Free self-assessment
Is your company NIS2-ready?
Question 1 / 200%
Question 1 / 20
What sector does your company operate in?
NIS2 primarily applies to companies in critical and important sectors.
Question 2 / 20
How large is your company?
NIS2 generally applies to medium and large companies.
Question 3 / 20
Do you have a written information security policy and risk management framework?
NIS2 Art. 21.2a requires documented risk analysis and security policies.
Question 4 / 20
Do you conduct regular information security risk assessments (e.g. per ISO 27005)?
Risk assessment is the foundation of NIS2 compliance — without it you do not know what to protect.
Question 5 / 20
Do you have a documented procedure for handling cyber incidents?
NIS2 requires initial notification within 24 hours, interim report within 72 hours, final report within 30 days.
Question 6 / 20
Do you have tools for detecting and logging cyber incidents?
Without logging you cannot detect an incident or meet the 24-hour reporting deadline.
Question 7 / 20
Do you have a Business Continuity Plan (BCP)?
NIS2 Art. 21.2c requires backup management, disaster recovery and business continuity planning.
Question 8 / 20
Are backups taken regularly and is restoration tested?
An untested backup is not a backup — it is hope.
Question 9 / 20
Have you assessed the cybersecurity posture of your critical suppliers?
NIS2 Art. 21.2d extends responsibility to suppliers — their vulnerabilities are your risk.
Question 10 / 20
Do your IT supplier contracts include security and incident notification requirements?
Without contractual security obligations you cannot get the information you need from a supplier during an incident.
Question 11 / 20
Do you have a process for managing software vulnerabilities and security patches?
Unpatched systems are a primary target for cyber attackers.
Question 12 / 20
Do you have an up-to-date inventory of all IT assets (devices, software, data)?
You cannot protect what you do not know exists — asset inventory is the foundation of security.
Question 13 / 20
Do you conduct regular security audits, penetration tests or other effectiveness assessments?
NIS2 Art. 21.2f requires you to assess the actual effectiveness of your security measures.
Question 14 / 20
Do staff receive regular cybersecurity training?
Human error is the largest security risk — training significantly reduces it.
Question 15 / 20
Has management received cybersecurity training and does it understand its NIS2 liability?
NIS2 places personal liability on management — ignorance is not a defence.
Question 16 / 20
Are sensitive data encrypted both in transit and at rest?
NIS2 Art. 21.2h requires the use of cryptography to protect data.
Question 17 / 20
Is multi-factor authentication (MFA) deployed on all critical systems?
NIS2 Art. 21.2i requires strong authentication — a password alone is not sufficient.
Question 18 / 20
Are access rights based on the least-privilege principle and reviewed regularly?
Overly broad permissions significantly expand the attack surface.
Question 19 / 20
Are background checks conducted before granting access to sensitive systems?
Personnel risk is one of the underestimated elements of NIS2 requirements.
Question 20 / 20
Has your organisation designated a person responsible for information security and NIS2 compliance?
Clear assignment of responsibility is a prerequisite for NIS2 implementation.
–
Critical
–
Needs attention
–
OK
Get personalised recommendations
Enter your details and I will follow up — we review the results and plan the next steps together.