NIS2 checklist: what you need to have in order to be compliant

Last updated on Jun 22, 2026
The Cybersecurity Act, the Dutch implementation of the NIS2 directive, is expected to come into force on 1 July 2026. The House of Representatives passed the bill on 15 April 2026 and the Senate is now reviewing it. Assume it passes: that leaves you roughly five weeks before the law takes effect.

Waiting until after it comes into force is not an option. Essential entities are subject to proactive supervision immediately. Fines can reach ten million euros or two percent of global turnover, and directors are personally liable. In this article: the six areas you need to have in order right now, plus what commonly goes wrong in practice.

Who this checklist is relevant for

NIS2 affects an estimated 160,000 organisations in the EU, a tenfold increase compared to NIS1. The directive covers eighteen sectors across two categories. Annex I lists eleven highly critical sectors, including energy, transport, banking, healthcare and digital infrastructure. Annex II lists seven other critical sectors, including manufacturing, chemicals, food and digital providers.

Large organisations (250+ employees or more than fifty million euros in turnover) in Annex I are essential entities. Medium-sized organisations (50+ employees) in Annex I and all organisations in Annex II are important entities. Certain services always fall under the law, regardless of size: DNS service providers, TLD registries, trust services and central government authorities.

Not sure whether you are in scope? The Rijksinspectie Digitale Infrastructuur (RDI) has a self-assessment tool that lets you find out within ten minutes. Do that before reading on.

The six pillars you need to have in order

1. Governance and management accountability

Article 20 of the directive explicitly places cybersecurity with the board. The board approves the security policy, monitors its implementation and is personally liable for non-compliance. Board members are also required to complete cybersecurity training.

In practice this means minutes in which cyber risks are discussed, formal approval decisions on the security policy, and periodic reports to the board. This area is the most commonly overlooked: organisations start with technology and only run into the governance requirement when an auditor asks for it.

2. Risk management and controls

Article 21 lists ten categories of measures as a minimum, ranging from risk analysis and incident handling to supply chain security, multi-factor authentication and personnel security. The guiding principle is "appropriate and proportionate": measures must be in proportion to your risk profile and the potential societal impact of an incident.

Start with your crown jewels: which systems, data and processes do you absolutely need to protect? Work outward from there. For Dutch organisations that fall directly under NIS2, ISO 27001 is the most widely used implementation path. The standard covers the vast majority of the ten measure categories in Article 21 and provides a recognisable management system that supervisors understand. A second route that is increasingly used in the Netherlands is NIS2 Supply Chain SC30 (formerly NIS2 Quality Mark High or QM30). The highest level of this framework is explicitly suited to critical entities that are themselves directly subject to NIS2 and want to demonstrate their compliance clearly to supervisors and their supply chain. In Belgium, CyberFundamentals (CyFun) from the CCB is the common route, with three levels ranging from Basic to Essential.

3. Cybersecurity measures in practice

The directive explicitly prescribes a number of basic technical measures: multi-factor authentication, cryptography where appropriate, access management based on least privilege, patch management, network segmentation and endpoint security. You also need to secure software that you develop yourself or commission from others by design.

Backups deserve separate attention. The NCSC recommends a backup strategy in which you document how often you take backups, where you store them (preferably disconnected from the network) and how often you run restoration tests. A backup that has never been tested is often worthless in a crisis. Obvious, but we see it regularly in audits.

4. Incident detection and reporting obligations

Article 23 sets strict reporting deadlines. Within 24 hours of discovering a significant incident, an initial warning goes to the NCSC or the sectoral CSIRT. Within 72 hours, a more detailed incident report follows with an initial impact assessment. Within one month, the final report is due, covering root cause analysis, measures taken and any cross-border effects.

That 24-hour deadline is tight. If you still need to figure out during an incident who to notify and what information is required, you will almost certainly miss it. Establish in advance: who reports, via which channel, with what information. Test it at least once with a tabletop exercise before you actually need it.

5. Supply chain security

This area surprises many organisations. NIS2 requires you to actively manage the security risks of your direct suppliers. Not just the cloud provider hosting your production data, but also the SaaS vendor with access to sensitive systems and the IT service provider with administrator access.

Start with an inventory and risk classification. Which suppliers have access to what? Which are critical to your business continuity? Then make contractual arrangements: incident notification, audit rights, minimum security requirements, restrictions on subcontracting. Chapter 5 of the European Implementing Regulation EU 2024/2690 provides concrete guidance here.

The flip side also applies: if you are yourself a supplier to a NIS2-obligated organisation, you will receive these requirements contractually. The NIS2 Supply Chain mark has been the most widely used instrument to demonstrate this since January 2026. It has three levels: SC10 (Basic) for most SME suppliers with a limited risk profile, SC20 (Substantial) for suppliers with access to sensitive systems or data, and SC30 (High) for critical chain partners and for critical entities that are themselves directly subject to NIS2.

6. Continuous evaluation and improvement

NIS2 is not a project you close off. Article 21(2)(f) requires you to periodically assess the effectiveness of your measures. This can be done through internal audits, penetration tests or management reviews. Whatever the method, findings must lead to concrete improvement actions with an owner and a deadline.

The board receives periodic reports on the state of affairs. Avoid dashboards with nothing but green ticks. A board member should be able to judge from the report whether the organisation is sufficiently protected and where additional attention is needed.

Three mistakes we keep seeing

Starting too late. The most common pattern. Organisations wait until the law is in place and only then get started, while a thorough implementation takes six to twelve months. From 1 July 2026, supervision is immediately in effect. For essential entities that means proactive checks: an inspection can take place without any prior incident.

Over-documentation. Thick policy documents that nobody reads are not sufficient. A supervisor wants to see that measures work, not that they exist on paper. Concise policy plus automated evidence (test reports, configuration exports, log files) is stronger than a seventy-page Word document.

Isolated action points without coherence. The ten measure categories in Article 21 are not meant as a checklist you tick off item by item. They are interconnected. Governance without risk assessment leads to arbitrary choices. Technical measures without an incident response plan mean you do not know what to do in a crisis.

How Tidal Control supports you

Tidal Control offers pre-built controls and policy templates for ISO 27001, CyberFundamentals and NIS2 Supply Chain. Controls are assigned an owner, tasks are created automatically and progress is visible to the entire team. Through more than 300 automated tests across Microsoft Azure, AWS, GitHub, GitLab and Jira, you continuously verify that controls are working. During a supervisory review, you have all the evidence that you are in control in a single overview.

Want to know where your organisation stands?

Before you start implementing, you want to know where you stand right now. Which measures are already implicitly in place? Where are the biggest gaps? Which areas need to be prioritised?

Take the free Quickscan and get a first picture of your NIS2 position and the logical next steps in five minutes. No sales conversation, no obligations.


Frequently asked questions about NIS2 compliance

When exactly does the Cybersecurity Act come into force?

Expected on 1 July 2026. The House of Representatives passed the bill on 15 April 2026. The Senate is now reviewing it, with an estimated approval probability of well over 95% according to parliamentary analyses. From the moment it enters into force, supervision is immediately in effect. For essential entities that means proactive checks; for important entities, reactive checks following an incident.

Which areas are most commonly overlooked?

Three consistent blind spots. Governance: management accountability and training of board members (Article 20). Supply chain security: assessing and managing supplier risks (Article 21(2)(d)). The reporting obligation: a working process capable of meeting the 24-hour deadline (Article 23). Many organisations start with technology and only discover later that NIS2 also imposes organisational and process-related requirements.

How do I know whether my organisation falls under NIS2?

Two conditions: you operate in one of the eighteen sectors (Annex I or II) and you meet the size thresholds (50+ employees or more than ten million euros in turnover and a balance sheet total above ten million euros). The RDI self-assessment tool helps you determine this within ten minutes. Some services always fall under the law regardless of size: DNS providers, TLD registries and trust services.

What does non-compliance cost?

For essential entities: up to ten million euros or two percent of global annual turnover, whichever is higher. For important entities: up to seven million euros or 1.4 percent. In addition, directors are personally liable. In extreme cases they can be suspended until appropriate measures have been taken.

Does ISO 27001 satisfy NIS2?

Not automatically, but the overlap is significant. ISO 27001 covers most of the ten NIS2 measure categories and is the common implementation path in the Netherlands for organisations directly subject to NIS2. However, the directive sets specific requirements that fall outside an ISMS: the 24-hour reporting obligation, explicit management liability and getting supply chain security in order. Having ISO 27001 puts you in a strong position, but you need to address the NIS2-specific elements separately.
