NIS2 Compliance Self-Assessment
Find out where your organization stands on NIS2 — in 3 minutes.
NIS2 is enforceable across the EU, with penalties reaching €10M or 2% of global turnover for essential entities. This 12-question assessment covers all 10 core NIS2 requirement areas and gives you an instant compliance gap report — so you know exactly where to focus.
What you'll get
- A NIS2 readiness score across all 10 requirement areas
- A compliance gap rating: NIS2 Ready / Partial / Significant Gaps / Non-Compliant
- Recommended next steps tailored to your score
1. Does your organization have a named individual with executive accountability for cybersecurity (e.g. CISO, board-level owner)?
2. Do you have a documented, regularly reviewed cybersecurity risk management policy?
3. Do you have a documented incident response plan that has been tested within the last 12 months?
4. Can your organization detect and report a significant incident to the national authority within 24 hours of becoming aware of it?
5. Do you have tested business continuity and disaster recovery plans covering critical systems and services?
6. Do you formally assess the cybersecurity posture of critical suppliers and third-party service providers?
7. Do you have controls in place to secure your network infrastructure and information systems (e.g. firewalls, segmentation, patching)?
8. Does your organization conduct regular vulnerability scanning and penetration testing?
9. Do you encrypt sensitive data at rest and in transit using current, approved cryptographic standards?
10. Do staff with access to sensitive systems receive regular cybersecurity awareness training?
11. Is multi-factor authentication (MFA) enforced for access to critical systems and remote access?
12. Has your organization formally assessed whether it falls within NIS2 scope, and identified the applicable sector and obligations?
The 10 NIS2 Requirement Areas
NIS2 Article 21 defines 10 areas where organizations must implement appropriate technical and organisational measures. This assessment covers all 10.
Need a full NIS2 compliance assessment?
Atumcell's GRC team delivers formal NIS2 gap assessments with a prioritised remediation roadmap — structured for board reporting and regulatory review.
Frequently asked questions
What is NIS2 and who does it apply to?
NIS2 is the EU's updated Network and Information Security directive, enforceable from October 2024. It applies to medium and large organizations in essential sectors — energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. It also applies to important sectors including postal services, waste management, chemicals, food, manufacturing, digital providers, and research. Organizations in scope face fines of up to €10M or 2% of global turnover (essential entities) or €7M or 1.4% of turnover (important entities).
What are the main NIS2 security requirements?
NIS2 Article 21 requires organizations to implement appropriate technical and organisational measures across 10 areas: risk analysis and information systems security policies; incident handling; business continuity and crisis management; supply chain security; security in network and information systems acquisition; policies and procedures to assess effectiveness of measures; cybersecurity hygiene practices and training; cryptography and encryption; human resources security and access control policies; and use of multi-factor authentication.
What are the NIS2 incident reporting requirements?
Under NIS2, organizations must report significant incidents in a three-stage process: an early warning within 24 hours of becoming aware of the incident; an incident notification with an initial assessment within 72 hours; and a final report within one month of the incident notification. Significant incidents are those causing severe operational disruption, affecting safety, or affecting other organizations or Member States.
How is NIS2 different from the original NIS Directive?
NIS2 significantly expands scope compared to the original NIS Directive. It covers more sectors and more organization sizes (medium-sized and above, not just large operators). It introduces explicit board-level responsibility for cybersecurity, stricter incident reporting timelines, supply chain security requirements, and higher maximum penalties. Member States also have less flexibility in how they implement the directive — harmonisation across the EU is much stricter.