- NIS2 encompasses six requirement areas: registration with the BSI, ten minimum measures per Article 21, reporting obligations, governance requirements, supply chain security, and training mandates.
- The ten minimum measures range from risk analysis to incident response and business continuity through to cryptography, access control, and multi-factor authentication.
- Significant security incidents must be reported to the BSI in three stages: an early warning within 24 hours of becoming aware, a full incident notification within 72 hours, and a final report no later than one month after that notification.
- Executive management is personally liable and must demonstrably participate in cybersecurity training.
- A realistic implementation timeline for a mid-market company is 12 to 18 months if no ISMS is already in place.
Why a NIS2 Checklist?
NIS2 has been applicable law in Germany since December 2025 through the NIS2 Implementation Act (NIS2UmsuCG). The requirements are distributed across various articles of the directive and the national legislation. Anyone dealing with it for the first time faces the challenge of maintaining an overview: what exactly is required? Which of it applies to me? And in what order should I address the requirements?
This checklist summarizes all essential NIS2 requirements, organized by the six central requirement areas. For each item, you'll find a brief explanation, a recommended status tracker (done / in progress / open), and a prioritization. At the end, there is a realistic implementation timeline.
A note upfront: this checklist is aimed at organizations classified as "important entities" under NIS2. This applies to the majority of mid-market companies that fall under the regulation. Essential entities are subject to additional supervisory requirements that are not listed separately here.
Area 1: Registration and Self-Identification
NIS2 relies on the principle of self-identification. This means: you must determine for yourself whether you are affected and actively register. No authority will come and inform you.
Registration Checklist
| No. | Requirement | Priority | Status |
|---|---|---|---|
| 1.1 | Conduct applicability assessment: Check based on the size criteria (at least 50 employees, or annual turnover and balance sheet total above 10 million euros) and the 18 sectors of Annexes I and II whether your organization falls under NIS2. | Critical | ☐ |
| 1.2 | Determine category: Clarify whether you are classified as an essential or important entity. The category determines the supervisory regime and fine levels. | Critical | ☐ |
| 1.3 | Register with the BSI: Register via the BSI portal as an affected organization. Registration includes company name, sector, contact details, and a contact person for security incidents. | Critical | ☐ |
| 1.4 | Designate a contact person: Appoint a central contact person for the BSI and ensure the contact details are always current. | High | ☐ |
| 1.5 | Document the applicability assessment: Record in writing why your organization falls under NIS2 (or does not). In case of a review by the supervisory authority, you must be able to present this assessment. | High | ☐ |
Registration is the first formal step. Without it, you are not only non-compliant — you also risk that the BSI doesn't know how to reach you in the event of an incident. The registration obligation applies from the effective date of the law, regardless of how far along your implementation of the other requirements is.
Area 2: The Ten Minimum Measures per Article 21
Article 21 of the NIS2 directive defines ten minimum measures that all affected entities must implement. These measures form the core of the technical and organizational requirements.
Measure 1: Risk Analysis and Security Policies
| No. | Requirement | Priority | Status |
|---|---|---|---|
| 2.1.1 | Define risk assessment methodology: Establish how risks are identified, analyzed, and evaluated. The methodology must be reproducible and documented. | Critical | ☐ |
| 2.1.2 | Conduct initial risk assessment: Identify and evaluate the risks to your network and information systems. | Critical | ☐ |
| 2.1.3 | Create risk treatment plan: Document for each relevant risk how it will be treated: measure, responsible person, deadline. | Critical | ☐ |
| 2.1.4 | Create security concept: Develop an overarching security concept that translates the results of the risk analysis into concrete protective measures. | Critical | ☐ |
| 2.1.5 | Establish regular review: Risk assessments must be updated at least annually and on an ad-hoc basis (after incidents, upon significant changes). | High | ☐ |
The risk analysis is the foundation for all subsequent measures. Without it, the factual basis for selecting and prioritizing protective measures is missing. Start here before addressing the other nine minimum measures.
Measure 2: Incident Response
| No. | Requirement | Priority | Status |
|---|---|---|---|
| 2.2.1 | Create incident response plan: Document the procedure for security incidents with clear roles, escalation levels, and communication channels. | Critical | ☐ |
| 2.2.2 | Designate incident response team: Define who belongs to the team (internal and external if applicable) and ensure all members know their role. | Critical | ☐ |
| 2.2.3 | Implement detection mechanisms: Deploy technical measures for detecting security incidents (logging, monitoring, alerting). | High | ☐ |
| 2.2.4 | Establish reporting channel to the BSI: Ensure the reporting chain to the BSI functions within the required timeframes (see Area 3). | Critical | ☐ |
| 2.2.5 | Document and debrief incidents: Every incident must be documented and followed up with lessons learned. | High | ☐ |
Measure 3: Business Continuity and Crisis Management
| No. | Requirement | Priority | Status |
|---|---|---|---|
| 2.3.1 | Conduct business impact analysis (BIA): Assess the impact of a failure of your critical business processes and determine maximum tolerable downtime. | High | ☐ |
| 2.3.2 | Create business continuity plan: Document how business operations will be maintained during a severe incident. | High | ☐ |
| 2.3.3 | Implement backup strategy: Implement a documented backup strategy with defined RPO/RTO targets and regular restore tests. | Critical | ☐ |
| 2.3.4 | Create recovery plan: Describe the technical recovery of critical systems with prioritization and responsibilities. | High | ☐ |
| 2.3.5 | Establish crisis management: Define a crisis team, communication channels, and decision-making authority for crisis situations. | High | ☐ |
| 2.3.6 | Conduct regular tests: Plan and conduct emergency exercises at least annually (tabletop exercises, restore tests, failover tests). | Medium | ☐ |
Measure 4: Supply Chain Security
| No. | Requirement | Priority | Status |
|---|---|---|---|
| 2.4.1 | Identify critical suppliers: Create an overview of all IT service providers and suppliers that have access to your systems or data. | High | ☐ |
| 2.4.2 | Include security requirements in contracts: Ensure that contracts with critical suppliers contain security requirements, audit rights, and incident reporting obligations. | High | ☐ |
| 2.4.3 | Conduct supplier assessment: Assess the security posture of your critical suppliers, e.g., through questionnaires, certificates, or audits. | Medium | ☐ |
| 2.4.4 | Establish regular review: Review the security posture of critical suppliers at least annually and upon significant changes. | Medium | ☐ |
Measure 5: Security in Acquisition, Development, and Maintenance
| No. | Requirement | Priority | Status |
|---|---|---|---|
| 2.5.1 | Secure procurement policy: Define security requirements for purchasing IT systems, software, and services. | Medium | ☐ |
| 2.5.2 | Implement vulnerability management: Establish a process for identifying and remediating vulnerabilities (patch management, vulnerability scanning). | High | ☐ |
| 2.5.3 | Secure development practices: If you develop software, implement secure development guidelines (code reviews, dependency checks, security testing). | Medium | ☐ |
Measure 6: Assessing Effectiveness of Measures
| No. | Requirement | Priority | Status |
|---|---|---|---|
| 2.6.1 | Establish effectiveness reviews: Define how and when you check whether your security measures are actually effective. | High | ☐ |
| 2.6.2 | Define metrics: Establish measurable KPIs to evaluate the security status (e.g., patch status, training rate, incident count). | Medium | ☐ |
| 2.6.3 | Conduct internal audits: Plan and carry out regular internal audits that review the implementation and effectiveness of measures. | High | ☐ |
| 2.6.4 | Report results to executive management: Ensure that effectiveness review results are regularly reported to executive management. | High | ☐ |
Measure 7: Cyber Hygiene and Training
| No. | Requirement | Priority | Status |
|---|---|---|---|
| 2.7.1 | Set up security awareness program: Establish a regular awareness program for all employees. | High | ☐ |
| 2.7.2 | Implement basic cyber hygiene measures: Password policy, MFA, current software, email security, secure configuration. | Critical | ☐ |
| 2.7.3 | Document training records: Record for each employee which training sessions have been completed. | High | ☐ |
| 2.7.4 | Train executive management: Executive management must demonstrably participate in cybersecurity training (NIS2 obligation). | Critical | ☐ |
Measure 8: Cryptography
| No. | Requirement | Priority | Status |
|---|---|---|---|
| 2.8.1 | Create encryption policy: Define which data must be encrypted at rest and in transit. | High | ☐ |
| 2.8.2 | Implement encryption: Implement encryption according to the policy (TLS, disk encryption, email encryption). | High | ☐ |
| 2.8.3 | Establish key management: Define the handling of cryptographic keys (generation, storage, rotation, revocation). | Medium | ☐ |
Measure 9: Personnel Security and Access Control
| No. | Requirement | Priority | Status |
|---|---|---|---|
| 2.9.1 | Create access control policy: Define the authorization concept based on the least privilege principle. | High | ☐ |
| 2.9.2 | Implement authorization concept: Implement role-based access control and document the assignment of permissions. | High | ☐ |
| 2.9.3 | Regular recertification: Review at least semi-annually whether assigned permissions are still appropriate. | Medium | ☐ |
| 2.9.4 | Onboarding and offboarding process: Ensure that permissions are granted upon entry and promptly revoked upon departure. | High | ☐ |
| 2.9.5 | Personnel security at hiring: Verify the identity and references of new employees with access to critical systems. | Medium | ☐ |
Measure 10: Multi-Factor Authentication and Secure Communication
| No. | Requirement | Priority | Status |
|---|---|---|---|
| 2.10.1 | Introduce MFA for critical systems: Implement multi-factor authentication for administrative access, VPN, and cloud services. | Critical | ☐ |
| 2.10.2 | Roll out MFA for all employees: Extend MFA to all employee access wherever technically and organizationally feasible. | High | ☐ |
| 2.10.3 | Establish secure communication: Provide secured voice, video, and text communication for emergencies. | Medium | ☐ |
| 2.10.4 | Secure emergency communication: Define communication channels that work even if regular IT fails. | High | ☐ |
Area 3: Reporting Obligations
The reporting obligations are among the requirements with the tightest deadlines. Those unprepared here risk not only the actual damage from an incident but also fines for delayed reporting.
Reporting Obligations Checklist
| No. | Requirement | Priority | Status |
|---|---|---|---|
| 3.1 | Define reporting process: Document the internal flow from incident detection to BSI notification. Who decides whether an incident is reportable? Who reports? Through which channel? | Critical | ☐ |
| 3.2 | Ensure 24-hour early warning: A significant security incident must be reported to the BSI within 24 hours of becoming aware. The early warning must state whether the incident is suspected to be caused by unlawful or malicious action and whether it could have cross-border impact. | Critical | ☐ |
| 3.3 | Plan 72-hour incident notification: Within 72 hours of becoming aware, a full notification must follow that updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise. | Critical | ☐ |
| 3.4 | Final report after one month: No later than one month after submitting the 72-hour notification (not after the early warning), a final report must be submitted with a detailed description of the incident, root cause analysis, measures taken, and cross-border impacts. If the incident is still ongoing at that point, a progress report is due instead and the final report follows within one month of the incident being handled. | High | ☐ |
| 3.5 | Test reporting channels: Conduct a test run of the reporting process regularly (at least annually) to ensure deadlines can be met. | Medium | ☐ |
| 3.6 | Prepare report templates: Keep pre-filled report templates ready that only need to be supplemented with incident-specific information in an emergency. | Medium | ☐ |
| 3.7 | On-call service for reporting obligations: Ensure that someone is available outside business hours (weekends, holidays, vacation) who can meet the 24-hour deadline. | High | ☐ |
The reporting deadlines start from the moment of awareness. "We didn't notice the incident until Monday" doesn't protect you if adequate detection mechanisms should have discovered the incident on Friday. This is why implementing monitoring and alerting (item 2.2.3) is directly linked to reporting obligations.
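The three-stage chain is easy to state and easy to miss on a weekend. The following Python deadline tracker is an added example and not part of the original checklist: it takes the moment of awareness, derives the 24-hour and 72-hour deadlines from it, starts the one-month clock for the final report from the time the 72-hour notification was actually submitted (Article 23(4)(d) of the directive; until that submission it plans against the 72-hour deadline as the latest possible start), refuses timezone-naive timestamps, and reports which stages are late or overdue at a given point in time. The reading of "one month" as the same calendar day of the following month clamped to month end, the stage names, and the sample timestamps (a Friday-evening detection, constructed for the example) are assumptions made here, not definitions from the page or the law.

```python
"""Deadline tracker for the NIS2 three-stage incident reporting chain.

Added example, not part of the original checklist. Assumptions: the 24h
and 72h deadlines run from the moment of awareness; the final-report clock
starts when the 72h notification was actually submitted; "one month" means
the same calendar day of the next month, clamped to that month's last day.
"""
from calendar import monthrange
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

STAGES = ("early_warning", "incident_notification", "final_report")

# Constructed sample data for the example (not real incident data).
SAMPLE_AWARE_AT = datetime(2026, 1, 30, 22, 15, tzinfo=timezone.utc)   # Friday evening
SAMPLE_EARLY_WARNING_SENT = datetime(2026, 1, 31, 23, 0, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2026, 2, 3, 0, 0, tzinfo=timezone.utc)


def _require_tz(ts: datetime, name: str) -> datetime:
    # A naive timestamp silently shifts a deadline by the UTC offset; refuse it.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")
    return ts


def add_one_month(ts: datetime) -> datetime:
    """Same day of the following month, clamped to that month's last day
    (30 or 31 January -> 28 February in a common year)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    return ts.replace(year=year, month=month, day=min(ts.day, monthrange(year, month)[1]))


@dataclass
class IncidentReportingTimeline:
    aware_at: datetime                             # moment the entity became aware
    submitted: dict = field(default_factory=dict)  # stage -> time the report was sent

    def __post_init__(self) -> None:
        _require_tz(self.aware_at, "aware_at")

    def record(self, stage: str, at: datetime) -> None:
        """Record that a report stage was submitted at the given time."""
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        self.submitted[stage] = _require_tz(at, "at")

    def deadlines(self) -> dict:
        early = self.aware_at + timedelta(hours=24)
        notification = self.aware_at + timedelta(hours=72)
        # The final-report clock starts when the 72h notification was actually
        # sent. Until then, plan against the latest possible start so that the
        # planned date can only move earlier, never later.
        start = self.submitted.get("incident_notification", notification)
        return {
            "early_warning": early,
            "incident_notification": notification,
            "final_report": add_one_month(start),
        }

    def status(self, now: datetime) -> dict:
        """Per stage: 'submitted', 'late' (sent after the deadline),
        'overdue' (not sent, deadline passed) or the remaining time."""
        _require_tz(now, "now")
        out = {}
        for stage, due in self.deadlines().items():
            sent = self.submitted.get(stage)
            if sent is not None:
                out[stage] = "submitted" if sent <= due else "late"
            elif now > due:
                out[stage] = "overdue"
            else:
                out[stage] = f"due in {due - now}"
        return out

    def overdue(self, now: datetime) -> list:
        return [stage for stage, state in self.status(now).items() if state == "overdue"]


def build_sample_timeline() -> IncidentReportingTimeline:
    """Friday-evening detection; the early warning went out 45 minutes late
    on Saturday night and the 72h notification has not been sent yet."""
    timeline = IncidentReportingTimeline(SAMPLE_AWARE_AT)
    timeline.record("early_warning", SAMPLE_EARLY_WARNING_SENT)
    return timeline


if __name__ == "__main__":
    timeline = build_sample_timeline()
    for stage, due in timeline.deadlines().items():
        print(f"{stage:22s} due {due.isoformat()}")
    for stage, state in timeline.status(SAMPLE_NOW).items():
        print(f"{stage:22s} {state}")
```

Run on the sample, the tracker shows the early warning as late, the 72-hour notification as overdue on the Tuesday after detection, and a planned final-report date that will move earlier once the notification is actually recorded. Wiring `overdue()` into the on-call alerting of item 3.7 is the natural next step.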
Area 4: Governance and Responsibilities
NIS2 places special emphasis on cybersecurity being a leadership responsibility. Executive management cannot fully delegate responsibility.
Governance Checklist
| No. | Requirement | Priority | Status |
|---|---|---|---|
| 4.1 | Engage executive management: Executive management must approve cybersecurity measures and oversee their implementation. Document this approval. | Critical | ☐ |
| 4.2 | Communicate personal liability: Ensure that executive management is informed of their personal liability. In case of violations, the supervisory authority can hold management personally accountable. | Critical | ☐ |
| 4.3 | Appoint CISO or ISB: Designate an information security officer with a clear mandate, sufficient resources, and a direct reporting line to executive management. | Critical | ☐ |
| 4.4 | Document roles and responsibilities: Define and document all security-relevant roles (CISO, risk owners, IT security officers, data protection officer). | High | ☐ |
| 4.5 | Establish regular reporting: Set up a fixed cadence for security reports to executive management (at least quarterly). | High | ☐ |
| 4.6 | Provide cybersecurity budget: Executive management must provide adequate resources (personnel, budget, tools) for implementing NIS2 requirements. | High | ☐ |
Executive Training Obligations Checklist
| No. | Requirement | Priority | Status |
|---|---|---|---|
| 4.7 | Plan executive training: Executive management must participate in cybersecurity training. Schedule these training sessions and ensure they are regularly repeated. | Critical | ☐ |
| 4.8 | Define training content: The training must cover at minimum risk management, current threat landscape, NIS2 requirements, and the role of executive management. | High | ☐ |
| 4.9 | Secure training records: Document executive management participation with date, topic, and duration. These records will be reviewed in audits. | High | ☐ |
NIS2's governance requirements fundamentally differ from the previous practice of many organizations where cybersecurity was treated as a pure IT topic. NIS2 makes it a leadership responsibility with personal liability. For executive management, there is no "the IT department handles that."
Area 5: Supply Chain Security in Detail
Supply chain security is already included in the ten minimum measures as an item (Measure 4) but deserves deeper examination due to its complexity.
Supply Chain Checklist
| No. | Requirement | Priority | Status |
|---|---|---|---|
| 5.1 | Create supplier inventory: Create a complete list of all suppliers with access to your network and information systems or data. Prioritize by criticality. | High | ☐ |
| 5.2 | Risk analysis per supplier: Assess the security risks for each critical supplier. Consider their own security measures, certifications, and the type of access. | High | ☐ |
| 5.3 | Contractual security clauses: Review and update contracts with critical suppliers. They must contain security requirements, audit rights, incident reporting obligations, and liability provisions. | High | ☐ |
| 5.4 | Review data processing agreements (DPA): If suppliers process personal data, DPAs in accordance with DSGVO (GDPR) must be in place. NIS2 supplements this with specific security requirements. | High | ☐ |
| 5.5 | Monitor critical suppliers: Establish a process for ongoing monitoring of the security posture of critical suppliers (certification status, security incidents, press reports). | Medium | ☐ |
| 5.6 | Contingency plan for supplier failure: For business-critical suppliers, assess what alternatives exist and how quickly you could switch in an emergency. | Medium | ☐ |
| 5.7 | Coordinated supply chain risk assessment: NIS2 enables coordinated risk assessments at the sector level. Stay informed about industry-specific initiatives. | Low | ☐ |
In practice, the supply chain is often the area that requires the most effort. The number of suppliers with IT access is larger than most organizations initially think: cloud providers, managed service providers, software vendors, external consultants with VPN access, printer service providers, cleaning companies with access cards. A systematic inventory is worthwhile.
Area 6: Training and Awareness
Beyond the cyber hygiene and executive training already mentioned in the minimum measures, there are additional training requirements that should result in a structured awareness program.
Training and Awareness Checklist
| No. | Requirement | Priority | Status |
|---|---|---|---|
| 6.1 | Create training plan: Develop an annual plan with defined target groups, topics, formats, and dates. | High | ☐ |
| 6.2 | Basic training for all employees: All employees must be trained on fundamental cybersecurity risks and behavioral guidelines. | High | ☐ |
| 6.3 | Role-specific training: IT administrators, developers, and other roles with elevated risk profiles require in-depth training. | Medium | ☐ |
| 6.4 | Phishing simulations: Conduct regular simulated phishing campaigns to test and sharpen employee awareness. | Medium | ☐ |
| 6.5 | Train new employees: Integrate cybersecurity training into the onboarding process. New employees should be trained within the first week. | High | ☐ |
| 6.6 | Measure training effectiveness: Define metrics to measure training success (quiz results, phishing click rates, suspicious activity reporting rate). | Medium | ☐ |
| 6.7 | Documentation and records: Maintain complete records of all training with participant, date, topic, and result. | High | ☐ |
Prioritization: What Comes First?
With over 60 individual items in the checklist, the question inevitably arises: where do I start? Not everything can be implemented simultaneously, and not everything has the same urgency. The following prioritization helps you find the right sequence.
Phase 1: Immediate (Months 1 to 3)
Items with "Critical" priority must be addressed first:
- Applicability assessment and registration (1.1 to 1.5): Nothing else works without this.
- Governance foundations (4.1 to 4.3): Get executive management on board, appoint a CISO.
- Risk assessment methodology (2.1.1): The basis for all subsequent measures.
- Incident response plan (2.2.1, 2.2.2): If an incident occurs tomorrow, you must be capable of responding.
- Reporting process (3.1, 3.2): The 24-hour deadline applies immediately.
- MFA for critical systems (2.10.1): One of the most effective protective mechanisms.
Phase 2: Short-term (Months 3 to 6)
Items with "High" priority that build on the critical foundations:
- Conduct initial risk assessment (2.1.2, 2.1.3): Now that the methodology is in place.
- Create security concept (2.1.4): The overarching document that brings everything together.
- Review backup strategy (2.3.3): Backups are often in place but not documented or tested.
- Access control and authorization concept (2.9.1, 2.9.2): Who has access to what?
- Supplier inventory (5.1): Get an overview first.
- Start training program (6.1, 6.2): Build awareness, train executive management.
- Document roles and responsibilities (4.4): Who is responsible for what?
Phase 3: Medium-term (Months 6 to 12)
The remaining "High" priority items and the first "Medium" priorities:
- Business continuity and recovery (2.3.1 to 2.3.5): BIA, BCP, and recovery plan.
- Vulnerability management (2.5.2): Formalize patch management.
- Supplier assessment and contract adjustment (5.2 to 5.4): The detailed work on the supply chain.
- Internal audits (2.6.3): First effectiveness review of implemented measures.
- Encryption policy (2.8.1, 2.8.2): Documentation and implementation.
- Test reporting channels (3.5): First test run of the reporting process.
Phase 4: Long-term (Months 12 to 18)
The remaining "Medium" and "Low" priorities plus consolidation:
- Emergency exercises and tests (2.3.6): Tabletop exercises, restore tests.
- Secure communication (2.10.3, 2.10.4): Emergency communication channels.
- Supplier monitoring (5.5, 5.6, 5.7): Ongoing oversight.
- KPI dashboard and reporting (2.6.2, 4.5): Regular reporting to executive management.
- Key management (2.8.3): Detailed cryptography provisions.
- Measure training effectiveness (6.6): Evaluation and optimization of the awareness program.
Timeline Recommendation
The following timeline shows a realistic framework for NIS2 implementation. It assumes that no formal ISMS exists yet but basic IT security measures (firewall, antivirus, backup) are in place.
| Period | Focus | Outcome |
|---|---|---|
| Month 1 | Applicability assessment, registration, governance | You know whether and how you are affected and have laid the organizational foundations. |
| Months 2 to 3 | Risk assessment methodology, incident response, reporting process, MFA | You are capable of responding to an incident and have closed the most urgent technical gaps. |
| Months 4 to 6 | Risk assessment, security concept, policies, training program | Risks are assessed, measures are prioritized, and awareness across the organization is growing. |
| Months 7 to 9 | Business continuity, supply chain, access control | Operational processes are documented and the supply chain is assessed. |
| Months 10 to 12 | Vulnerability management, encryption, first audits | Technical measures are implemented and the first effectiveness review is completed. |
| Months 13 to 18 | Tests, consolidation, monitoring, KPIs | The overall system is established, tested, and continuously monitored. |
This timeline is ambitious but achievable if dedicated resources are available. Budget for half to a full FTE for the CISO plus support from IT and business departments. If you are simultaneously pursuing ISO 27001 certification, extend the timeline by three to six months because the documentation requirements are higher.
The NIS2 Checklist as a Living Document
This checklist is a starting point, not an endpoint. NIS2 compliance is not a one-time task but an ongoing process. The requirements must not only be implemented but permanently maintained.
Use the checklist as a status overview in your ISMS. Tools like ISMS Lite map all NIS2 requirements as trackable measures so you can see the implementation status at a glance at any time; for 500 euros per year you get all modules including risk assessment, measure tracking, and audit trail, without seat licenses. Update the status regularly, at least monthly during the setup phase and quarterly during ongoing operations. Report progress to executive management, because under NIS2 they have both a legitimate interest and a personal obligation to know the status.
If you already operate an ISMS according to ISO 27001, you will find that many items on this checklist are already covered. The overlap is approximately 80 percent. The specific NIS2 requirements that go beyond ISO 27001 primarily concern reporting obligations, personal liability of executive management, and individual technical requirements such as the explicit MFA mandate.
For organizations without an existing ISMS, NIS2 implementation is simultaneously the occasion to build an ISMS. This is the most efficient path because a well-structured ISMS organizationally covers all NIS2 requirements while simultaneously laying the groundwork for an optional ISO 27001 certification.
Further Reading
- NIS2 for mid-market companies: what you need to know and what to do now (NIS2 für den Mittelstand: Was du wissen musst und was jetzt zu tun ist)
- The NIS2 initial report to the BSI: process and content of the notification (NIS2-Erstmeldung an das BSI: Ablauf und Inhalte der Meldung)
- NIS2 fines and personal liability of executive management (NIS2-Bußgelder und persönliche Haftung der Geschäftsführung)
- NIS2 vs. ISO 27001: commonalities, differences and synergies (NIS2 vs. ISO 27001: Gemeinsamkeiten, Unterschiede und Synergien)
- Creating an incident response plan: structure and practical example (Incident-Response-Plan erstellen: Aufbau und Praxisbeispiel)
Start with the applicability assessment and registration, get executive management on board, and work through the checklist step by step. The prioritization helps you do the right things first, and the timeline gives you a framework to orient yourself. NIS2 compliance doesn't happen overnight, but with a structured approach it is achievable even for mid-market companies without a large security team.
