NIS2 checklist for SMEs
A practical NIS2 checklist for SMEs covering scoping, Article 21 controls, incident reporting, supply-chain security, management accountability and evidence.
Direct answer
A NIS2 checklist for SMEs should cover applicability, entity category, management accountability, cybersecurity risk policies, incident response, business continuity, supplier security, vulnerability handling, access controls, training and reporting timelines. The evidence should show how controls work before an incident occurs.
What should be on a NIS2 checklist for SMEs?
- Risk analysis
- Incident handling
- Supplier security
- Management approval
| Topic | Detail |
|---|---|
| Control anchor | Article 21 cybersecurity risk-management measures |
| Reporting anchor | Article 23 reporting obligations |
| Customer angle | Enterprise buyers may require NIS2-aligned supplier evidence |
The 24-hour early warning window is too short to design during a live event.
Action checklist
| Action | Anchor |
|---|---|
| Keep a current risk register for systems and services. | Article 21 |
| Define severity triggers, roles and reporting templates. | Article 23 |
| Classify critical vendors and request security evidence. | Article 21 |
| Record board or management review of cybersecurity measures. | Article 20 |
Key deadlines
| Date | Requirement | Source |
|---|---|---|
| Before incident | Prepare reporting workflow. The 24-hour early warning window is too short to design during a live event. | European Commission NIS2 guidance |
30/60/90-day action plan
- First 30 days: Confirm scope and assign an owner. Evidence needed: applicability note, business owner, systems or product list, and source links.
- Days 31-60: Close the evidence gaps. Evidence needed: policies, supplier records, data maps, technical notes, training records, or process owners.
- Days 61-90: Prepare for audit or customer review. Evidence needed: versioned compliance file, action log, exception register, and next review date.
Evidence to retain
- Applicability decision: shows whether NIS2 applies to the SME and why it reached that decision. Retain: scope memo, trigger criteria, country notes, owner approval, and review date.
- Action owner list: regulators and enterprise customers expect named accountability, not generic intent. Retain: owner, backup owner, due date, status, and unresolved blocker notes.
- Evidence folder: the fastest way to answer customer due diligence is a single audit-ready evidence file. Retain: policies, screenshots, registers, exports, supplier responses, and training records.
SME questions answered
What documents prove NIS2 readiness?
Risk policy, incident plan, continuity plan, supplier register, access-control policy, training records and management approval are core evidence.
Is ISO 27001 enough for NIS2?
ISO 27001 can provide useful evidence, but SMEs still need to map NIS2-specific scope, reporting and national requirements.
Turn this guide into a tracked action plan
Start with the Regulation Checker, save the result, and import the action plan into your EuroComply dashboard when you are ready to assign owners.
Informational only. This page is not legal advice and does not replace a qualified legal review of your business, systems, products or employment practices.