NIS2 checklist: implementation, audit, and governance
NIS2, the new European directive on cybersecurity, sets strict requirements for companies and organizations. Those falling under NIS2 must take measures quickly. If this is not done in time, significant fines will follow. These fines can amount to up to 10 million euros or 2 percent of your (European) annual revenue. Additionally, directors can be held personally liable.
Many organizations struggle to translate these rules into practice. How do you ensure your organization truly complies with NIS2? What steps do you take to properly check and document this? This NIS2 checklist helps you as an IT risk manager, auditor, or CISO to quickly gain insight. No superficial basic information, but clear, in-depth insights to get started right away.

Implementation: From Baseline to Action Plan
To implement NIS2 properly, you need a clear plan. Always start with a baseline measurement. This shows you where your organization stands and what still needs to be done.
Step 1: Involve management and arrange responsibility
The board is directly responsible for NIS2 compliance. This means you must actively involve management. Make it clear that the board is liable for mistakes. It often helps to provide concrete examples of fines imposed on other organizations. Then, designate one person to monitor the plan's progress and report to the board.
Step 2: Determine scope and status
Check carefully whether your organization falls under ‘essential’ or ‘important’ within NIS2. The requirements differ per category. In addition, clearly map out the current state of your security. What risks are already known? Where are there still weak spots?
Step 3: Perform a thorough gap analysis
Put all the requirements of NIS2 next to your current situation. Look honestly for differences and areas for improvement. An external specialist can help. Sometimes someone on the outside can see just a little more clearly where improvements are needed.
Step 4: Create an action plan
Outline in an action plan what actions your organization needs to take. Set clear short- and long-term deadlines. Focus first on urgent actions such as multifactor authentication (MFA), encryption and fixing vulnerabilities. Make sure everyone knows exactly what their job is and when something needs to be done.
Step 5: Implement mandatory measures
NIS2 asks organizations to take a number of important measures. These include establishing clear security rules, incident management and regular security training for employees. Vulnerability management, access control and protecting sensitive data with encryption are also mandatory points. Make sure you document exactly what has been done for each measure. This makes audits easier later.
Ensuring NIS2 compliance
NIS2 requires not only a good start, but also sustained attention. After establishing your action plan, it's time to check that everything is working properly. This ensures that you are always in demonstrable compliance. But how do you do that in practice?
Check operation of measures
Checking implementation starts with reviewing your measures. For example, check if the incident response plan works as intended. Regularly test your backups and verify that your encryption is in order. These types of tests give you confidence. You quickly see where improvements can still be made. It also helps to properly document all evidence, such as reports or evaluations. This will put you on solid ground during inspections by supervisory authorities.
Governance check: Responsibility and Structure
Also regularly check if the board remains actively involved. Have clear agreements been made and is everyone adhering to them? For example, ask for reports in which the board demonstrates that it takes cybersecurity seriously. This could be an approved security plan or minutes from meetings about cyber risks. These types of documents are valuable evidence later on.
Practice incident reporting regularly
According to NIS2, you must report incidents quickly. In fact, an initial report must be made within 24 hours. This requires a quick response from your organization. Therefore, conduct regular exercises in which you simulate an incident. This way you can immediately see whether your team reacts quickly enough and whether they know what to do. This will prevent you from making mistakes during real incidents that will cost your organization dearly.
Vendor control
In addition, pay close attention to how your organization handles suppliers and partners. Cybersecurity doesn't stop at your own doorstep. Regularly check whether important suppliers also comply with NIS2. For example, you can periodically check their security measures through audits or questionnaires. This prevents suppliers from unexpectedly causing problems.
Collecting and preserving evidence
Finally, make gathering evidence a standard part of your audit process. Consider reports on penetration testing, employee training or software updates. This evidence will help your organization during inspections by regulators. In this way, you avoid discussions and quickly make it clear that your organization is compliant.
Governance & Accountability: Role of Management
For a successful implementation of NIS2, you need management on board. NIS2 makes it clear that cybersecurity starts at the top of your organization. This means that cybersecurity will henceforth be a fixed part of the board agenda. But what does that look like exactly?
Act as ultimately responsible
With NIS2, management is ultimately responsible. They must ensure that cybersecurity is a priority and that all measures are implemented. This is not a task that rests solely with IT. Therefore, make cybersecurity a regular agenda item at meetings with executive board members. Show that cybersecurity is just as important as finance or marketing. This way, you prevent cybersecurity from remaining at the bottom of the agenda.
Mandatory training for directors
Many directors do not specialize in cybersecurity. NIS2 therefore requires directors to attend training on cyber risks and security. This helps them make better decisions when incidents occur. It also ensures support when budgets are needed for security measures. Training does not have to be complicated. A short workshop or practical session can already help directors get off to a good start.
Integration with other processes
Cybersecurity works best when you make it part of other processes within your organization. Therefore, build on existing ways of working such as ISO 27001 or your own risk management. This way, you prevent duplication of work. Make it clear how cybersecurity fits into your current approach. This keeps things clear and prevents confusion among employees.
Open and clear communication
A key part of NIS2 is clear communication during incidents. Ensure it's clear in advance who will communicate with regulators or customers. This prevents panic or mistakes during incidents. Also, prepare messages in advance so you can react quickly if something happens. Clear communication helps your organization maintain trust with customers and partners.
Make cybersecurity normal
It helps tremendously if cybersecurity becomes commonplace within your organization. Not something for specialists alone, but part of daily practice. Have management highlight successes and make sure employees feel safe to report incidents. Every report can make your organization stronger. So do not see cybersecurity as an obligation, but as something that makes your organization stronger and safer.
