What Is the NIS2 Directive?
The NIS2 Directive (Network and Information Security Directive 2) is the European Union’s primary legislation for cybersecurity. It replaced the original NIS Directive in January 2023 and significantly expanded both the scope of organisations covered and the obligations they must meet. The transposition deadline for EU member states was October 2024, and enforcement is now active.
NIS2 requires covered organisations to implement risk-based cybersecurity measures, establish clear governance and accountability at board level, build incident detection and reporting capabilities, and manage cybersecurity risk across their supply chains. It applies to a wide range of sectors, including energy, transport, banking, health, digital infrastructure, managed IT services and cloud platforms, and extends to both large organisations and many medium-sized companies operating in those sectors.
What Is the NIS2 10-Point Self-Assessment?
This free checklist gives you a fast, structured way to evaluate your organisation’s readiness across the ten areas that NIS2 most directly requires you to evidence. Each question maps to a real obligation under the Directive, from governance and risk management to incident reporting timelines, supply chain controls and continuous improvement. Complete it and you will have a clear view of your current maturity level, a score that indicates your overall risk exposure, and a prioritised picture of where to focus first.
Who Is This Self-Assessment For?
This checklist is designed for compliance officers and legal teams conducting an initial NIS2 gap review, security managers and CTOs preparing for a supervisory authority audit, board members and senior management who need a fast overview of their organisation’s exposure, and external advisers running readiness checks on behalf of clients. It is also useful for organisations that are not yet certain whether they fall in scope and want a structured way to find out.
Benefits of NIS2 Compliance
Treating NIS2 as an opportunity rather than a burden pays off in practical terms. Organisations that can demonstrate NIS2 compliance strengthen their position in enterprise sales conversations and public tenders, where many buyers and procurement bodies now require evidence of cybersecurity maturity as a condition of doing business.
Compliance also reduces the risk of fines, which for essential entities can reach €10 million or 2% of total worldwide annual turnover, and of the operational disruption and reputational damage that follows a serious incident.
Beyond risk reduction, a well-implemented NIS2 programme builds internal resilience and gives boards the visibility they need to make informed decisions about cybersecurity risk.
How PrivaLex Can Help
At PrivaLex Partners we support organisations across the full NIS2 compliance journey, from initial scope determination and gap assessment through to control implementation, policy documentation, supply chain reviews and audit preparation.
Our approach is adapted to your sector, your size and your current maturity level. We focus on building controls that are proportionate to your actual risk profile, not on generating paperwork. For organisations that need ongoing support, we provide continuous compliance advisory services that keep your NIS2 posture current as your operations and the regulatory environment evolve.
Download the self-assessment to see where you stand today. Then contact PrivaLex for a free initial consultation to understand what a realistic, prioritised path to NIS2 compliance looks like for your organisation.
Frequently Asked Questions (FAQs)
Is NIS2 already in force?
Yes. The NIS2 Directive entered into force in January 2023 and the transposition deadline for EU member states was October 2024. Most member states have now incorporated it into national law and enforcement authorities are applying the requirements. If your organisation is in scope, compliance obligations are active now, not upcoming.
How do I know if my company is in scope for NIS2?
NIS2 covers organisations operating in sectors listed in Annexes I and II of the Directive, including energy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure, managed services, and several others. Both essential and important entity classifications apply depending on sector and size. If you are unsure whether your organisation is in scope, the first question in this checklist is your starting point, and PrivaLex can carry out a formal scope determination as part of an initial assessment.
What is the difference between an essential and an important entity under NIS2?
Essential entities are generally large organisations in highly critical sectors such as energy, transport, banking, health and digital infrastructure. Important entities cover a broader set of sectors and typically include medium-sized companies meeting certain thresholds. The distinction matters because supervisory regimes differ: essential entities are subject to proactive oversight, while important entities are subject to reactive supervision. Penalties also differ: essential entities face higher maximum fines.
What happens if my organisation is non-compliant with NIS2?
National supervisory authorities can impose a range of enforcement measures, including binding instructions, remediation orders and financial penalties. For essential entities, fines can reach €10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities the ceiling is €7 million or 1.4% of turnover. In serious cases, authorities can also temporarily restrict the functions of responsible management.
How long does NIS2 compliance take?
It depends on your starting point. Organisations with existing ISO 27001 certification or a mature security management system can often close the NIS2 gap in a matter of weeks. Organisations starting from a low baseline should plan for a structured programme of several months. The score from this self-assessment gives you the first data point you need to estimate where you sit and what a realistic roadmap looks like.