Free Download

The NIS2 Compliance Checklist

The step-by-step checklist for NIS2 Directive compliance. From risk analysis to ENISA notification - every cybersecurity requirement covered.

Built by cybersecurity and compliance professionals who have guided essential and important entities through NIS2 readiness. This checklist gives you a clear, actionable path to compliance - whether you're building your security program from scratch or closing gaps before enforcement begins.

Actionable checklist — not just theory
Used by compliance teams across Europe
PDF format — print or share with your team
Completely free, no credit card needed

Get Your Free Checklist

No credit card required. Instant download.

By downloading, you agree to receive the checklist and optional compliance updates. Unsubscribe anytime.

What's inside

Everything you need to get compliant.

Risk Analysis Requirements - comprehensive cybersecurity risk assessment framework
Incident Handling Procedures - 24-hour early warning and 72-hour notification workflows
Supply Chain Security checklist - third-party ICT risk assessment and contractual requirements
Business Continuity planning - backup management, disaster recovery, and crisis response
Encryption and Access Control requirements - technical security measures and implementation
Vulnerability Disclosure procedures - coordinated vulnerability handling and patch management
ENISA Notification Process - step-by-step regulatory reporting templates and timelines
Management Accountability framework - board-level oversight and personal liability provisions
Cross-Border Coordination guide - multi-jurisdiction incident reporting and CSIRT engagement
Cyberhygiene Training program - employee awareness, phishing defense, and security culture

Trusted by 50+ European financial institutions

NIS2ISO 27001DORA

Frequently Asked Questions

Does NIS2 apply to my organization?

NIS2 applies to essential entities (energy, transport, banking, health, digital infrastructure, ICT service management, public administration) and important entities (postal, waste, chemicals, food, manufacturing, digital providers, research). If you have 50+ employees or EUR 10M+ revenue in these sectors, NIS2 likely applies to you.

What are the NIS2 incident reporting deadlines?

NIS2 requires a three-stage notification: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours with an initial assessment, and a final report within one month with root cause analysis and remediation measures.

What happens if we don't comply with NIS2?

Non-compliance can result in fines up to EUR 10 million or 2% of global annual turnover for essential entities (EUR 7 million or 1.4% for important entities). Management bodies can also be held personally liable, with potential temporary bans from management functions.

How does NIS2 relate to ISO 27001?

ISO 27001 provides an excellent foundation for NIS2 compliance, as both focus on risk-based cybersecurity management. However, NIS2 adds specific requirements around incident reporting timelines, supply chain security, and management accountability that go beyond ISO 27001. This checklist maps the gaps between them.

Get started

Ready to automate your compliance?

The checklist is just the beginning. Matproof automates evidence collection, policy generation, and continuous monitoring — so you can focus on your business.

Start free trialView pricing