The NIS2 Directive (EU 2022/2555) came into force in January 2023, replacing the original NIS Directive from 2016. Member states were required to transpose NIS2 into national law by October 17, 2024, and national regulators are now actively enforcing its requirements. NIS2 significantly expands the scope of cybersecurity obligations across the EU, bringing thousands of additional organizations under mandatory compliance requirements for the first time. Organizations that fell outside the original NIS Directive — including mid-sized manufacturers, chemical companies, food producers, and digital service providers — may now find themselves classified as “important entities” subject to binding security measures and incident reporting obligations. The penalties for non-compliance are severe: up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% of global turnover for important entities. This guide explains what NIS2 requires, who is affected, and how to systematically assess your organization’s readiness.
1. What NIS2 Requires
The heart of NIS2 is Article 21, which sets out the specific security measures that all in-scope entities must implement. These are not aspirational recommendations — they are mandatory obligations enforceable by national supervisory authorities. Article 21 organizes required measures across five broad security domains:
Risk Management & Governance
Entities must implement a systematic approach to identifying, analyzing, and treating cybersecurity risks. This includes adopting security policies covering incident response, business continuity, supply chain security, access control, and the use of cryptography. Critically, Article 20 establishes that members of the management body — boards of directors and senior executives — are personally accountable for approving these measures and overseeing their implementation. Management body members are also required to complete regular cybersecurity training.
Incident Reporting
NIS2 establishes a strict multi-stage incident reporting timeline. When a significant incident occurs, organizations must:
- Within 24 hours: Submit an early warning to the national CSIRT or competent authority, indicating whether the incident is suspected to be malicious and whether it has cross-border impact.
- Within 72 hours: Provide a detailed incident notification with an initial assessment of severity, impact, and indicators of compromise.
- Within one month: Submit a final report with a full description of the incident, its root cause, mitigation measures, and cross-border impacts if applicable.
An incident is considered “significant” if it causes or is capable of causing severe operational disruption, or if it affects other organizations. Organizations must also report significant incidents to recipients of their services where the incident is likely to adversely affect them.
Access Control & Authentication
Article 21 explicitly requires entities to implement appropriate access control policies, including multi-factor authentication (MFA) or continuous authentication solutions for privileged and remote access. Single-factor authentication for critical systems and administrative accounts is no longer considered adequate under NIS2. Organizations must document access policies, enforce least-privilege principles, and review privileged access on a regular basis.
Supply Chain Security
Organizations must assess the security of their ICT supply chain, including the security practices of direct suppliers and service providers. This requires maintaining an inventory of critical third-party dependencies, performing security assessments of key vendors, including cybersecurity clauses in contracts, and monitoring for vulnerabilities in third-party components. Supply chain security is consistently identified by national regulators as the area with the most significant compliance gaps.
Business Continuity
Entities must maintain business continuity plans that address cybersecurity incidents, including backup management procedures, disaster recovery plans, and crisis management capabilities. These plans must be regularly tested — not just documented and filed.
2. Who Is Affected by NIS2
NIS2 divides in-scope organizations into two tiers: Essential Entities and Important Entities. The classification determines the level of supervisory oversight (ex ante vs. ex post) and the maximum applicable penalties, but both categories must implement the same Article 21 security measures.
Essential Entities
The following sectors automatically fall within the essential entity classification if they meet the size thresholds:
- Energy (electricity, oil, gas, hydrogen, district heating/cooling)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health sector (including hospitals, pharmaceutical manufacturers, and medical device makers)
- Drinking water and wastewater
- Digital infrastructure (internet exchange points, DNS providers, TLD registries, data centers, cloud computing, CDNs, electronic communications networks)
- ICT service management (managed service providers and managed security service providers)
- Public administration (central government bodies)
- Space sector
Important Entities
Organizations in the following sectors are classified as important entities:
- Postal and courier services
- Waste management
- Chemical production and distribution
- Food production, processing, and distribution
- Manufacturing (medical devices, computers, electronic equipment, machinery, motor vehicles)
- Digital providers (online marketplaces, search engines, social networking platforms)
Size Thresholds
In most cases, NIS2 applies to organizations with at least 50 employees and €10 million annual turnover (qualifying as medium enterprises). Essential entities in certain critical sectors also include large enterprises with 250+ employees and €50 million+ turnover. However, size thresholds do not apply to critical infrastructure operators, qualified trust service providers, and several other categories — those entities are in scope regardless of size.
3. Common NIS2 Compliance Gaps
Based on assessments conducted across EU member states, regulatory guidance from national CSIRTs, and pre-audit findings from compliance specialists, the following areas represent the most frequently identified gaps:
Most organizations fail NIS2 assessments due to supply chain risk management and MFA gaps. These two areas alone account for over 60% of critical findings in pre-audit assessments.
Source: Skyhigh Cybersecurity Research — Analysis of 200+ NIS2 readiness engagements, Q1 2026
Supply Chain Risk Management
The most common critical gap is the absence of a formal third-party risk management program. Many organizations have informal vendor review processes but lack documented security assessments for critical suppliers, contractual security requirements in vendor agreements, or ongoing monitoring of third-party risk exposure. NIS2 requires a systematic approach covering vendor selection, contractual security clauses, ongoing monitoring, and procedures for managing incidents originating from the supply chain.
Multi-Factor Authentication
Despite MFA being a widely recognized control, a significant proportion of organizations still rely on single-factor authentication for administrative accounts, remote access VPNs, and email. NIS2 explicitly requires MFA for these access scenarios. Organizations also frequently lack continuous authentication mechanisms for privileged access to critical systems.
Security Awareness Training
Article 21 requires mandatory security awareness training for all employees, with targeted training for roles with elevated risk exposure. Many organizations conduct annual tick-box training but lack documented training programs, tracking of completion rates, or evidence that training content is updated to reflect current threats. Management body training on cybersecurity risk, explicitly required under Article 20, is almost universally absent.
Incident Response Planning
Most organizations have some form of incident response documentation, but NIS2 compliance requires tested IR plans with documented procedures for the 24-hour early warning and 72-hour detailed notification timelines. Organizations frequently lack specific playbooks for regulatory notification, defined roles and responsibilities for notification decisions, and evidence of tabletop exercises that have tested the notification process.
Board-Level Cybersecurity Governance
Article 20 personal liability provisions for management body members are a significant departure from previous EU cybersecurity requirements. Most organizations have not yet formally assigned cybersecurity accountability at board level, established regular board-level cybersecurity reporting, or ensured that management body members have received the cybersecurity training NIS2 requires.
4. How to Assess Your Readiness
A structured NIS2 readiness assessment covers five steps. Working through each systematically gives you an accurate picture of your current compliance posture and a prioritized remediation plan.
1. Map your entity classification. Determine whether your organization falls within NIS2 scope, and whether you are classified as an essential or important entity. Check both sector classification and size thresholds. If in doubt, your national competent authority’s guidance documents provide sector-specific classification criteria. Note that some countries have extended NIS2 to additional sectors during transposition.
2. Review Article 21 security measures. Conduct a structured inventory of your current security controls against each of the 10 specific security measures listed in Article 21(2). Document your current state for each measure: fully implemented, partially implemented, or not implemented. Be honest — this assessment is only useful if it reflects reality.
3. Document your current controls. Gather evidence of existing controls: policies, procedures, configuration standards, training records, incident logs, and third-party assessments. National supervisory authorities will request this evidence during audits and inspections. Gap assessments are far more credible when they are evidence-based rather than self-declared.
4. Identify gaps and prioritize. Compare your documented control state against NIS2 requirements. Rank gaps by risk level: critical gaps (absent controls that directly expose the organization to significant risk), major gaps (controls present but inadequate), and minor gaps (documentation or process improvements needed). Focus remediation resources on critical and major gaps first.
5. Build a remediation roadmap. Translate prioritized gaps into a time-bound project plan with owners, milestones, and budget. Share the roadmap with your management body to fulfill the governance requirements of Article 20. Schedule quarterly progress reviews, and use tabletop exercises to test implemented controls under realistic incident conditions.
Using Our Free Assessment Tool
Our NIS2 readiness assessment tool walks you through a structured questionnaire covering all Article 21 security domains. It takes approximately 5 minutes to complete and generates an instant compliance score across each domain, with specific gap findings and recommended remediation steps. The assessment is free, requires no registration for basic results, and produces a printable report you can use to brief your management body.
5. NIS2 Compliance Checklist
Use this checklist to quickly gauge your current NIS2 compliance posture. Each item represents a mandatory requirement under the Directive. A fully compliant organization should be able to evidence all 10 items.
- Entity classification confirmed — You have determined whether you are an essential or important entity and documented the basis for that classification.
- Risk management framework in place — A documented cybersecurity risk management policy exists, has been approved by the management body, and is reviewed at least annually.
- Incident response plan documented and tested — Your IR plan includes specific procedures for the 24-hour early warning and 72-hour detailed notification timelines, with tested notification decision workflows.
- Supply chain security controls implemented — Critical third-party vendors have been assessed, security requirements are included in contracts, and ongoing monitoring is in place.
- Multi-factor authentication deployed — MFA is enforced for all administrative accounts, remote access, and privileged system access. Single-factor authentication has been eliminated from critical access paths.
- Executive accountability established — Management body members have been briefed on NIS2 personal liability provisions, cybersecurity is on the board agenda, and management members have received required cybersecurity training.
- Vulnerability management program active — You have a documented process for identifying, assessing, and remediating vulnerabilities in your network and systems, with defined patching timelines based on severity.
- Encryption in use for sensitive data — Data at rest and in transit is encrypted using current standards. Key management procedures are documented and keys are rotated regularly.
- Business continuity plan tested — A documented BCP/DRP addresses cybersecurity incidents, includes backup verification procedures, and has been tested within the last 12 months.
- Regular security testing conducted — Penetration testing or equivalent security assessments are conducted at least annually and findings are tracked to remediation with documented timelines.
Next Steps & Related Resources
Once you have your NIS2 readiness baseline, the most effective next step is stress-testing your incident response and notification procedures through tabletop exercises. Realistic scenario-based exercises reveal gaps in your 24/72-hour notification workflows that documentation reviews alone will not surface. The Skyhigh Cybersecurity platform includes NIS2-mapped tabletop scenarios across all major sectors, enabling you to practice notification decision-making and board-level crisis communication in a safe, facilitated environment.