A NIS2 compliance checklist for 2026
A practical checklist to move from 'we think we're in scope' to 'we can prove it', without boiling the ocean.
1. Confirm your scope and register
Determine whether you're an essential or important entity (sector in Annex I or II plus the size threshold), and register with the relevant national authority where required. Don't skip the exceptions where size does not matter (for example DNS and TLD registry operators, trust service providers, and sole providers of a service essential to society): those entities are in scope regardless of headcount or turnover.
2. Put governance in place
Article 20 makes the management body responsible. Assign clear ownership, get the board to approve the risk-management approach, and ensure leadership receives cybersecurity training. Document it.
3. Build a current asset inventory
You can't secure or evidence what you can't see. Establish a live, reconciled inventory of systems, services and dependencies; this underpins almost every Article 21 measure.
4. Implement the Article 21 measures
- Risk analysis and security policies; incident handling; business continuity and backups.
- Supply-chain security; secure development and vulnerability handling.
- Cyber hygiene and training; cryptography; access control and asset management; MFA.
- Crucially: set up a way to assess the measures' effectiveness (point (f) of Article 21(2)). Without it you cannot show the measures work, only that they exist.
5. Stand up incident reporting
Prepare for the Article 23 timeline before you need it: know your CSIRT (or competent authority) channel, pre-build the templates for the 24-hour early warning, the 72-hour incident notification and the final report due within one month, and rehearse who does what so the clock doesn't beat you.
6. Keep evidence continuous
Treat compliance as a living state, not an annual project. Maintain a hash-chained audit trail (each entry commits to the previous one, so editing or deleting history breaks the chain) and a readiness score you can show at any time; that's what turns an audit from a scramble into a query.
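To make the "hash-chained audit trail" concrete, here is an added example (not code from the checklist or from Alexus) of the minimal mechanism: each entry stores the hash of the previous entry and a SHA-256 over that hash plus the canonical JSON of its own record, and a verifier recomputes the chain from genesis. The sample records are constructed for illustration. It also demonstrates the caveat a reviewer will raise: chaining alone does not detect truncation of the tail, so the current head hash has to be anchored somewhere the writer cannot alter (a signed timestamp, a separate system, a published value); the `expected_head` parameter stands in for that anchor.

```python
import copy
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value for the first entry


def canonical(record: dict) -> bytes:
    # Deterministic encoding: fixed key order and separators so the same
    # record always produces the same bytes and therefore the same hash.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, record: dict) -> str:
    # Commit to the previous entry's hash and this entry's content together.
    return hashlib.sha256(prev_hash.encode() + b"\n" + canonical(record)).hexdigest()


@dataclass
class AuditTrail:
    entries: List[dict] = field(default_factory=list)

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "prev": prev,
            "record": record,
            "hash": entry_hash(prev, record),
        }
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        # The value to anchor externally after every write (or batch of writes).
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries: List[dict], expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Recompute the chain from genesis.

    Returns (True, None) if every entry links and hashes correctly and, when an
    anchored head is supplied, the chain ends at it. Otherwise returns
    (False, index of the first entry that fails); an index equal to
    len(entries) means the chain is internally consistent but its head does
    not match the anchor, i.e. entries were dropped from the tail.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != entry_hash(prev, e["record"]):
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def build_sample_trail() -> AuditTrail:
    # Constructed sample evidence records (not real data).
    trail = AuditTrail()
    trail.append({"ts": "2026-01-05T09:00:00Z", "actor": "ciso", "event": "policy_approved", "ref": "RM-POLICY-v3"})
    trail.append({"ts": "2026-01-12T14:30:00Z", "actor": "it-ops", "event": "mfa_enforced", "scope": "all-admins"})
    trail.append({"ts": "2026-02-01T08:15:00Z", "actor": "it-ops", "event": "backup_restore_test", "result": "pass"})
    return trail


def tamper(entries: List[dict], idx: int, rehash: bool = False) -> List[dict]:
    # Return a modified copy: flip one field in entry idx. With rehash=True the
    # attacker also recomputes that entry's own hash, which still breaks the
    # link from the next entry.
    bad = copy.deepcopy(entries)
    bad[idx]["record"]["actor"] = "attacker"
    if rehash:
        bad[idx]["hash"] = entry_hash(bad[idx]["prev"], bad[idx]["record"])
    return bad


if __name__ == "__main__":
    t = build_sample_trail()
    print("intact:", verify(t.entries))
    print("edited entry 1:", verify(tamper(t.entries, 1)))
    print("edited + rehashed entry 1:", verify(tamper(t.entries, 1, rehash=True)))
    print("tail dropped, no anchor:", verify(t.entries[:-1]))
    print("tail dropped, anchored head:", verify(t.entries[:-1], expected_head=t.head()))
```

The last two lines of the demo are the point: without an anchored head, deleting the newest entries leaves a chain that still verifies, so the head hash must be recorded outside the trail writer's control each time it advances.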
Alexus was built to do exactly this. This checklist is general guidance, not legal advice; confirm specifics against your national NIS2 transposition.