Is your organisation NIS2 compliant?
The updated Network and Information Security Directive (NIS2) came into effect on 17 October 2024, replacing the original 2016 version. It introduced stricter cyber security, reporting, and governance requirements for organisations operating in or serving the EU.
This checklist provides a practical guide for compliance and is aimed at CISOs, compliance managers, and security teams responsible for critical infrastructure or digital services.
Who does NIS2 apply to?
NIS2 applies to organisations considered essential or important in sectors such as:
- Energy
- Transport
- Finance
- Public Administration
- Health
- Space
- Water Supply
- Digital Infrastructure
Organisations outside the EU must also comply if they offer services within EU member states.
Note: SMEs may be exempt, but if they play a critical role in essential sectors or supply chains, they are still subject to key NIS2 requirements. Any organisation with more than 50 employees and over €10 million annual turnover is generally in scope.
To find out more about whether you comply, read our previous blog.
NIS2 Checklist
1. Governance Risk and Compliance
- Define organisational goals and risk appetite, ensuring that any NIS2 compliance framework supports strategic objectives.
- Assign clear roles and responsibilities for NIS2 compliance tasks, identifying who is liable in the case of non-compliance.
- Identify and document cyber risks in your environment, focusing on internal and external factors that could impact security.
- Regularly review and test cyber security measures and ensure senior management involvement in the approval and oversight process.
- Be able to evidence compliance efforts.
2. Cyber Security Policies and Procedures
- Ensure that security policies are formally documented and regularly reviewed.
- Develop and implement formal incident response plans and procedures that enable rapid detection, triage and response to an incident. Keep sufficiently detailed records so that a serious incident can be reported promptly to the national Cyber Security Incident Response Team (CSIRT) within 24 hours, with a follow-up containing technical and impact details within 72 hours.
- Implement procedures and a framework for formally assessing and managing supply chain risk, including due diligence on third-party vendors and cyber security requirements in contractual agreements.
- Establish disaster recovery plans that align with agreed Recovery Time Objectives (RTO) to ensure business continuity.
3. Technical and Operational Measures
- Implement multi-factor authentication (MFA) or a continuous authentication solution across all critical systems.
- Assess and implement basic cyber hygiene practices and conduct regular cyber security training to maintain high security standards.
- Use strong cryptography and encryption practices for sensitive data, encrypting it both at rest and in transit.
- Conduct penetration testing and vulnerability assessments periodically and regularly update and patch software, hardware, and firmware.
4. Security Technologies and Solutions
- Enforce endpoint protection and monitoring (EDR, SIEM, IDS/IPS) and ensure secure system configurations (hardening, least privilege access).
- Use SaaS solutions that comply with EU data residency regulations (such as GDPR compliance for data protection). Ensure that cloud environments are secured against breaches and unauthorised access.
5. Legal & Compliance
- Maintain documentation of security policies, procedures, and compliance efforts.
- Ensure cyber security strategies meet the specific requirements pertinent to critical infrastructure sectors such as healthcare (HIPAA compliance), energy (NERC CIP standards), and finance (SOX compliance). Implement recognised frameworks, such as ISO 27001 and the NIST SP 800 series, to strengthen security posture and standards.
- Cooperate with national and EU authorities during audits and investigations.
6. Registration
- Organisations must self-register with the national competent authority (or will be notified if they are in scope).
- Provide the relevant information requested about operations, services, and security contacts.
Why It Matters
NIS2 brings increased scrutiny, higher penalties, and personal liability for executive leadership in the event of non-compliance. Failure to act can result in fines and reputational damage.
Start your compliance process now. Review your current practices, identify any gaps, and build a roadmap to align with NIS2 requirements.
Need Help?
Toro provides consulting and technical support to help organisations assess their readiness and implement controls aligned with NIS2. Contact us to learn how we can support your compliance journey.