NIS2 checklist for managers
Eight things a manager needs in place for the company to stand up to NIS2. Treat it as a first pass: if you can answer yes to each item and point to documentation, you're in good shape for supervision and audits.
This article is general guidance, not legal advice.
1. Do you know whether the directive applies to you?
The first step is a formal assessment: does the company operate in a sector covered by NIS2, and is it above the size threshold (generally more than 50 employees or over 10 million euros in annual turnover)? Document the conclusion even if the answer is no, because customers and insurers will ask. Remember the requirements reach suppliers of covered companies indirectly.
2. Is the board clear about its accountability?
NIS2 puts the accountability on management, not the IT department. The board approves the security measures, oversees their implementation and undergoes training itself. Neglect can carry personal liability. The checklist item: board minutes approving the security policy, and confirmation that board members have completed training.
3. Does a risk assessment exist?
The foundation of every measure is a documented assessment of which systems and data matter most and what threatens them. It doesn't need to be a hundred pages, but it needs to exist, be kept current, and every measure you take needs to trace back to a risk it identifies.
4. Are the basic defences in place?
Article 21 lists the measures that must be in place. In practice these matter most:
- Multi-factor authentication (MFA) on all access, especially email and admin accounts.
- Backups taken regularly, stored separately and tested with actual restores.
- Security updates applied without delay.
- Access control: each employee has only the access the job requires.
- Encryption of data in transit and at rest where applicable.
5. Do you have a grip on the supply chain?
The company is responsible for the security of the services it buys. The checklist item: a list of key suppliers and software services, an assessment of their security, and security requirements in contracts with those who handle company data.
6. Does an incident process exist, and has it been exercised?
Significant incidents must be reported to the supervisory authority with an early warning within 24 hours and a fuller notification within 72 hours. That's only achievable if the process exists beforehand: who assesses an incident, who reports, where and how. A documented response plan and at least one exercise per year is a realistic minimum.
7. Is staff training regular and documented?
Cybersecurity training for staff is named explicitly in Article 21. A one-off course doesn't satisfy it: training must be regular, reach all staff and leave proof of who completed what and when. This is the obligation that's easiest to get fully right straight away, and it delivers the most in practice because most attacks target people.
8. Can you prove all of the above?
Supervision and audits run on evidence, not promises. For every item on this list there should be a document: the applicability assessment, board minutes, the risk assessment, an overview of defences, the supplier list, the response plan and training records. If the evidence is produced automatically by the systems you use, the work is nearly zero.
Frequently asked questions
- Where should a company start with NIS2?
  - With a formal assessment of whether the directive applies, then getting the board involved, putting the basic defences in place (MFA, backups, updates) and starting regular, documented staff training.
- What has to be documented under NIS2?
  - The risk assessment, the security measures, board approval and oversight, supplier assessments, the incident response plan and staff training records: who completed what and when. Supervision runs on evidence.
- What are the incident reporting deadlines?
  - An early warning to the supervisory authority within 24 hours of detecting a significant incident, and a fuller notification within 72 hours. That requires the response process to be defined in advance.
- Does the board itself have to undergo training?
  - Yes. Under Article 20 of NIS2, the board approves the security measures, oversees them and undergoes training itself. Managers can be held personally liable for neglect.
Item 7 takes three minutes to set up
Varhugi handles regular, documented staff security training: monthly modules in Icelandic, automatic certificates and a one-click audit report.