NIS2 compliance checklist for IT teams: what you need to implement in 2026

Nikolai Fomm
COO and co-founder
June 15, 2026

    What is NIS2 compliance, in one paragraph

    NIS2 compliance means meeting the cybersecurity obligations set out in Directive (EU) 2022/2555, the European Union's updated Network and Information Security Directive. In practice, an in-scope organization must implement the ten risk management measures listed in Article 21, report significant incidents within strict deadlines (early warning within 24 hours, a full notification within 72 hours, a final report within one month), and prove that its management body actively oversees cybersecurity. Non-compliance can trigger fines of up to EUR 10 million or 2% of global annual turnover for essential entities, plus personal liability for executives.

    This guide is written for the people who actually have to deliver that on the ground: IT managers, CIOs, IT operations leads and security teams. Most NIS2 content explains the law or sells a gap analysis. Very little of it tells an IT team what to configure, app by app, and what evidence to keep for the auditor. That gap is exactly what this checklist closes.

    We map each NIS2 requirement to a concrete technical control and to the proof you need to produce during supervision. We also flag the one prerequisite that almost every other checklist skips: you cannot secure access, manage identities or document your assets if you do not first have full visibility over the SaaS applications your employees actually use.

    For a higher-level view of what the directive means for your business case and budget, see our companion article on what the NIS2 directive means for your business. This page focuses on implementation.

    Does NIS2 apply to your organization?

    NIS2 applies to essential and important entities that operate in one of 18 critical sectors and meet the size thresholds, generally 50 or more employees, or more than EUR 10 million in annual revenue. The directive distinguishes two categories:

    • Essential entities: medium and large organizations in high-criticality sectors such as energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure and public administration. These face proactive supervision (regular audits, on-site inspections).
    • Important entities: organizations in sectors such as postal services, waste management, chemicals, food production, manufacturing and digital providers. These face reactive supervision (triggered by an incident or evidence of non-compliance).

    A few practical points IT teams should not get wrong:

    • NIS2 is transposed into national law. The directive sets the floor, but the binding rules are the national implementing laws in each member state, and some go beyond the floor. Confirm your classification with your national competent authority.
    • Scope reaches beyond your own entity. Through supply chain obligations, you can be pulled in as a supplier to an in-scope customer even if your own size or sector seems borderline.
    • Already ISO 27001 certified? Good news: a certified ISMS already covers a large share of Article 21. The usual gaps are supply chain security, management accountability, incident reporting timelines and explicit MFA requirements. Treat NIS2 as a mapping exercise on top of your existing controls, not a project from scratch. Our guide on ISO 27001 and IAM covers that overlap in detail.

    The 10 Article 21 measures, translated for IT teams

    Article 21(2) of the directive lists ten minimum cybersecurity risk management measures that both essential and important entities must implement. The measures are deliberately technology-neutral and outcomes-based: the directive tells you what to achieve, not which product to buy. The proportionality principle in Article 21(1) means the depth of each control should match your risk exposure, size and the societal impact of a potential incident.

    The problem for an IT team is that the legal wording is abstract. The table below translates each of the ten measures into the operational reality of running a modern, SaaS-heavy environment.

    NIS2 Article 21 measures translated for IT teams

    | Article 21(2) measure | What the directive asks | What the IT team implements |
    |---|---|---|
    | (a) Risk analysis & security policies | Documented risk analysis and information system security policies. | Recurring risk assessments across apps, identities and suppliers; approved, reviewed policy set. |
    | (b) Incident handling | Procedures to detect, analyze, report and respond to incidents. | Detection and escalation playbooks; pre-built reporting workflows for the 24h / 72h / 1-month deadlines. |
    | (c) Business continuity | Backup management, disaster recovery and crisis management. | Documented and tested backup and restore; defined recovery time objectives; crisis plan with roles. |
    | (d) Supply chain security | Security of relationships with suppliers and service providers. | Supplier risk register; governed and reviewed third-party access; prompt vendor offboarding. |
    | (e) Secure acquisition & development | Security in acquisition, development and maintenance of systems. | Vulnerability handling and disclosure; secure configuration baseline for new tools and apps. |
    | (f) Effectiveness assessment | Policies to assess the effectiveness of risk management measures. | Control testing, internal audits and management review; evidence indexed to each measure. |
    | (g) Cyber hygiene & training | Basic cyber hygiene practices and cybersecurity training. | Recurring staff awareness training with records; dedicated briefings for the management body. |
    | (h) Cryptography & encryption | Policies on the use of cryptography and encryption. | Encryption at rest and TLS in transit; documented crypto and key management policy; EU-aligned hosting. |
    | (i) HR security, access control & asset management | Human resources security, access control policies and asset management. | Live SaaS inventory; least-privilege RBAC; automated access reviews; lifecycle provisioning. |
    | (j) MFA & secure communications | Multi-factor or continuous authentication and secure communications. | MFA enforced on privileged and remote access; SSO consolidation; coverage for non-IdP apps. |

    Notice how many of these measures hinge on identity and access: risk policies, supply chain access, access control, asset management, human resources security, MFA. This is why identity-focused vendors estimate that identity security alone touches around half of the Article 21 measures. For a mid-market IT team, that means your identity and access management approach is not one item on the checklist. It is the spine of the whole program.

    The NIS2 compliance checklist for IT teams

    Below is the full checklist, organized the way an IT team actually works rather than the way the directive is written. Each item states the action to implement and the evidence to keep for supervision. Work through it as a gap analysis: tick what you already have, flag what you do not, and assign an owner to each gap.

    1. Asset and SaaS visibility (the prerequisite nobody mentions)

    You cannot protect, govern or report on what you cannot see. Article 21 requires asset management and an accurate picture of your network and information systems, yet most organizations have no reliable inventory of the SaaS applications in active use. Shadow IT, the apps employees adopt without IT approval, is the single biggest blind spot for NIS2 readiness.

    Implement:

    • Build and maintain a live inventory of every SaaS application, including unsanctioned tools discovered through browser, finance and SSO signals.
    • Map each application to its data sensitivity, its owner and the identities that can access it.
    • Continuously detect new apps as they appear, rather than running a one-off audit that is stale within weeks.

    Evidence to keep: a current application register with discovery dates, owners and risk classification.

    Corma was built around this problem. Our SaaS management solution for full visibility to prevent shadow IT surfaces every application in use, including the ones nobody told you about. If the term is new to you, our explainer on what SaaS sprawl is and how to fix it is a useful starting point.

    2. Access control and identity governance

    Article 21(2)(i) explicitly names access control policies and human resources security. The auditor will want to see that the right people have the right access, that excess access is removed, and that you can prove who can reach what, and why.

    Implement:

    • Apply least-privilege and role-based access control across all applications, not only the ones behind your identity provider.
    • Run periodic user access reviews so application owners recertify who should keep access.
    • Govern access for human and non-human identities (service accounts, API keys, contractors).

    Evidence to keep: access review records with reviewer, date, decision and remediation status.

    Manual access reviews in spreadsheets do not survive an audit. Corma automates them through our IAM solution for automated and compliant access reviews, and our identity governance capability gives you a single, defensible view of access across the stack. For the methodology behind defensible reviews, see our user access reviews roadmap for ISO 27001 compliance.

    3. User provisioning and deprovisioning

    The fastest way to fail an access audit is an offboarded employee who still has live accounts. NIS2 expects access to be granted, changed and revoked in line with the employee lifecycle (the joiner, mover, leaver model).

    Implement:

    • Automate provisioning when someone joins or changes role, so access matches the role from day one.
    • Automate deprovisioning at offboarding across every connected app, ideally on the same day the HR system records the departure.
    • Cover applications that do not support SCIM, SAML or SSO, which are usually where orphaned accounts hide.

    Evidence to keep: provisioning and deprovisioning logs tied to HR events, with timestamps.

    Corma's IAM solution for automated provisioning and onboarding handles the full lifecycle, and our guide on managing identity lifecycle and offboarding for apps that do not support SCIM, SAML or SSO addresses the hardest part of the problem.
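The orphaned-account problem described in this item is easy to check mechanically once you have an HR roster and a per-application account export side by side. The script below is an added illustration, not Corma's code or an output of its product: it reconciles the two sources, reports enabled accounts whose owner has left (with days elapsed since HR recorded the departure) and accounts with no owner in HR at all, and treats service accounts as in scope by looking up their named owner. The roster and export field names, and all people, apps and dates, are constructed assumptions; adapt them to what your HRIS and each application actually export.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    """One row of the HR roster (field names are an assumption about the HRIS export)."""
    email: str
    status: str                 # "active" or "left"
    left_on: Optional[date]     # departure date recorded by HR, if any


@dataclass(frozen=True)
class AppAccount:
    """One account from a per-application user export (assumed format)."""
    app: str
    login: str                  # email for human users, account name for service accounts
    enabled: bool
    kind: str                   # "human" or "service"


@dataclass(frozen=True)
class Finding:
    app: str
    login: str
    issue: str                  # "orphaned" or "unknown_owner"
    days_open: Optional[int]    # orphaned only: days since the HR departure date


def reconcile(hr: List[HrRecord], accounts: List[AppAccount], today: date,
              service_owners: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Return one Finding per enabled account that no valid identity owns.

    orphaned:      the owner has status "left" in HR but the account is still enabled.
    unknown_owner: a human login that is not in the HR roster at all (typical for apps
                   adopted outside IT, where no lifecycle hook exists), or a service
                   account with no recorded owner.
    Service accounts are resolved through the owner map, so a non-human identity whose
    owner has left is reported as orphaned too.
    """
    service_owners = service_owners or {}
    roster = {r.email.lower(): r for r in hr}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                                   # already deprovisioned
        owner = acct.login.lower()
        if acct.kind == "service":
            owner = service_owners.get(acct.login, "").lower()
        rec = roster.get(owner) if owner else None
        if rec is None:
            findings.append(Finding(acct.app, acct.login, "unknown_owner", None))
        elif rec.status == "left":
            days = (today - rec.left_on).days if rec.left_on else None
            findings.append(Finding(acct.app, acct.login, "orphaned", days))
    return sorted(findings, key=lambda f: (f.issue, f.app, f.login))


# Constructed sample data: not real people, applications or dates.
HR_ROSTER = [
    HrRecord("alice@example.com", "active", None),
    HrRecord("bob@example.com", "left", date(2026, 5, 20)),
    HrRecord("carol@example.com", "left", date(2026, 6, 10)),
]
APP_ACCOUNTS = [
    AppAccount("crm", "alice@example.com", True, "human"),
    AppAccount("crm", "bob@example.com", True, "human"),      # left 26 days ago, still enabled
    AppAccount("wiki", "carol@example.com", False, "human"),  # already disabled: fine
    AppAccount("wiki", "dave@example.com", True, "human"),    # not in HR at all
    AppAccount("ci", "deploy-bot", True, "service"),          # owned by carol, who has left
    AppAccount("crm", "svc-sync", True, "service"),           # no recorded owner
]
SERVICE_OWNERS = {"deploy-bot": "carol@example.com"}


def sample_findings() -> List[Finding]:
    """Run the reconciliation over the constructed data as of 2026-06-15."""
    return reconcile(HR_ROSTER, APP_ACCOUNTS, date(2026, 6, 15), SERVICE_OWNERS)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.issue:14} {f.app:5} {f.login:20} days_open={f.days_open}")
```

The `days_open` value is the number an auditor will ask about: the evidence this item calls for is the log showing that revocation followed the HR event on the same day, and any finding with a large gap is exactly the kind of orphaned account that fails the audit.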

    4. Multi-factor authentication and secure access

    Article 21(2)(j) calls out multi-factor authentication or continuous authentication and secured communications. This is one of the gaps that ISO 27001 organizations are most often missing, because ISO treats MFA as a recommended control while NIS2 makes it explicit.

    Implement:

    • Enforce MFA on all privileged and remote access, and extend it as broadly as your tools allow.
    • Use single sign-on to consolidate authentication and reduce password sprawl.
    • Verify that critical applications outside your identity provider are also covered.

    Evidence to keep: MFA coverage report showing enforced applications and exceptions with justification.

    Understanding the protocols that make this work matters here. Our explainer on SCIM vs SAML and which one you need clarifies the standards behind modern provisioning and SSO.
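The evidence this item asks for, an MFA coverage report with justified exceptions, can be generated from the same application inventory built in item 1. The block below is an added example, not Corma's code: it classifies each application against the rule stated above (MFA mandatory on privileged and remote access, recommended elsewhere), accepts an exception only while its documented justification has not expired, and separately lists applications that claim MFA but sit outside the identity provider, because for those the proof has to come from the application's own settings rather than the IdP policy. The inventory fields and every application in the sample are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AppRecord:
    """One application from the inventory (field names are assumptions)."""
    name: str
    privileged: bool                        # admin functions or sensitive data
    remote_access: bool                     # reachable from outside the corporate network
    behind_idp: bool                        # federated through the identity provider
    mfa_enforced: bool
    exception_reason: Optional[str] = None  # documented justification, if MFA is not enforced
    exception_expires: Optional[date] = None


def mfa_coverage(apps: List[AppRecord], today: date) -> Dict[str, object]:
    """Build the coverage report. MFA is mandatory where the app is privileged or
    remotely reachable; elsewhere a missing MFA is only a recommendation."""
    report: Dict[str, object] = {
        "enforced": [], "exceptions": [], "gaps": [], "recommended": [],
        "verify_outside_idp": [], "coverage_pct": 0.0,
    }
    in_scope = mandatory_covered = 0
    for a in apps:
        mandatory = a.privileged or a.remote_access
        in_scope += mandatory
        if a.mfa_enforced:
            report["enforced"].append(a.name)
            mandatory_covered += mandatory
            if not a.behind_idp:
                # Enforcement is configured in the app itself: keep a screenshot or
                # config export as evidence, the IdP policy does not cover it.
                report["verify_outside_idp"].append(a.name)
        elif not mandatory:
            report["recommended"].append(a.name)
        elif a.exception_reason and a.exception_expires and a.exception_expires >= today:
            report["exceptions"].append(
                (a.name, a.exception_reason, a.exception_expires.isoformat()))
        elif a.exception_reason and a.exception_expires:
            report["gaps"].append((a.name, f"exception expired {a.exception_expires.isoformat()}"))
        else:
            report["gaps"].append((a.name, "no MFA and no documented exception"))
    if in_scope:
        report["coverage_pct"] = round(100.0 * mandatory_covered / in_scope, 1)
    return report


# Constructed sample inventory: not real applications.
SAMPLE_APPS = [
    AppRecord("vpn", True, True, True, True),
    AppRecord("crm", True, False, True, True),
    AppRecord("legacy-erp", True, False, False, False,
              "vendor lacks MFA; compensating control: IP allowlist", date(2026, 9, 30)),
    AppRecord("old-ticketing", True, True, False, False,
              "migration to new tool pending", date(2026, 3, 31)),
    AppRecord("design-tool", False, False, False, False),
    AppRecord("payroll-saas", True, True, False, True),
]


def sample_report() -> Dict[str, object]:
    return mfa_coverage(SAMPLE_APPS, date(2026, 6, 15))


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

An expired exception is reported as a gap rather than silently kept: the point of recording an expiry is that the justification gets re-examined, and a report that shows the gap is more defensible in front of an inspector than one that hides it.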

    5. Risk management and security policies

    Article 21(2)(a) requires policies on risk analysis and information system security. The directive wants a living risk process, not a document written once and filed away.

    Implement:

    • Run regular, documented risk assessments covering your applications, identities and suppliers.
    • Maintain an information security policy set that is approved, communicated and reviewed.
    • Tie identified risks to owners and remediation deadlines.

    Evidence to keep: dated risk assessments, approved policies and a risk register with treatment status.

    6. Incident detection and reporting

    Article 21(2)(b) and the reporting obligations in Article 23 are where many organizations fall short. NIS2 sets hard deadlines: an early warning within 24 hours, a detailed notification within 72 hours, and a final report within one month.

    Implement:

    • Establish detection, triage and escalation procedures with named roles and playbooks.
    • Pre-configure reporting workflows so the 24-hour and 72-hour clocks do not catch you unprepared.
    • Ensure you can quickly attribute an incident to the user, service or supplier access involved, which depends directly on the quality of your identity data.

    Evidence to keep: incident records, escalation logs and copies of notifications sent to authorities.
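The three clocks above are simple until the one-month deadline crosses into a shorter month, or until an incident is open across all three at once and someone has to say which report is due next. The block below is an added example, not Corma's code or a legal tool: it derives the three deadlines from the time the entity became aware of the incident, clamps "one month" to the last day of the target month when the day does not exist (31 January plus one month lands on 28 February), and reports each stage as submitted, late, overdue or open with hours remaining. Measuring all three from the awareness time follows the wording of this page; confirm the start point of the one-month clock against your national transposition, since the national rules are what bind you. All timestamps and the sample incident are constructed, and everything is assumed to be in UTC.

```python
import calendar
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

STAGES = ("early_warning", "notification", "final_report")


def add_one_month(moment: datetime) -> datetime:
    """Same time of day one month later; clamps to the last day of a shorter month."""
    year, month = (moment.year + 1, 1) if moment.month == 12 else (moment.year, moment.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def reporting_deadlines(aware_at: datetime) -> Dict[str, datetime]:
    """24 h early warning, 72 h notification, one month final report, all counted
    from the moment of awareness (the page's framing; verify against national law)."""
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "notification": aware_at + timedelta(hours=72),
        "final_report": add_one_month(aware_at),
    }


def reporting_status(aware_at: datetime, now: datetime,
                     submitted: Dict[str, datetime]) -> List[Tuple[str, str, float]]:
    """Return (stage, state, hours) per stage.

    state is "submitted" (on time, hours = 0), "late" (hours past the deadline
    at submission), "overdue" (not submitted, hours past the deadline) or
    "open" (hours remaining). Hours are rounded to two decimals.
    """
    out: List[Tuple[str, str, float]] = []
    for stage, deadline in reporting_deadlines(aware_at).items():
        sent = submitted.get(stage)
        if sent is not None:
            if sent <= deadline:
                state, hours = "submitted", 0.0
            else:
                state, hours = "late", (sent - deadline).total_seconds() / 3600
        elif now > deadline:
            state, hours = "overdue", (now - deadline).total_seconds() / 3600
        else:
            state, hours = "open", (deadline - now).total_seconds() / 3600
        out.append((stage, state, round(hours, 2)))
    return out


# Constructed sample incident: awareness on 31 January, so the one-month clock
# has to land on 28 February (2026 is not a leap year).
AWARE_AT = datetime(2026, 1, 31, 10, 0, tzinfo=timezone.utc)
SUBMITTED = {"early_warning": datetime(2026, 2, 1, 8, 0, tzinfo=timezone.utc)}


def sample_status() -> List[Tuple[str, str, float]]:
    """Status as seen on 2 February at 12:00 UTC, with only the early warning sent."""
    now = datetime(2026, 2, 2, 12, 0, tzinfo=timezone.utc)
    return reporting_status(AWARE_AT, now, SUBMITTED)


if __name__ == "__main__":
    for stage, deadline in reporting_deadlines(AWARE_AT).items():
        print(f"{stage:14} due {deadline.isoformat()}")
    for stage, state, hours in sample_status():
        print(f"{stage:14} {state:9} {hours:7.2f} h")
```

Wiring `reporting_status` to a scheduled job that pages the incident owner when a stage flips to "open" with a few hours left is the pre-configured workflow this item describes; the incident record and the returned timeline together form the evidence to keep.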

    7. Supply chain and third-party access

    Article 21(2)(d) makes supply chain security a first-class obligation, and NIS2 goes further than ISO 27001 by extending due diligence beyond direct suppliers. Increasingly, attackers target organizations indirectly through vendor, contractor and partner identities.

    Implement:

    • Maintain a supplier register with risk classification, last assessment date and contractual security commitments.
    • Govern and review third-party access the same way you govern employee access, with expiry and recertification.
    • Remove vendor and contractor access promptly when an engagement ends.

    Evidence to keep: supplier risk register, third-party access reviews and offboarding records.

    This is also a people and process question, not only a tooling one. Our article on bridging the gap between finance and IT teams shows how security teams keep this under control while managing SaaS.

    8. Business continuity and backup

    Article 21(2)(c) requires business continuity, including backup management, disaster recovery and crisis management. The aim is to keep essential services running through and after an incident.

    Implement:

    • Document backup and restore processes with defined recovery time objectives.
    • Test recovery on a schedule, not only on paper.
    • Maintain a crisis management plan with clear roles.

    Evidence to keep: backup policy, restore test results and a documented continuity plan.

    9. Cryptography and encryption

    Article 21(2)(h) names policies on the use of cryptography and encryption. Encrypt sensitive data at rest and in transit, and prefer SaaS vendors whose hosting and encryption align with EU data protection expectations.

    Implement:

    • Encrypt sensitive data at rest and enforce TLS in transit.
    • Document your cryptography policy and key management approach.
    • Factor data residency into your SaaS selection, since a directive built for the EU rewards EU-aligned hosting.

    Evidence to keep: cryptography policy and an inventory of encryption applied per system.

    10. Audit trail and evidence

    Across the directive, supervision depends on evidence. Article 21(2)(f) requires you to assess the effectiveness of your measures, and competent authorities expect an auditable trail under the supervision articles.

    Implement:

    • Centralize logs of access grants, changes, reviews and removals.
    • Keep a tamper-evident record of who did what, when, across applications.
    • Make evidence retrievable on demand, because an inspector should not have to wait while you search.

    Evidence to keep: consolidated audit logs and an evidence library indexed to each Article 21 measure.
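"Tamper-evident" has a concrete meaning: a reader of the log must be able to detect that an entry was altered after the fact. The most common way to get that property in an application-level audit trail is a hash chain, where each record carries the hash of the previous one, so editing any record breaks every link after it. The block below is an added example, not Corma's code: a minimal chained audit trail over access events, a verifier that reports the first broken link, and a demonstration of the chain's known blind spot, that cutting records off the tail is invisible unless the latest hash has been stored somewhere outside the log (an anchor). The events, actors and timestamps are constructed sample data.

```python
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64   # hash of "nothing", used as the previous link of the first record


def _canonical(entry: dict) -> bytes:
    """Serialize deterministically so the same event always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def _link(prev_hash: str, entry: dict) -> str:
    return hashlib.sha256(prev_hash.encode("ascii") + _canonical(entry)).hexdigest()


class AuditTrail:
    """Append-only list of access events, each chained to its predecessor."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    def head(self) -> str:
        """Hash of the latest record; export this regularly to a separate system."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def append(self, actor: str, action: str, target: str, at: str, **details) -> str:
        entry = {"actor": actor, "action": action, "target": target, "at": at, **details}
        prev = self.head()
        digest = _link(prev, entry)
        self.records.append({"prev": prev, "entry": entry, "hash": digest})
        return digest

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return the index of the first record whose link is broken, None if intact.

        With an externally stored anchor passed as expected_head, a mismatch at the
        end returns len(records): the tail was truncated or replaced, which the chain
        alone cannot detect.
        """
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or _link(prev, rec["entry"]) != rec["hash"]:
                return i
            prev = rec["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.records)
        return None


def build_sample_trail() -> AuditTrail:
    """Constructed grant / review / revoke sequence for one account."""
    trail = AuditTrail()
    trail.append("hr-sync", "grant", "crm:bob@example.com",
                 "2026-05-04T08:00:00Z", role="sales")
    trail.append("carol@example.com", "review_decision", "crm:bob@example.com",
                 "2026-06-01T09:30:00Z", decision="revoke")
    trail.append("hr-sync", "revoke", "crm:bob@example.com",
                 "2026-06-01T10:00:00Z", reason="leaver")
    return trail


def demo() -> Dict[str, Optional[int]]:
    """Show what the chain catches and what only the anchor catches."""
    trail = build_sample_trail()
    anchor = trail.head()                           # stored outside the log
    results = {"intact": trail.verify()}

    tampered = build_sample_trail()
    tampered.records[1]["entry"]["decision"] = "keep"   # quietly flip a review decision
    results["tampered_at"] = tampered.verify()

    truncated = build_sample_trail()
    truncated.records.pop()                             # drop the most recent event
    results["truncation_without_anchor"] = truncated.verify()
    results["truncation_with_anchor"] = truncated.verify(anchor)
    return results


if __name__ == "__main__":
    print(demo())
```

The last two results are the practical caveat: a hash chain alone proves that the records you still have were not modified, not that none were removed from the end. Writing the head hash to a second system that the log's own administrators cannot edit (a ticket, a signed e-mail to the auditor, write-once storage) on a fixed schedule is what turns the chain into an auditable trail.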

    11. Cyber hygiene and training

    Article 21(2)(g) requires basic cyber hygiene practices and cybersecurity training. This extends to the management body, whose training is now an explicit obligation.

    Implement:

    • Run regular security awareness training for all staff, with attendance and results recorded.
    • Provide dedicated cybersecurity briefings for the management body.
    • Refresh content as the threat landscape and the national NIS2 rules evolve.

    Evidence to keep: training logs with attendance, scores and completion dates, including leadership.

    12. Governance and management accountability

    Article 20 introduces personal accountability for the management body. Executives must approve and oversee cybersecurity measures, and can face sanctions, including being barred from management roles, for failing to do so.

    Implement:

    • Assign formal ownership of NIS2 compliance with the authority and budget to act.
    • Put cybersecurity oversight on the management agenda with documented approvals.
    • Report compliance status to leadership on a regular cadence.

    Evidence to keep: governance records showing management approval and oversight of security measures.

    Why SaaS visibility is the foundation of NIS2 for IT teams

    Here is the through-line that connects every item above. Asset management, access control, provisioning, incident attribution and supplier access all assume you know which applications exist and who can reach them. If your environment is full of unmanaged SaaS adopted outside IT, every one of those controls has a hole in it.

    That is why, for a mid-market IT team, NIS2 readiness starts with discovery, not with policy documents. Once you have a live picture of your applications and identities, the rest of the checklist becomes a series of solvable, automatable tasks rather than an open-ended audit nightmare.

    This is also where most competing checklists stop short. They list the ten Article 21 measures and move on, without acknowledging that you cannot govern access to applications you have not discovered. Treat SaaS visibility as item zero, and the other twelve items fall into place.

    How Corma helps IT teams meet NIS2 requirements

    Corma is a European platform that combines SaaS Management and Identity Access Management in one place, built for IT teams at growing companies. Where other tools cover either spend or identity, Corma covers both, which maps almost one-to-one onto the access-heavy core of Article 21.

    For NIS2 specifically, Corma helps IT teams across the checklist:

    • Discover every application, including shadow IT, so your asset inventory is real and current.
    • Automate access reviews so recertification produces audit-ready evidence instead of stale spreadsheets.
    • Automate provisioning and deprovisioning across the employee lifecycle, including apps without SCIM or SSO, so orphaned accounts stop accumulating.
    • Govern third-party and non-human access alongside employee access.
    • Maintain a centralized audit trail that maps to Article 21 measures, ready to show an inspector.

    Two differentiators matter for a directive written for Europe. Corma is ISO/IEC 27001:2022 certified, which shortens the mapping work between your existing ISMS and NIS2. And Corma offers EU data residency with native GDPR compliance, unlike many US-headquartered tools that treat European regulation as an add-on. Corma is also recognized in the 2025 Gartner Magic Quadrant for SaaS Management Platforms.

    If you want to see how this works for your team, explore the IAM solution for IT teams to automate SaaS management and access, review our approach to security, or request a demo to walk through your own environment.

    The capability table below summarizes how Corma maps to the checklist.

    How Corma maps to the NIS2 checklist for IT teams

    | Checklist area | NIS2 measure | How Corma supports it |
    |---|---|---|
    | SaaS & asset visibility | Art. 21(2)(i) asset management | Continuous SaaS discovery, including shadow IT, with owner and risk classification per app. |
    | Access control & governance | Art. 21(2)(i) access control | Least-privilege RBAC and identity governance across the full stack, not only IdP-connected apps. |
    | Access reviews | Art. 21(2)(f) effectiveness | Automated, recurring user access reviews that produce audit-ready evidence. |
    | Provisioning & deprovisioning | Art. 21(2)(i) HR security | Lifecycle automation tied to HR events, including apps without SCIM, SAML or SSO. |
    | MFA & secure access | Art. 21(2)(j) MFA | Native IdP connectors (Google Workspace, Microsoft Entra ID, Okta, JumpCloud) and SSO consolidation. |
    | Supply chain access | Art. 21(2)(d) supply chain | Governed third-party and non-human access with review and offboarding. |
    | Audit trail & evidence | Supervision articles | Centralized, retrievable logs mapped to Article 21 measures. |
    | European compliance edge | Whole directive | ISO/IEC 27001:2022 certified, EU data residency, native GDPR, Gartner Magic Quadrant 2025. |

    FAQ

    What is the NIS2 compliance checklist for IT teams?

    It is a practical list of the cybersecurity controls an IT team must implement to satisfy the NIS2 Directive, organized around Article 21's ten risk management measures and the directive's incident reporting and governance obligations. A good checklist pairs each requirement with a concrete technical action and the evidence to show at audit.

    What are the 10 NIS2 Article 21 requirements?

    They are: risk analysis and information system security policies; incident handling; business continuity and crisis management; supply chain security; security in acquisition, development and maintenance; policies to assess the effectiveness of measures; cyber hygiene and training; cryptography and encryption; human resources security, access control and asset management; and multi-factor authentication with secure communications.

    Who needs to comply with NIS2?

    Essential and important entities in 18 critical sectors that have at least 50 employees or more than EUR 10 million in annual revenue. Smaller organizations can still be pulled in through supply chain obligations if they supply an in-scope entity. National transposition laws define the exact scope in each member state.

    What is the NIS2 incident reporting deadline?

    In-scope entities must submit an early warning within 24 hours of becoming aware of a significant incident, a detailed notification within 72 hours, and a final report within one month. Fast attribution of the incident to the affected user, service or supplier access is essential to meet these deadlines.

    What are the penalties for NIS2 non-compliance?

    Essential entities can face fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher. Important entities face up to EUR 7 million or 1.4% of turnover. NIS2 also introduces personal accountability for the management body, including the possibility of barring executives from management roles.

    Does ISO 27001 cover NIS2 requirements?

    A certified ISO 27001 ISMS addresses a significant share of Article 21, because the two frameworks overlap heavily. However, NIS2 adds obligations that go beyond ISO 27001, including explicit supply chain security, mandated incident reporting timelines, management body accountability and explicit MFA requirements. A mapping exercise is the efficient way to close the remaining gaps.

    How does identity and access management support NIS2 compliance?

    Identity and access management underpins roughly half of the Article 21 measures, including access control, human resources security, asset management and MFA. Strong IAM lets you prove who has access to what and why, revoke access cleanly at offboarding, govern supplier access, and attribute incidents quickly, all of which the directive expects you to demonstrate.

    Where should an IT team start with NIS2?

    Start with visibility. Build a complete inventory of your SaaS applications and the identities that can access them, including shadow IT. Without that foundation, asset management, access control, provisioning and incident attribution all have gaps. Once you can see your environment, the rest of the checklist becomes a set of automatable tasks.

    NIS2 is not a one-off project but an ongoing cycle of assessing risk, applying controls, checking effectiveness and adjusting. For IT teams, the work is most manageable when it starts from a single source of truth for applications and identities. If you want to turn this checklist into action, request a demo of Corma and see how SaaS management and IAM come together to support NIS2 in one platform.
