NIS2 Compliance Checklist for Irish & EU SMEs (2026)
This NIS2 compliance checklist turns the NIS2 Directive — now in force across the EU — into the concrete steps Irish and EU SMEs need to take. NIS2 expects covered organisations to put governance and risk management in place, secure their supply chain, train staff, and report significant incidents fast. Miss it and fines reach €10M or 2% of global turnover, with personal liability for management. Use the checklist below to see what's required, tick off what you already have, and pinpoint the gaps to close first.
Does NIS2 apply to your business?
NIS2 (EU Directive 2022/2555) replaced the original NIS Directive and applies far more widely. As a rule of thumb, you're in scope if you operate in one of the ~18 covered sectors and you're a medium-sized business or larger — generally 50+ employees or €10M+ in annual turnover. Some entities are covered regardless of size (for example, certain digital infrastructure, DNS and trust-service providers).
Covered organisations fall into two tiers:
- Essential entities — energy, transport, banking, financial market infrastructure, health, drinking and waste water, digital infrastructure, public administration, space.
- Important entities — postal and courier services, waste management, chemicals, food, manufacturing (medical devices, electronics, machinery, vehicles), digital providers (online marketplaces, search engines, social platforms), and research.
Even if you're below the threshold, larger customers in scope will push their NIS2 obligations onto you through contracts — so the checklist is worth working through either way.
Not sure whether you're in scope or where you stand? You can run a free NIS2 assessment in about 15 minutes on ShieldIQ — no credit card, no setup call. Start your free NIS2 assessment →
The NIS2 compliance checklist, step by step
1. Governance & accountability
- [ ] Get management on the hook. NIS2 makes the management body approve and oversee cybersecurity risk measures — and personally liable for failures. Assign a named owner at board/senior level.
- [ ] Train the leadership. Management must complete cyber risk training and offer equivalent training to staff.
- [ ] Register with your competent authority. In Ireland this is overseen by the NCSC; identify your regulator and complete any registration/notification required in your sector.
2. Risk management & information security
- [ ] Run a risk assessment covering your systems, data and key services, and keep it current.
- [ ] Document information security policies approved by management (the "policies on risk analysis and information system security" NIS2 expects).
- [ ] Define how you measure effectiveness — policies and procedures to assess whether your controls actually work.
3. Technical & operational controls (Article 21 baseline)
- [ ] Incident handling — detection, response and recovery procedures.
- [ ] Business continuity — backups, disaster recovery and crisis management you have actually tested.
- [ ] Cyber hygiene basics — patching, secure configuration, asset and access management.
- [ ] Multi-factor authentication (MFA) and secured voice/video/text and emergency communications.
- [ ] Cryptography and encryption policies, applied to data at rest and in transit.
- [ ] HR security and access control — least privilege, joiners/movers/leavers, and asset management.
- [ ] Security in acquisition, development and maintenance, including vulnerability handling and disclosure.
4. Supply chain security
- [ ] Map your critical suppliers and service providers.
- [ ] Assess their security — questionnaires, evidence, and contractual security requirements.
- [ ] Track supplier risk over time, not just at onboarding.
5. Incident reporting — know the clock
NIS2 sets a strict, staged timeline for significant incidents:
- [ ] Early warning within 24 hours of becoming aware of a significant incident.
- [ ] Incident notification within 72 hours, with an initial assessment.
- [ ] Final report within one month, covering root cause and mitigations.
- [ ] Have the reporting workflow ready in advance — who decides, who notifies, and the template — so the clock never catches you cold.
6. Penalties — what's at stake
- [ ] Understand the exposure. Essential entities face fines up to €10M or 2% of global annual turnover (whichever is higher); important entities up to €7M or 1.4%. Add management liability and possible suspension of responsible individuals.
How to close the gaps without a dedicated team
Most SMEs already do some of the above — the problem is proving it and spotting what's missing. The fastest way to turn this checklist into a plan is to assess yourself against the NIS2 framework, see your score per area, and let the gaps surface in priority order.
See exactly where you stand against this checklist in about 15 minutes — run a free NIS2 assessment on ShieldIQ, no card required. Start your free NIS2 assessment →
Related reading
- NIS2 vs GDPR vs DORA — how the three EU regimes compare and overlap.
- Building a risk register for an SME.