Free self-assessment

Is your company NIS2-ready?

20 questions · ~8 minutes · All NIS2 Art. 21 areas covered Anonymous — no data collected
Question 1 / 200%
Question 1 / 20
What sector does your company operate in?
NIS2 primarily applies to companies in critical and important sectors.
Energy, transport, healthcare, banking, financial market infrastructure, drinking water, digital infrastructure, public administration
Definitely in scope
IT services, cloud, data centres, food, chemicals, waste management, postal, digital services, manufacturing
Likely in scope
Other sector (retail, construction, real estate, etc.)
Likely out of scope
Question 2 / 20
How large is your company?
NIS2 generally applies to medium and large companies.
250+ employees or turnover over €50m
Essential entity
50–249 employees or turnover €10–50m
Important entity
10–49 employees or turnover €2–10m
May be in scope
Fewer than 10 employees and turnover under €2m
Micro — generally out of scope
Question 3 / 20
Do you have a written information security policy and risk management framework?
NIS2 Art. 21.2a requires documented risk analysis and security policies.
Yes — current, reviewed within the last 12 months
In order
Exists but over 2 years old and not updated
Needs updating
No — no written policy exists
Critical gap
Question 4 / 20
Do you conduct regular information security risk assessments (e.g. per ISO 27005)?
Risk assessment is the foundation of NIS2 compliance — without it you do not know what to protect.
Yes — at least annually, results documented
Very good
Done once but not on a regular basis
Insufficient
No — no risk assessments are carried out
Critical gap
Question 5 / 20
Do you have a documented procedure for handling cyber incidents?
NIS2 requires initial notification within 24 hours, interim report within 72 hours, final report within 30 days.
Yes — procedure documented, staff trained, reporting templates in place
In order
Procedure exists but reporting timelines are unclear
Needs completing
No — incidents are handled ad hoc
Critical gap
Question 6 / 20
Do you have tools for detecting and logging cyber incidents?
Without logging you cannot detect an incident or meet the 24-hour reporting deadline.
Yes — SIEM, audit logs or other detection system in use
In order
Some logs exist but no centralised detection
Needs improvement
No — cyber incidents are not systematically monitored
Critical gap
Question 7 / 20
Do you have a Business Continuity Plan (BCP)?
NIS2 Art. 21.2c requires backup management, disaster recovery and business continuity planning.
Yes — documented, tested and communicated to staff
In order
Exists but not tested or updated
Insufficient
No — no BCP exists
Critical gap
Question 8 / 20
Are backups taken regularly and is restoration tested?
An untested backup is not a backup — it is hope.
Yes — automated backups, restoration tested within the last 6 months
In order
Backups taken but restoration never tested
Needs attention
Backups are irregular or absent
Critical gap
Question 9 / 20
Have you assessed the cybersecurity posture of your critical suppliers?
NIS2 Art. 21.2d extends responsibility to suppliers — their vulnerabilities are your risk.
Yes — suppliers classified by criticality, high-risk suppliers assessed
In order
Some suppliers assessed but not systematically
Needs expanding
No — supply chain security risks not assessed
Critical gap
Question 10 / 20
Do your IT supplier contracts include security and incident notification requirements?
Without contractual security obligations you cannot get the information you need from a supplier during an incident.
Yes — all critical IT contracts include security requirements and notification obligations
In order
Some contracts include them, others do not
Needs completing
No — contracts contain no security obligations
Gap
Question 11 / 20
Do you have a process for managing software vulnerabilities and security patches?
Unpatched systems are a primary target for cyber attackers.
Yes — vulnerabilities scanned regularly, patches applied within defined SLA
In order
Patches applied but process is irregular
Needs improving
No — vulnerability management does not happen systematically
Critical gap
Question 12 / 20
Do you have an up-to-date inventory of all IT assets (devices, software, data)?
You cannot protect what you do not know exists — asset inventory is the foundation of security.
Yes — current asset register maintained and continuously updated
In order
Partial inventory exists but not complete or current
Needs completing
No — no asset inventory
Critical gap
Question 13 / 20
Do you conduct regular security audits, penetration tests or other effectiveness assessments?
NIS2 Art. 21.2f requires you to assess the actual effectiveness of your security measures.
Yes — audits and/or pentests carried out at least annually
Very good
Done once but not on a regular basis
Insufficient
No — no security effectiveness assessment takes place
Gap
Question 14 / 20
Do staff receive regular cybersecurity training?
Human error is the largest security risk — training significantly reduces it.
Yes — annual training including phishing simulations
Very good
One-off onboarding training for new staff only
Insufficient
No — no cybersecurity training takes place
Critical gap
Question 15 / 20
Has management received cybersecurity training and does it understand its NIS2 liability?
NIS2 places personal liability on management — ignorance is not a defence.
Yes — management trained and has formally approved security measures
Very good
Management is aware but no formal approval given
Needs attention
No — management has not received cybersecurity training
Personal liability risk
Question 16 / 20
Are sensitive data encrypted both in transit and at rest?
NIS2 Art. 21.2h requires the use of cryptography to protect data.
Yes — TLS/HTTPS in transit, encryption in databases and on devices
In order
Encrypted in transit but not fully at rest
Partial
No — sensitive data not systematically encrypted
Critical gap
Question 17 / 20
Is multi-factor authentication (MFA) deployed on all critical systems?
NIS2 Art. 21.2i requires strong authentication — a password alone is not sufficient.
Yes — MFA active on all critical systems including email, VPN, cloud services
In order
MFA on some systems but not all critical ones
Needs expanding
No — MFA not used
Critical gap
Question 18 / 20
Are access rights based on the least-privilege principle and reviewed regularly?
Overly broad permissions significantly expand the attack surface.
Yes — role-based access, reviewed at least annually
In order
Role-based but reviews are irregular
Needs improving
No — many users have excessive or never-reviewed permissions
Critical gap
Question 19 / 20
Are background checks conducted before granting access to sensitive systems?
Personnel risk is one of the underestimated elements of NIS2 requirements.
Yes — background checks are standard for sensitive roles
In order
Done for some roles but not systematically
Partial
No — no background checks conducted
Gap
Question 20 / 20
Has your organisation designated a person responsible for information security and NIS2 compliance?
Clear assignment of responsibility is a prerequisite for NIS2 implementation.
Yes — CISO, IT manager or other responsible person formally designated
In order
Responsibility informally understood but not formally assigned
Needs clarifying
No — nobody is formally responsible for information security
Critical gap
Critical
Needs attention
OK

Get personalised recommendations

Enter your details and I will follow up — we review the results and plan the next steps together.

Prefer to book directly? Reserve a 30-min call →