NIS2 Compliance Checklist: What Your ISMS Covers and What It Doesn't
2026-02-22
By Anna Bley

The complete overview: All ten risk management measures from Article 21, assessed against a typical ISO 27001 ISMS. Where you stand, where the gaps are, and what you need to add operationally.


Every organization that falls under NIS2 asks the same question: How much of this do we already have? The answer depends on how you define "have." If it means "we have a documented process" – then an ISMS aligned with ISO 27001 covers roughly 70%. If it means "we can operationally execute this and prove it on demand" – the math looks different.

This checklist walks through each of the ten risk management measures from Article 21(2) individually: What does NIS2 require? What does a typical ISMS deliver? Where's the gap? And what needs to be added operationally?


How to Read This Checklist

The ten measures from Article 21(2) of the NIS2 Directive are the core of the regulatory requirements. National implementations translate them into binding law. For each measure, this checklist assesses:

  • ✅ ISMS covers this — An ISMS aligned with ISO 27001:2022 delivers the essential processes and controls.
  • ⚠️ ISMS provides foundation, but operational addition needed — The governance framework is in place, but operational execution under NIS2 requirements goes beyond it.
  • ❌ ISMS doesn't cover this — The requirement falls outside what an ISMS was designed for.

The assessment refers to a typical, well-implemented ISMS under ISO 27001:2022 – not a minimal or maximally extended one. Actual coverage depends on the specific implementation in your organization.


The Ten Measures in Detail

(a) Policies on Risk Analysis and Information System Security

What NIS2 requires: Policies for risk analysis and information system security – including regular review and updates.

ISMS coverage: ✅ Core component

This is the heart of ISO 27001. Risk assessment, risk treatment, Statement of Applicability, regular reviews – all part of the standard repertoire of a certified ISMS. Typically no action needed here.

Remaining task: Ensure your risk analysis accounts for the specific operational aspects of NIS2 – particularly incident reporting, supply chain, and proof of effectiveness requirements that go beyond the classic CIA triad.


(b) Incident Handling

What NIS2 requires: Measures for the prevention, detection, and management of security incidents – in conjunction with the reporting obligations under Article 23 (early warning 24h, notification 72h, final report 1 month).

ISMS coverage: ⚠️ Foundation yes, operational capability missing

ISO 27001 requires an incident management process (Annex A, A.5.24-A.5.28). Most implementations include an incident response plan with roles, escalation paths, and post-incident review processes.

The gap: The plan describes what should happen. NIS2 evaluates whether it actually happens – under time pressure. The 24-hour early warning deadline requires real-time operational coordination between Security, Legal, Communications, and executive management. It also requires parallel management of GDPR reporting obligations, versioned documentation during the incident, and templates for regulatory reports.

What to do: Build an incident management system that goes beyond the plan. Run tabletop exercises against the 24h deadline. Prepare templates for all three reporting stages.

NIS2 Incident Reporting: How to Actually Meet the 24-Hour Deadline


(c) Business Continuity and Crisis Management

What NIS2 requires: Business continuity management, backup management and disaster recovery, and crisis management.

ISMS coverage: ✅ Covered

ISO 27001 addresses business continuity directly (Annex A, A.5.29-A.5.30). Most ISMS implementations include BCM plans, backup strategies, and recovery procedures. Organizations that have additionally implemented ISO 22301 are particularly well positioned.

Remaining task: Verify that your BCM plans cover NIS2-specific scenarios – particularly cyber incidents with simultaneous reporting obligations. The connection between crisis management and the Article 23 reporting regime must be established.


(d) Supply Chain Security

What NIS2 requires: Supply chain security including security-related aspects of relationships with direct suppliers and service providers. Consideration of the specific vulnerabilities of each individual supplier and the overall quality of cybersecurity practices.

ISMS coverage: ⚠️ Point-in-time assessment, no continuous monitoring

ISO 27001 addresses supplier relationships (Annex A, A.5.19-A.5.23). Most implementations include supplier categorization, assessment questionnaires at onboarding, and annual re-assessments.

The gap: NIS2 doesn't require an annual snapshot but ongoing control. This means: continuous monitoring of suppliers' security posture, event-triggered re-assessments when conditions change, an integrated evidence overview of the status of all relevant suppliers, and structured communication during supply chain security incidents.

What to do: Build monitoring capability. Shift the assessment model from cyclical to trigger-based. Add NIS2-specific clauses to contractual foundations. Shift evidence from filing to retrieval.

NIS2 Supply Chain Security: Why Annual Vendor Assessments Are No Longer Enough


(e) Security in Network and Information Systems Acquisition, Development, and Maintenance

What NIS2 requires: Security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure.

ISMS coverage: ✅ Largely covered

ISO 27001 addresses secure development (Annex A, A.8.25-A.8.34), vulnerability management (A.8.8), and change management. Most ISMS implementations include policies for secure development, patch management, and vulnerability handling.

Remaining task: Verify that your vulnerability disclosure processes meet NIS2 requirements. ENISA's implementation guidance goes beyond typical ISMS implementations in some areas here.


(f) Policies and Procedures to Assess the Effectiveness of Cybersecurity Risk-Management Measures

What NIS2 requires: Policies and procedures to assess the effectiveness of cybersecurity measures – in conjunction with expanded supervisory powers (authorities can request evidence at any time).

ISMS coverage: ⚠️ Process yes, continuous evidence no

ISO 27001 requires internal audits, management reviews, and continual improvement. These mechanisms exist in every certified ISMS.

The gap: ISO 27001 operates in planned cycles. NIS2 gives supervisory authorities the power to request evidence at any time. Effectiveness must not only be assessed but also be demonstrable on demand – with verifiable artifacts, metadata, and current evidence, not audit reports from last quarter.

What to do: Shift evidence management from "audit preparation" to "continuous availability." Equip artifacts with versioning, validity periods, and ownership. Build the capability to respond to authority requests within days – not weeks.
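As an added illustration of the "continuous availability" posture described above (example code, not from the article or any product), the check below assumes an evidence register in which each artifact carries a version, a validity period and an owner, and reports per Article 21(2) measure what would block handing over current evidence today; the register schema, the five-day response window and the sample entries are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Artifact:
    # Register schema constructed for this example; not from the article or any tool.
    name: str           # logical evidence item, e.g. "internal-audit-report"
    version: int        # a newer version supersedes older ones of the same name
    measure: str        # Article 21(2) letter the artifact evidences, "a" .. "j"
    issued: date
    validity_days: int  # how long the artifact counts as current evidence
    owner: str          # "" means nobody is accountable for renewing it

def artifact_findings(a, today, window_days=5):
    """Why this artifact could not be handed over as current evidence today.
    window_days (assumed) is the time needed to answer an authority request."""
    findings = []
    expires = a.issued + timedelta(days=a.validity_days)
    if not a.owner:
        findings.append("no owner")
    if expires <= today:
        findings.append("expired")
    elif expires <= today + timedelta(days=window_days):
        findings.append("expires within response window")
    return findings

def evidence_gaps(register, today, window_days=5):
    """Map each measure (a..j) to what blocks on-demand proof; 'no evidence' first."""
    latest = {}  # highest version per name; older copies are superseded and ignored
    for a in register:
        if a.name not in latest or a.version > latest[a.name].version:
            latest[a.name] = a
    gaps, covered = {}, set()
    for a in latest.values():
        f = artifact_findings(a, today, window_days)
        if f:
            gaps.setdefault(a.measure, []).append(f"{a.name} v{a.version}: {', '.join(f)}")
        else:
            covered.add(a.measure)
    for m in "abcdefghij":
        if m not in covered:
            gaps.setdefault(m, []).insert(0, "no evidence")
    return gaps
TODAY = date(2026, 2, 22)  # assessment date (the article's date); register below is constructed
SAMPLE_REGISTER = [
    Artifact("risk-assessment", 3, "a", date(2025, 12, 1), 365, "CISO"),
    Artifact("risk-assessment", 2, "a", date(2024, 12, 1), 365, "CISO"),  # superseded
    Artifact("internal-audit-report", 1, "f", date(2025, 5, 20), 180, "Audit lead"),
    Artifact("supplier-monitoring-export", 1, "d", date(2026, 2, 20), 7, ""),
    Artifact("tabletop-exercise-record", 2, "b", date(2026, 1, 15), 90, "IR lead"),
]
```

Running `evidence_gaps(SAMPLE_REGISTER, TODAY)` on this register shows (a) and (b) provable today, (f) blocked by an expired audit report, (d) by an unowned export that lapses inside the response window, and the remaining measures with no evidence at all.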

NIS2 Audit Readiness: From Documentation to Continuous Evidence


(g) Basic Cyber Hygiene Practices and Cybersecurity Training

What NIS2 requires: Basic cyber hygiene practices and cybersecurity training – including the obligation for executive management to undergo regular training themselves (Art. 20(2)).

ISMS coverage: ✅ Covered

Awareness programs and training are standard in every ISO 27001 ISMS (Annex A, A.6.3). Most organizations have regular security awareness training in place.

Remaining task: NIS2 makes the training obligation explicitly a duty of executive management – not just employees. Verify that your executive management demonstrably participates in cybersecurity training. This evidence is directly relevant to personal liability.


(h) Policies and Procedures Regarding the Use of Cryptography and Encryption

What NIS2 requires: Policies and procedures for the use of cryptography and, where appropriate, encryption.

ISMS coverage: ✅ Covered

ISO 27001 addresses cryptography comprehensively (Annex A, A.8.24). Most ISMS implementations include cryptography policies, key management processes, and encryption standards.

Remaining task: No significant gap. Ensure your policies are current and reflect the state of the art.


(i) Human Resources Security, Access Control Policies, and Asset Management

What NIS2 requires: Personnel security, access control policies, and asset management.

ISMS coverage: ✅ Covered

All three areas are core to ISO 27001: human resources security (A.6.1-A.6.8), access control (A.8.1-A.8.5), and asset management (A.5.9-A.5.14).

Remaining task: No significant gap. Ensure multi-factor authentication is implemented where NIS2 requires it (see point (j)).


(j) Multi-Factor Authentication, Secured Communications, and Secured Emergency Communications

What NIS2 requires: Use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems – "where appropriate."

ISMS coverage: ⚠️ Partially covered

ISO 27001 addresses authentication and secure communications, but not with the specificity NIS2 applies here. The requirement for secured emergency communications in particular goes beyond typical ISMS implementations.

The gap: Most organizations have MFA for standard access. But: Are there secured communication channels for crisis situations that function even when the regular IT infrastructure is compromised? Is there encrypted communication for incident coordination – between Security, Legal, executive management, and potentially authorities?

What to do: Audit MFA coverage for completeness. Establish emergency communication channels that operate independently from regular infrastructure. Ensure encrypted communication for incident coordination.


The Full Overview

#    Measure (Art. 21(2))                                  ISMS   Gap?                              Priority
(a)  Risk analysis and security policies                  ✅     –                                 Low
(b)  Incident handling                                    ⚠️     Operational 24h/72h capability    High
(c)  Business continuity and crisis management            ✅     –                                 Low
(d)  Supply chain security                                ⚠️     Continuous monitoring             High
(e)  Security in acquisition, development, maintenance    ✅     Check vulnerability disclosure    Medium
(f)  Effectiveness evaluation                             ⚠️     Continuous evidence               High
(g)  Cyber hygiene and training                           ✅     Executive training evidence       Low
(h)  Cryptography and encryption                          ✅     –                                 Low
(i)  Personnel security, access control, assets           ✅     –                                 Low
(j)  MFA and secured emergency communications             ⚠️     Emergency communications          Medium

The pattern: The governance measures (a, c, e, g, h, i) are largely covered by an ISMS. The operational measures (b, d, f, j) require additions that go beyond the documentation layer.

Three gaps stand out – all with "High" priority:

  1. Incident Management (b): Reporting obligations apply now, deadlines are fixed, capability is missing in most organizations.
  2. Supply Chain Security (d): The most complex gap, requiring the longest to close.
  3. Proof of Effectiveness (f): Becomes a problem at the first authority contact – which can happen at any time.

How to Use This Checklist

Step 1: Self-Assessment

Walk through each of the ten measures and assess honestly: Not "do we have a process?" but "can we operationally execute this under time pressure, against external parties, with verifiable evidence?"

Step 2: Prioritize Gaps

Use the priority column as a starting point. The three "High" gaps should be addressed first – they carry the highest regulatory urgency and greatest risk during an authority review.

Step 3: Plan the Operational Build

For each identified gap: What do we concretely need? What system, process, or capability? The deep-dive articles on the individual topics provide the details.

Step 4: Connect ISMS and Operational Systems

The goal isn't to replace the ISMS – it's to supplement it with the operational layer NIS2 additionally requires: the ISMS for internal control, a Trust Center for external communication and evidence.


Sources

  1. Directive (EU) 2022/2555 (NIS2 Directive) – Full Text – Article 21(2)(a-j) on the ten risk management measures.
  2. BSI – NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) – § 30 BSIG on the national implementation of risk management measures.
  3. ISO/IEC 27001:2022 – Information Security Management Systems – The ISMS standard with the referenced Annex A controls.
  4. ENISA – Implementing Guidance on NIS2 Security Measures – ENISA's implementation guidance on all ten measures.
  5. ENISA – NIS2 Requirements Mapping to ISO 27001 – Mapping between NIS2 requirements and ISO 27001 controls.
