Reference Document

NIS2 Quick Checklist
Executive 1-Pager

Aligned to NIS2 Art. 21 (risk management measures) and Art. 23 (incident reporting). Ten items. Each maps directly to an enforceable obligation.

Scope: Art. 21 — Risk Management · Art. 23 — Incident Reporting
© 2025 Eugene Titaev

Governance & Risk (Art. 21 — Risk Management Measures)
01. Owner named for cybersecurity risk management and reporting — RACI in place.
02. Documented policies for access control, logging, incident response, and supplier security.
03. Periodic risk assessment completed in the last 12 months — with a documented action plan.

Operations & Controls (Art. 21 — Security Measures)
04. Logging enabled and retained for critical systems — review cadence defined.
05. Access based on least privilege — privileged access reviewed on a defined schedule.
06. Business continuity and disaster recovery tested specifically for cyber scenarios.

Supply Chain (Art. 21(2)(d) — Third-Party Risk)
07. Third-party register with criticality tiering — evidence requirements defined per tier (e.g., ISO 27001, SOC 2).
08. Contracts include security obligations, audit rights, and incident notification windows.

Incident Reporting (Art. 23 — Reporting Obligations)

Reporting timeline:
≤24h  Early Warning: Initial notification to CSIRT — concise facts, suspected cause, affected services.
≤72h  Notification: Full incident report with initial impact assessment and mitigation steps.
30d   Final Report: Confirmed root cause, full impact, lessons learned, long-term measures.

09. Reporting workflow defined — early warning ≤24h, notification ≤72h, final report ≤30 days. Owner named for each stage.
10. Templates prepared, CSIRT/authority contacts verified, and end-to-end rehearsal completed.