NIS 2 & DORA Readiness Checklist

A practical, no-jargon checklist to gauge how ready your organization is for NIS 2 and DORA. Work through each item, mark what is in place, and turn the gaps into a plan. Free to use and share.


NIS 2 readiness

NIS 2 (Directive (EU) 2022/2555) expands the range of entities in scope and raises the minimum cybersecurity risk-management measures they must implement. Article 21 lists the baseline measures; management bodies are accountable for approving them and overseeing their implementation.

Governance & accountability

  • Management body formally approves and oversees the cyber risk-management measures.
  • Management and key staff complete cybersecurity risk training.
  • Roles, responsibilities and an accountable owner for cybersecurity are defined.

Risk management & policies

  • Documented risk analysis and information system security policies.
  • Asset inventory and data classification kept up to date.
  • Policies and procedures to assess the effectiveness of the measures (audits, tests, pentests).

Incident handling

  • Incident detection, handling and response procedures are in place and tested.
  • Ability to meet reporting deadlines: 24h early warning, 72h notification, final report.

Continuity & supply chain

  • Backups, disaster recovery and crisis management, tested regularly.
  • Supply-chain security: security requirements and assessment for suppliers and service providers.

Technical baseline

  • Security in acquisition, development and maintenance, including vulnerability handling and disclosure.
  • Basic cyber hygiene practices and security awareness training for all staff.
  • Cryptography and encryption policy where appropriate.
  • Human resources security, access control and asset management (screening, least-privilege access, timely revocation).
  • Multi-factor authentication (MFA) or continuous authentication, and secured voice, video and text communications.

DORA readiness

DORA (Regulation (EU) 2022/2554) sets digital operational resilience rules for financial entities and their ICT providers, built on five pillars.

ICT risk management

  • Board-approved ICT risk-management framework, reviewed regularly.
  • Mapping of ICT assets, business functions and dependencies.
  • ICT business continuity policy, response and recovery plans, and tested backups.

ICT incident management & reporting

  • Process to detect, classify and report major ICT-related incidents to the competent authority.

Operational resilience testing

  • Regular resilience testing programme (vulnerability assessments, scenario tests).
  • Threat-Led Penetration Testing (TLPT) for entities in scope.

Third-party & information sharing

  • Register of ICT third-party providers, contractual requirements and concentration-risk monitoring.
  • Arrangements to share cyber threat intelligence with peers.

This checklist is a practical guide, not legal advice. Obligations depend on your sector, size and role under each framework.

Need help closing the gaps?

We help organizations test, train and document their way to NIS 2 and DORA readiness — from penetration testing to human risk and audit-ready evidence.