🏛️ Art. 20–21 · Governance & Risk Management

NIS2 Article 20 requires management bodies to approve cybersecurity risk management measures and oversee their implementation. Article 21.1 mandates proportionate technical and organizational risk management measures.

Q1 · Domain 1: Board-approved cybersecurity risk management policy exists?
Q2 · Domain 1: Annual formal cybersecurity risk assessments conducted?
Q3 · Domain 1: Cybersecurity roles and accountabilities formally documented?
Q4 · Domain 1: Cybersecurity strategy with defined KPIs and objectives exists?
Q5 · Domain 1: Third-party and supplier risk management process established?
🚨 Art. 23 · Incident Handling & Reporting

NIS2 Article 23 requires entities to notify their national competent authority (NCA) of significant incidents within 24 hours (early warning) and 72 hours (full notification). Article 21.2(b) mandates documented incident handling procedures.

Q1 · Domain 2: Incident response plan with defined roles and escalation paths documented?
Q2 · Domain 2: Significant incidents detected and classified within 24 hours?
Q3 · Domain 2: NCA notification process for significant cybersecurity incidents established?
Q4 · Domain 2: After-action reviews (AARs) conducted and documented after every significant incident?
Q5 · Domain 2: Incident response exercises (tabletop or live drill) conducted at least annually?
🔗 Art. 21.2(d) · Supply Chain Security

NIS2 Article 21.2(d) requires entities to address security in the supply chain, including the security-related aspects of the relationships between each entity and its direct suppliers or service providers.

Q1 · Domain 3: Inventory of critical ICT service providers and suppliers maintained?
Q2 · Domain 3: Cybersecurity requirements included in supplier contracts?
Q3 · Domain 3: Annual cybersecurity assessments of key suppliers performed?
Q4 · Domain 3: Open-source component security evaluation process exists?
Q5 · Domain 3: Supply chain incident response procedure documented?
🔄 Art. 21.2(c) · Business Continuity & Crisis Management

NIS2 Article 21.2(c) mandates business continuity measures, including backup management, disaster recovery, and crisis management. Entities must demonstrate tested and documented recovery capabilities.

Q1 · Domain 4: Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP) documented?
Q2 · Domain 4: BCPs and DRPs tested through exercises at least annually?
Q3 · Domain 4: Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) defined for critical systems?
Q4 · Domain 4: Offline backups with regular integrity testing maintained?
Q5 · Domain 4: Crisis management process for regulator and stakeholder coordination defined?
🔐 Art. 21.2(h) and (i) · Access Control & Cryptography

NIS2 Article 21.2(i) covers access control policies and asset management. Article 21.2(h) mandates the use of multi-factor authentication, secured communication, and encrypted communications where appropriate.

Q1 · Domain 5: MFA enforced for all privileged accounts and remote access?
Q2 · Domain 5: Least-privilege access model with quarterly access reviews applied?
Q3 · Domain 5: Encryption standards for data at rest and in transit defined and enforced?
Q4 · Domain 5: Cryptographic key management policy with rotation schedules exists?
Q5 · Domain 5: Immediate access deprovisioning process for departing or role-changing employees established?