The Network and Information Security Directive 2 (NIS2 — Directive EU 2022/2555) came into force across EU member states by October 2024, replacing the original NIS Directive with significantly expanded scope, stricter obligations, and personal liability for management bodies. If your organization operates critical infrastructure, essential services, or important entity functions within the EU — or supplies services to those that do — NIS2 compliance is not optional. This guide walks through how to conduct a structured NIS2 readiness assessment in 2026.

What Is NIS2 and Who Does It Apply To?

NIS2 applies to two categories of entities: Essential Entities (EE) and Important Entities (IE). Essential entities include operators in energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space sectors. Important entities encompass postal and courier services, waste management, chemical manufacturing, food production, medical device manufacturing, digital providers, and research organizations.

The directive uses a size-based threshold: organizations with 250 or more employees, or with annual turnover above €50M and a balance sheet total above €43M, are automatically in scope for essential or important classification. Member states may lower these thresholds for critical-sector operators regardless of size.

Unlike the original NIS Directive, NIS2 explicitly holds management bodies personally liable for non-compliance. Senior executives can face temporary bans from management roles, and fines for essential entities can reach €10 million or 2% of global annual turnover — whichever is higher. For important entities, the cap is €7 million or 1.4% of turnover.

The Core Obligations: Article 21 Security Measures

Article 21 of NIS2 mandates that in-scope entities implement "appropriate and proportionate technical, operational and organizational measures" to manage cybersecurity risks. These measures must address at least the following ten areas:

1. Risk Analysis and Information Security Policies

Organizations must have a formal risk management framework with documented information security policies covering governance, roles, and responsibilities. This includes regular risk assessments that identify threats to network and information systems used for service delivery.

2. Incident Handling

NIS2 requires entities to establish, test, and maintain incident response plans. The directive introduces a three-stage notification regime: an early warning to the competent authority within 24 hours of becoming aware of a significant incident, a full incident notification within 72 hours, and a final report within one month. "Significant" is defined as an incident that causes or is likely to cause severe operational disruption or financial loss.

3. Business Continuity and Crisis Management

Entities must have tested business continuity plans (BCPs) and crisis management procedures that cover backup management, disaster recovery, and restoration of systems. Untested BCPs are one of the most commonly cited gaps during NIS2 readiness assessments.

4. Supply Chain Security

Organizations must assess and manage cybersecurity risks introduced by their suppliers and service providers. This includes contractual obligations on third parties, supplier risk assessments, and monitoring of the overall supply chain — not just Tier 1 suppliers.

5. Security in Network and Information Systems Acquisition

Security requirements must be embedded in the procurement, development, and maintenance lifecycle of network and information systems. This includes vulnerability handling policies and coordinated vulnerability disclosure procedures.

6. Policies and Procedures for Assessing Security Measures

Entities must have procedures to evaluate the effectiveness of their cybersecurity measures. This typically includes regular audits, penetration testing, and threat intelligence integration — and for certain essential entities, TLPT (Threat-Led Penetration Testing) under DORA-equivalent frameworks.

7. Cyber Hygiene and Training

Basic cyber hygiene practices — including patching cadences, access control policies, multi-factor authentication, and privileged access management — must be documented and enforced. Security awareness training for all personnel, including executives, is mandatory.

8. Cryptography and Encryption

Use of cryptography and, where appropriate, encryption must be addressed in security policies. Organizations must have a documented approach to key management, certificate lifecycle, and appropriate encryption standards for data at rest and in transit.

9. Human Resources Security, Access Control, and Asset Management

NIS2 requires formal processes for onboarding, offboarding, and monitoring of personnel with access to critical systems. This includes background verification, least-privilege access control, and a comprehensive asset inventory of network and information systems.

10. Multi-Factor Authentication and Secured Communications

Multi-factor authentication (MFA) must be deployed for access to network and information systems wherever appropriate. Entities must also address secured voice, video, and text communications in high-sensitivity contexts, as well as secured emergency communications.

Most Common NIS2 Compliance Gaps in 2026

Based on NIS2 readiness engagements across critical infrastructure sectors, the following gaps appear most frequently:

How to Conduct a NIS2 Readiness Assessment

A structured NIS2 readiness assessment follows five steps:

  1. Scope determination: Confirm whether your organization qualifies as an Essential Entity or Important Entity. Review your sector classification and size thresholds against your member state's transposition law.
  2. Gap analysis against Article 21: Map your current policies, procedures, and technical controls against each of the ten Article 21 security measure categories. Identify gaps with a traffic-light rating (compliant / partial / absent).
  3. Risk assessment: Perform or update a risk assessment covering threats and vulnerabilities to your network and information systems. Document likelihood, impact, and risk treatment decisions.
  4. Incident response exercise: Run a tabletop exercise simulating a significant cybersecurity incident. Test your early warning, 72-hour notification, and crisis management procedures. Document lessons learned.
  5. Remediation roadmap: Prioritize gaps by severity and create a remediation roadmap with ownership, milestones, and resource requirements. Report progress to the management body quarterly.

NIS2 Compliance Checklist: 10 Key Items

NIS2 Article 21 Readiness Checklist

Preparing for NIS2 Tabletop Exercises

NIS2 explicitly requires that incident response capabilities be demonstrated — not merely documented. The most effective way to validate your readiness is through a structured cybersecurity tabletop exercise that simulates a significant incident, tests your 24-hour early warning process, exercises your crisis communications, and verifies that your supply chain escalation paths are understood by all participants.

Tabletop exercises designed for NIS2 compliance should simulate realistic scenarios such as a ransomware attack on critical infrastructure, a supply chain compromise through a managed service provider, or a DDoS attack causing service disruption to essential services. Each exercise should test detection timing (can you identify a significant incident quickly enough to meet the 24-hour early warning window?), notification procedures, and management body engagement.

For organizations in OT/ICS sectors — energy, water, transport — exercises should also address the operational impact of cyber events on physical processes, which is a unique challenge that generic IT-focused exercises do not address adequately.

Next Steps: From Assessment to Compliance

The NIS2 readiness journey does not end with a gap analysis. Competent authorities in EU member states are actively conducting audits, requesting evidence of compliance, and issuing enforcement actions. The practical path forward involves three parallel workstreams: governance uplift (ensuring management body engagement and approval of security measures), technical remediation (closing identified control gaps with prioritized investments), and operational validation (running tabletop exercises and testing your incident response procedures under realistic conditions).

Organizations that begin with a structured assessment — mapping their current state against Article 21, identifying the highest-risk gaps, and building a credible remediation roadmap — are significantly better positioned for both regulatory scrutiny and real-world cyber incidents.