NIS 2 raises the bar for cybersecurity across a much wider range of organizations than its predecessor. If you are not sure where you stand, this short checklist is a good place to start.
1. Confirm whether you are in scope
NIS 2 covers many "essential" and "important" entities. Map your sector and size against the directive before assuming you are out of scope.
2. Get board-level accountability
Management bodies are now explicitly responsible for cybersecurity risk. Make sure ownership sits at the top, not only in IT.
3. Run regular testing
Article 21 expects you to test the effectiveness of your measures. Penetration testing and vulnerability assessments produce the evidence auditors look for.
4. Manage human risk
Most incidents start with people. Continuous security awareness training and phishing simulation measurably reduce that exposure.
5. Have an incident-response plan
You need detection, response and reporting processes — and you need to have practiced them.
6. Secure your supply chain
Third-party and ICT providers are in scope too. Review their security and your contracts.
7. Keep audit-ready evidence
Map your controls to NIS 2 and keep the evidence current, so an audit is a formality, not a fire drill.
Not sure where to begin? Talk to us — we can run a gap assessment and a first round of testing.