Free tool

NIS2 checklist

24 items across six areas matching NIS2 Art. 21 requirements. Check off as you progress. Nothing is stored on our servers; your answers stay in your browser.

How the checklist works

The checklist covers what NIS2 Art. 21 requires of essential and important entities, from scope assessment to board engagement. It doesn't replace a formal NIS2 review with legal counsel or a security consultant, but it gives you a clear picture of where you stand.

Your answers are saved automatically in your browser's localStorage. Close the tab and come back, and your answers are still there. Clear the cache and they're gone.

1. Scope: are you in scope for NIS2?

2. Risk management (Art. 21.2 a)

3. Incident handling (Art. 21.2 b)

4. Continuity and backup (Art. 21.2 c)

5. Supply-chain security (Art. 21.2 d)

6. Access and encryption (Art. 21.2 e, j)

7. Governance and training (Art. 20, Art. 21.2 g, h)

Frequently asked questions about the NIS2 checklist

Is this list official?

No. It's our interpretation of NIS2 Art. 21 translated into practical control points. It doesn't replace legal advice or your authority's guidance. Use it as a starting point for internal discussions.

Are my answers saved?

Only in your browser's localStorage, locally on your computer, not on our servers. Clear cache and they're gone. Copy the result to Excel or Word if you want to keep it.

What if we check everything?

Then you have a very solid base for NIS2 compliance. But the checklist doesn't replace formal supervision, documentation, or legal review. Contact a NIS2 consultant or the supervisory authority for certification steps.

Are we even in scope for NIS2?

The first group of the checklist helps you decide. Generally: medium and large companies (over 50 employees or €10 million) in essential or important sectors. Exceptions exist; see the national authority.

How do we build the risk register NIS2 requires?

RiskNote provides a risk register built on ISO 31000 (which NIS2 is built on). See our guides to [NIS2](/en/ramverk/nis2) and [risk assessment](/en/guide/riskbedomning) for more depth.

Build the NIS2 risk register in RiskNote

Once the checklist is done you'll need a living risk register. RiskNote is built on ISO 31000, the standard NIS2 is based on. 7-day free trial.