Securyza

NIS2 compliance checklist: what a company really needs to do

Practical guide to NIS2 compliance: operational checklist, essential controls, governance, incident response, and business continuity.

2026-04-28

NIS2 is not tackled with a PDF checklist found online

Many companies look for a simple list to check off.

The reality is different.

The NIS2 directive requires a structural approach to security, not a formal document to be filed away.

It requires an operational vision.

First step: understand if you really fall under it

First of all, you need to determine whether the company is in scope, directly or indirectly.

Sector, size, dependencies, and role in the supply chain make the difference.

Without this analysis, everything else risks being useless.

Governance and responsibility

Management must be involved.

Security is no longer just a technical issue.

Clear roles, defined responsibilities, and real decision-making capacity are needed.

Incident Response

You need to know what to do when something happens.

Not during.

Before.

An incident response plan with precise processes, escalations, and responsibilities is required.

Backup and Disaster Recovery

Backups must actually exist, be verified, and be usable.

Disaster recovery is not theory:

it is the demonstrated ability to restart operations within the required time.
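A backup that is never restored is only a hope. The following Python script is an added example (not part of the original article, and not a Securyza tool) of the minimal restore test the point above calls for: it builds a small archive from constructed sample files, records a SHA-256 manifest, extracts the archive into a scratch directory and compares every file against the manifest. The sample data, file names and the `backup.tar.gz` / `backup.manifest.json` naming are assumptions made for the demo.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample "production" data used only to exercise the check.
SAMPLE_FILES = {
    "config/app.yaml": b"db_host: db.internal\nfeature_flags: [a, b]\n",
    "data/orders.csv": b"id,total\n1,19.90\n2,5.00\n",
}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_archive(src: Path, archive: Path, relpaths):
    """Archive the given relative paths of src (hypothetical backup job)."""
    with tarfile.open(archive, "w:gz") as tar:
        for rel in relpaths:
            tar.add(src / rel, arcname=rel)


def create_backup(src: Path, dest: Path):
    """Back up every file under src and write a SHA-256 manifest next to the archive."""
    archive = dest / "backup.tar.gz"
    manifest = dest / "backup.manifest.json"
    files = sorted(str(p.relative_to(src)) for p in src.rglob("*") if p.is_file())
    digests = {rel: sha256_of(src / rel) for rel in files}
    write_archive(src, archive, files)
    manifest.write_text(json.dumps(digests, indent=2, sort_keys=True))
    return archive, manifest


def verify_backup(archive: Path, manifest: Path) -> dict:
    """Restore test: extract into a scratch directory and check each file
    against the manifest. Returns a report so missing or corrupted paths
    can be logged and acted on, not just a yes/no."""
    report = {"archive_exists": archive.exists(), "missing": [], "corrupted": [], "usable": False}
    if not report["archive_exists"]:
        return report
    expected = json.loads(manifest.read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # path-safe extraction (Python 3.12+, backported)
            except TypeError:
                tar.extractall(scratch)  # older interpreters without the filter argument
        root = Path(scratch)
        for rel, digest in sorted(expected.items()):
            restored = root / rel
            if not restored.exists():
                report["missing"].append(rel)
            elif sha256_of(restored) != digest:
                report["corrupted"].append(rel)
    report["usable"] = not report["missing"] and not report["corrupted"]
    return report


def run_demo():
    """Build the constructed dataset, verify a complete backup, then verify a
    backup that silently skipped one file. Returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        dest = Path(tmp) / "backups"
        dest.mkdir()
        for rel, content in SAMPLE_FILES.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
        archive, manifest = create_backup(src, dest)
        good = verify_backup(archive, manifest)
        # Simulate a job that backed up only the config directory.
        partial = dest / "partial.tar.gz"
        write_archive(src, partial, ["config/app.yaml"])
        incomplete = verify_backup(partial, manifest)
    return good, incomplete


if __name__ == "__main__":
    good, incomplete = run_demo()
    print("complete backup usable:", good["usable"])
    print("incomplete backup report:", incomplete)
```

Schedule the verification independently of the backup job and alert when `usable` is false: a backup job that reports success while silently skipping paths is exactly the failure this check catches.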

Business Continuity

How long can the company stay down?

Which processes are critical?

Who decides during a crisis?

This is where resilience is measured.

Access and identity control

MFA, privileges, users, remote access, forgotten accounts.

Many attacks start right here.
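The two items in that list that most often go unreviewed are forgotten accounts and accounts without MFA. The following Python script is an added example (not from the original article) of a periodic identity review over a constructed account export: it flags enabled accounts that have not logged in within a threshold (or never have) and accounts without MFA, rating privileged ones higher. The account names, the 90-day threshold and the export format are assumptions for the demo; a real review would read the same fields from the directory or IdP.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Account:
    name: str
    enabled: bool
    privileged: bool
    mfa_enabled: bool
    last_login: Optional[datetime]  # None = never logged in


# Constructed sample export; none of these are real accounts.
NOW = datetime(2026, 4, 28, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, True, NOW - timedelta(days=1)),
    Account("bob", True, False, False, NOW - timedelta(days=3)),
    Account("svc-legacy-ftp", True, True, False, NOW - timedelta(days=400)),
    Account("contractor-2023", True, False, True, None),
    Account("carol", False, True, False, NOW - timedelta(days=200)),
]


def review_accounts(accounts: List[Account], now: datetime = NOW, stale_days: int = 90) -> List[dict]:
    """Return one finding per problem: {'account', 'issue', 'severity', 'detail'}.
    Disabled accounts are skipped; they are already out of the attack surface."""
    findings = []
    cutoff = now - timedelta(days=stale_days)
    for a in accounts:
        if not a.enabled:
            continue
        if a.last_login is None:
            findings.append({"account": a.name, "issue": "stale",
                             "severity": "high" if a.privileged else "medium",
                             "detail": "never logged in"})
        elif a.last_login < cutoff:
            idle = (now - a.last_login).days
            findings.append({"account": a.name, "issue": "stale",
                             "severity": "high" if a.privileged else "medium",
                             "detail": f"no login for {idle} days"})
        if not a.mfa_enabled:
            findings.append({"account": a.name, "issue": "no_mfa",
                             "severity": "high" if a.privileged else "medium",
                             "detail": "MFA not enrolled"})
    return findings


def issues_for(findings: List[dict], name: str) -> List[str]:
    """Convenience: the issue codes raised for one account."""
    return sorted(f["issue"] for f in findings if f["account"] == name)


if __name__ == "__main__":
    for f in review_accounts(SAMPLE_ACCOUNTS):
        print(f"[{f['severity']}] {f['account']}: {f['issue']} ({f['detail']})")
```

Run it from the same schedule as the rest of the continuous monitoring and treat a high-severity finding (a privileged account that is idle or lacks MFA) as a ticket with an owner, not as a report line.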

Suppliers and supply chain

Partners also become a risk.

Supplier security is part of corporate security.

Continuous monitoring

An initial audit is not enough.

Continuous control, visibility, and reaction capacity are needed.

Conclusion

The right question is not:

“do we have a checklist?”

but:

“if something happens tomorrow, are we truly ready?”