Important Entities Quiz

1 / 24

Is there a specific individual (e.g., a board member, senior manager) formally accountable for overall cybersecurity and compliance with NIS2?

Example: A board explicitly assigns the CFO to champion cybersecurity, ensuring it’s on every quarterly meeting agenda.
Regulatory Mapping: Article 20 (Management Body Responsibility).

2 / 24

Does the board (or top leadership) regularly review cybersecurity risks, incidents, and progress on NIS2-related actions?

Example: The board reviews a monthly or quarterly dashboard showing key risk indicators and ongoing security initiatives.
Regulatory Mapping: Article 20 (Top Management Engagement).

3 / 24

Are key security policies (e.g., incident response, data protection) officially approved by senior executives or the board?

Example: The CEO signs off on an updated cybersecurity policy, and it’s circulated to all staff with a covering note.
Regulatory Mapping: Article 21 (Information System Security Policies).

4 / 24

Are senior leaders aware of the key obligations under NIS2, including potential penalties for non-compliance?

Example: A short “NIS2 overview” briefing is held for top managers to clarify requirements and penalties.
Regulatory Mapping: Article 20 (Management Body’s Role).

5 / 24

Have you identified your main cyber risks (e.g., ransomware, data breaches) and ranked them in terms of likelihood and impact?

Example: A manufacturing firm recognizes ransomware as the top threat and invests in robust backups and endpoint security.
Regulatory Mapping: Article 21 (Risk Analysis & Security Policies).

6 / 24

Is there a process to evaluate, track, and address cybersecurity risks on a regular schedule (e.g., annually)?

Example: A risk register is updated quarterly, with action plans for each identified risk.
Regulatory Mapping: Article 21 (Appropriate Risk Management Measures).

7 / 24

Do you verify that critical suppliers (e.g., IT providers, cloud services) also follow reasonable security measures?

Example: A healthcare provider requires a cloud vendor to show ISO 27001 certification and sign breach notification clauses.
Regulatory Mapping: Article 21 & Recital 54 (Supply Chain Security).

8 / 24

Do you revisit your risk assessments and supply chain risks at least once a year or after major changes?

Example: After adopting a new CRM system, the company updates its risk assessment to account for SaaS-based exposures.
Regulatory Mapping: Article 21 (Continuous Risk Management).

9 / 24

Do employees have clear, written guidelines (e.g., a security policy) on acceptable use, data handling, and reporting incidents?

Example: Staff must confirm they’ve read the latest “Cybersecurity Policy” each year, covering do’s and don’ts.
Regulatory Mapping: Article 21 (Information System Security Policies).

10 / 24

Are user accounts unique (no shared logins) and tied to the correct level of access (e.g., least privilege)?

Example: The finance system requires each user to have a personal login with only the permissions they need.
Regulatory Mapping: Article 21 (Access Control Measures).

11 / 24

Do staff and administrators use at least one additional factor beyond passwords to access critical systems or data?

Example: Employees must enter a one-time code (via phone app) to log into the company’s HR portal.
Regulatory Mapping: Article 21 (Technical and Organizational Security Measures).

12 / 24

Are admin or “super-user” accounts carefully controlled, monitored, and restricted to specific personnel?

Example: Only two IT managers have server admin rights, and their access is logged and reviewed monthly.
Regulatory Mapping: Article 21 (Access Security).

13 / 24

Is there a written plan that explains what to do if a cyber incident occurs, who to contact, and how to contain the issue?

Example: A simple checklist shows “isolate infected machine, notify IT lead, inform top management, consider contacting law enforcement.”
Regulatory Mapping: Article 23 (Incident Handling).

14 / 24

Do you know when and how to inform relevant authorities (e.g., national CSIRT) and affected customers/partners, as required by NIS2?

Example: A healthcare provider has a communication protocol for data breaches—who calls the data protection authority, how quickly, etc.
Regulatory Mapping: Articles 30–33 (Reporting Obligations).

15 / 24

Are there regular backups of critical data, and do you test restoring them to ensure quick recovery in events like ransomware?

Example: A construction firm takes daily encrypted backups to the cloud, with quarterly test restores to confirm data integrity.
Regulatory Mapping: Article 21 (Continuity of Operations).

16 / 24

Does your plan specify who communicates with staff, customers, media, and/or legal authorities during an incident, and in what order?

Example: A small retail chain’s incident response plan (IRP) calls for the CEO to approve all external statements; an internal phone tree notifies store managers.
Regulatory Mapping: Article 23 (Incident Handling - Communication).

17 / 24

Do all employees (including contractors) receive basic cybersecurity training (e.g., phishing awareness) at least once a year?

Example: An annual 30-minute online course explains how to spot and report suspicious emails.
Regulatory Mapping: Article 20 (Training Requirements).

18 / 24

Do senior managers or executives receive enhanced training or briefings on strategic cyber risks and NIS2 obligations?

Example: Quarterly briefings for executives include recent incidents, major threat trends, and compliance updates.
Regulatory Mapping: Article 20 (Top Management Engagement).

19 / 24

Do you conduct simulated phishing exercises to test and improve staff vigilance?

Example: A marketing agency sends mock “phishing” emails once a quarter and tracks click rates to identify who needs extra training.
Regulatory Mapping: Article 20 (Security Awareness Measures).

20 / 24

Do employees periodically re-confirm they understand and will follow the organization’s security policies?

Example: Employees must digitally sign a short “responsible use” acknowledgment each year.
Regulatory Mapping: Article 21 (Information Security Policies).

21 / 24

Are critical systems (e.g., servers, financial databases) monitored with basic logging to detect unusual activity or breaches?

Example: A finance system records every login attempt and flags multiple failed attempts for immediate review.
Regulatory Mapping: Article 21 (Monitoring, Auditing, and Logging Requirements).
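
The failed-login check in the example above, written out as an added illustration (this code is not part of the quiz or of any NIS2 text): it parses a constructed audit-log format (the line layout, user names, addresses and timestamps are all made up for this example), counts authentication failures per account inside a sliding time window, and returns the accounts that cross a review threshold so an administrator can look at them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines for this example (not from any real system).
# Assumed line format: "<ISO timestamp> user=<name> result=<SUCCESS|FAILURE> src=<ip>"
SAMPLE_LOG = """\
2024-03-04T09:00:05 user=alice result=SUCCESS src=10.0.0.12
2024-03-04T09:01:10 user=bob result=FAILURE src=10.0.0.40
2024-03-04T09:01:22 user=bob result=FAILURE src=10.0.0.40
2024-03-04T09:01:35 user=bob result=FAILURE src=10.0.0.40
2024-03-04T09:01:48 user=bob result=FAILURE src=10.0.0.40
2024-03-04T09:02:01 user=bob result=FAILURE src=10.0.0.40
2024-03-04T09:15:00 user=carol result=FAILURE src=10.0.0.77
2024-03-04T09:40:00 user=carol result=FAILURE src=10.0.0.77
2024-03-04T10:10:00 user=carol result=FAILURE src=10.0.0.77
2024-03-04T10:10:30 user=carol result=SUCCESS src=10.0.0.77
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(SUCCESS|FAILURE) src=(\S+)$")


def parse_log(text):
    """Yield (timestamp, user, result, src) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: ignore rather than crash the review job
        ts = datetime.fromisoformat(m.group(1))
        yield ts, m.group(2), m.group(3), m.group(4)


def flag_failed_logins(text, threshold=5, window=timedelta(minutes=10)):
    """Return {user: (count, first_ts, last_ts)} for every account that has at
    least `threshold` failed logins inside any `window`-long span of time.

    A sliding window is used so that a slow trickle of failures spread over
    hours (carol in the sample) is not confused with a burst (bob)."""
    failures = defaultdict(list)
    for ts, user, result, _src in parse_log(text):
        if result == "FAILURE":
            failures[user].append(ts)

    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span [start, end] fits in `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = (count, times[start], times[end])
                break  # one hit per account is enough to queue it for review
    return flagged


if __name__ == "__main__":
    for user, (count, first, last) in flag_failed_logins(SAMPLE_LOG).items():
        print(f"REVIEW: {user} had {count} failed logins between {first} and {last}")
```

With the sample data only `bob` is reported (five failures in under a minute); `carol`'s three failures over 55 minutes stay below the threshold for any 10-minute window. The threshold and window are parameters so the same function can be tuned per system; the source address is parsed but not used here, and a real review process would also want it in the output.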

22 / 24

Do you promptly apply security updates (patches) for operating systems and software, and check for known vulnerabilities?

Example: A monthly patch cycle ensures all laptops, desktops, and servers run the latest security updates.
Regulatory Mapping: Article 21 (Technical Measures & Vulnerability Handling).

23 / 24

Is sensitive data (customer information, financial records) encrypted, especially during transmission (e.g., over email or web) and stored securely (e.g., in the cloud)?

Example: A law office uses an encrypted file transfer service and ensures client files are always stored on encrypted drives.
Regulatory Mapping: Article 21 (Protection of Data & Systems).

24 / 24

Have you classified the types of data you hold (e.g., confidential, internal, public) and given staff simple rules on how each category should be handled?

Example: A small marketing firm labels documents “Confidential,” “Internal,” or “Public,” with instructions on each label’s handling rules.
Regulatory Mapping: Article 21 (Information System Security Policies).