Save as PDF: Use the button below or your browser’s Print → Save as PDF.
NIS2 Compliance Checklist (2026)
Articles 20–25 · InfoSecFlow · infosecflow.com
Companion to the full NIS2 checklist article. For a scored pass, try the readiness tool.
Article 20 — Governance
- Management approved cybersecurity risk management measures (documented)
- Regular cybersecurity briefings to management (quarterly+)
- Management cybersecurity training completed
- Employee awareness training with participation records
- Roles and responsibilities for cybersecurity governance assigned
Article 21 — Risk management (core)
- Risk assessment methodology and risk register
- Incident response plan (tested)
- Business continuity and disaster recovery (tested backups)
- Supplier inventory, tiering, and security assessments
- Secure development / acquisition and vulnerability management
- Internal audit or effectiveness assessment program
- Cyber hygiene and security training for all staff
- Cryptography and encryption policy
- Access control policy and periodic access reviews
- IT asset inventory
- MFA on critical systems, remote access, and privileged accounts
- Secured communications and emergency comms capability
Article 22 — Supply chain (EU coordination)
- Process to incorporate ENISA / national coordinated supply-chain findings
- Critical technology dependencies identified
Article 23 — Incident reporting
- National CSIRT / competent authority contact identified
- “Significant incident” criteria defined
- Templates: 24h early warning, 72h notification, 1-month final report
- Escalation process tested (can meet 24h deadline)
- CSIRT contacts stored offline / outside primary systems
Articles 24–25 — Certification & standards
- Relevant standards mapped (e.g. ISO 27001, IEC 62443)
- Procurement considers EU cybersecurity certification where available
- Monitoring sector-specific implementing acts
© InfoSecFlow · Not legal advice · Verify national transposition in your member state