Mondoo
Compliance

NIS2 Compliance Checklist

A practical, step-by-step NIS2 compliance checklist drawn from the published text of the directive. Work through scope, the ten Article 21 requirements, and incident reporting, then take your marked-up checklist with you. Use it to orient your own review, not as a determination of compliance.

NIS2 is in force

The EU transposition deadline (17 October 2024) has passed; member states set the binding rules in national law (in Germany, via the amended BSI Act).

NIS2 in brief

NIS2 is the EU's cybersecurity directive (Directive (EU) 2022/2555). It applies to medium and large organizations in covered sectors, and to their supply chains.

In scope
Essential entities
  • Energy
  • Transport
  • Banking
  • Health
  • Water
  • Digital infrastructure
  • Public administration
  • Space

Annex I

Important entities
  • Manufacturing
  • Chemicals
  • Food
  • Postal
  • Waste
  • Digital providers
  • Research

Annex II

Both must meet the same Article 21 security requirements.

Suppliers

even if you are not directly in scope, organizations that are must address supply chain security, so you may face security requirements as a third party.

Use the checklist to self-assess. National law sets the binding thresholds.

How Mondoo makes NIS2 easier

NIS2 does not reward longer lists of findings. It asks you to manage vulnerabilities on an ongoing basis (Article 21.2.e) and to show that your security measures actually work (Article 21.2.f). Both demand continuous finding, fixing, and a standing audit trail, not a once-a-year document. That is exactly what Mondoo does.

Two ways to run it

Do it yourself.

Use the Mondoo platform to run continuous assessment, map controls to NIS2 and 30+ other frameworks, and generate audit-ready reports with your own team.

Have Mondoo do it for you.

Our Managed Vulnerability Service acts as an extension of your team, prioritizing and remediating gaps and keeping evidence current between audits, while you keep full control and approve every change.

Learn about the Managed Vulnerability Service

Why teams choose Mondoo for NIS2

Find and fix, not just flag. Most tools hand you a list. Mondoo closes the loop through to a verified fix, which is what Article 21.2.e actually asks for.

80%
reduction in audit prep time

A continuous audit trail. Evidence is collected as you go, so proving effectiveness under Article 21.2.f is a report, not a fire drill.

30+
frameworks covered simultaneously

One control, many frameworks. NIS2 overlaps heavily with ISO 27001 and others. Mondoo maps a single control across 30+ frameworks, so you are not doing the work several times.

95%+
continuous compliance score

Go deeper with the full NIS2 guide

For the complete walkthrough, including the NIS2 to ISO/IEC 27001:2022 control mapping and detailed sector tables, download our in-depth NIS2 guide.

NIS2 frequently asked questions

What is NIS2?

NIS2 is the EU's Network and Information Systems Directive (Directive (EU) 2022/2555). It updates and broadens the original 2016 NIS Directive to strengthen cybersecurity across the EU, extending the sectors and entities in scope, adding management accountability, and standardizing incident reporting.

Who does NIS2 apply to?

It applies to medium and large organizations in the covered sectors, such as energy, transport, banking, health, and water under Annex I (essential), and manufacturing, food, chemicals, and digital providers under Annex II (important), plus their supply chains. You self-assess against size and sector; national law sets the binding thresholds.

What are the NIS2 requirements?

Article 21 lists ten minimum risk-management measures, ranging from risk policies and incident handling to supply chain security, vulnerability handling, cryptography, access control, and multi-factor authentication. Article 23 sets incident reporting obligations.

When was the NIS2 deadline?

The EU transposition deadline was 17 October 2024 and has passed. NIS2 is now implemented through national law, and timelines and specifics vary by member state. Confirm the rules that apply to you with your national authority.

What are the penalties for NIS2 non-compliance?

Under the directive, essential entities can face fines up to 10 million euros or 2% of total worldwide annual turnover, and important entities up to 7 million euros or 1.4%. Management bodies can also be held accountable. National implementing laws set the figures that apply in each country.

How does NIS2 apply in Germany?

Germany implements NIS2 through its amended BSI Act, with the BSI as the competent authority and a registration obligation for in-scope entities. German national law defines its own entity categories and thresholds, so confirm the specifics against the German rules.

Sources

Every requirement above is drawn from the published text of the NIS2 Directive (Directive (EU) 2022/2555), in particular Article 21 (risk-management measures) and Article 23 (reporting obligations).

  • NIS2 Directive, full text: eur-lex.europa.eu/eli/dir/2022/2555/oj
  • For national rules, consult your member state's competent authority (in Germany, the Federal Office for Information Security, BSI).

This is an informational overview based on the published text of the NIS2 Directive. It is not legal advice, and completing it does not constitute or guarantee compliance with NIS2 or any national implementing law. NIS2 is implemented through national legislation, which may impose additional or different requirements; confirm the rules that apply to you with your national authority and a qualified advisor. Last reviewed June 2026.