Can You Answer These 10 NIS2 Questions? Most Organisations Can't
You have read the articles. You know the deadline. Maybe you have even started an internal inventory.
But can you actually answer these 10 questions?
They come from our 50-question NIS2 compliance assessment, and each one targets a specific blind spot that organisations consistently underestimate. They are not trick questions — they are the questions that regulators will ask when enforcement begins.
Be honest with yourself. If you hesitate on more than three, you have gaps that need attention.
How this works
Each question below maps to one of the 10 risk management measure categories listed in Article 21(2) of the NIS2 Directive. Together, these categories define what "appropriate and proportionate" cybersecurity risk management measures look like in practice.
We picked the single hardest question from each category — the one that separates organisations that have genuinely prepared from those that have only read the summary.
The 10 questions
1. Risk analysis and information system security
Can you show a documented, board-approved risk assessment that covers all NIS2-relevant assets, threats, and vulnerabilities, updated within the past 12 months?
Most organisations have some form of risk register. Few have one that is comprehensive, current, and approved by their management body, which is what Article 20(1) requires: the management body must approve the risk management measures and oversee their implementation. A risk assessment from 2022 that covers IT but ignores OT, supply chain dependencies, or cloud services will not satisfy a regulator.
2. Incident handling
Do you have a tested process to detect, classify, and report a significant incident to your CSIRT or competent authority within 24 hours of becoming aware of it?
Article 23 sets a three-stage timeline: an early warning within 24 hours of becoming aware of the incident, a full incident notification within 72 hours, and a final report within one month (or a progress report if the incident is still ongoing). The keyword is "tested". A documented procedure that has never been rehearsed is a documented failure waiting to happen, and the 24-hour clock does not pause while you look for the template.
3. Business continuity and crisis management
When was the last time you tested your backup restoration and disaster recovery plan end-to-end — and can you prove it?
Having backups is not the same as having business continuity. NIS2 requires that you can actually restore operations after an incident. If your last restoration test was "we checked that the backup job ran successfully," that is not a test — that is hope.
4. Supply chain security
Can you demonstrate that you assess and monitor the cybersecurity practices of your critical suppliers, with documented criteria and regular reviews?
Supply chain security is where most organisations have the widest gap. Article 21(2)(d) requires you to address supply chain security, including the security-related aspects of your relationships with direct suppliers and service providers, and Article 21(3) adds that when choosing those measures you must take into account the vulnerabilities specific to each supplier and the overall quality of their products and cybersecurity practices, including their secure development procedures. A standard vendor questionnaire sent once during onboarding does not meet this threshold.
5. Security in network and information system acquisition, development, and maintenance
Do your procurement and development processes include cybersecurity requirements from design through deployment — including vulnerability handling and disclosure?
This is not just about patching. NIS2 expects security to be embedded in how you acquire, build, and maintain systems. If your procurement process evaluates cost, features, and delivery time but not security, you have a structural gap.
6. Policies and procedures to assess the effectiveness of cybersecurity measures
How do you measure whether your cybersecurity measures actually work — and when did you last do it?
This is the question that stops most organisations cold. Having measures in place is step one. Proving they are effective is step two — and it is the step NIS2 explicitly requires. If your answer is "we have not been breached," that is not a measurement.
7. Basic cyber hygiene practices and cybersecurity training
Can you prove that all staff, including management, have received role-appropriate cybersecurity awareness training in the past 12 months?
Article 20(2) explicitly requires members of management bodies to follow cybersecurity training on a regular basis and expects entities to offer similar training to their employees. Not optional. Not "when convenient". In practice, "all staff" should mean everyone with access to your systems, including contractors and temporary workers, because a regulator assessing the cyber hygiene measure in Article 21(2)(g) will not distinguish between a phishing click by an employee and one by a contractor. A single annual phishing simulation is not training.
8. Policies and procedures regarding the use of cryptography and encryption
Do you have a documented policy on when and how encryption is applied to data at rest and in transit, with defined standards and key management procedures?
Many organisations encrypt data in transit (HTTPS, VPN) but have no policy for data at rest, and almost none can say who owns a given key, where it is stored, and when it was last rotated. Article 21(2)(h) requires documented policies and procedures on the use of cryptography and, where appropriate, encryption, not ad-hoc practices. If your approach to cryptography is "we use whatever the vendor defaults to", that is not a policy.
9. Human resources security, access control, and asset management
Is there a documented process for granting, reviewing, and revoking access rights, including when someone changes role or leaves the organisation?
Orphaned and over-privileged accounts are a routine initial access path for attackers, and accumulated rights from previous roles are how a low-privilege user becomes an administrator without anyone deciding that they should be. Article 21(2)(i) expects you to manage human resources security, access control and asset management as a continuous process, not a one-time setup. If it takes more than 24 hours to fully revoke a departing employee's access to all systems, including SaaS accounts and shared credentials, your process has gaps.
10. Multi-factor authentication and secured communication
Is MFA enforced for all privileged access, remote connections, and critical system administration, with documented exceptions and a timeline to close each gap?
NIS2 does not prescribe specific technologies, but Article 21(2)(j) lists the use of multi-factor authentication or continuous authentication solutions "where appropriate" as a required measure. In practice, any organisation that does not enforce MFA for administrative access and remote work will struggle to argue that its measures are "appropriate". An undocumented exception (the legacy VPN appliance, the break-glass account, the service account with an interactive login) is not an exception; it is an unmanaged gap.
What your score tells you
Count the questions you can answer with a confident, documented "yes":
| Your score | What it means |
|---|---|
| 8–10 confident yes | Solid foundation. You are ahead of most organisations. Focus on documentation and continuous improvement. |
| 5–7 confident yes | Significant gaps. You understand the basics but lack the depth NIS2 requires. Prioritise the areas where you hesitated. |
| Fewer than 5 | Urgent action needed. Your organisation has material compliance gaps that could expose you to enforcement measures beyond fines, which under Article 32 can include, for essential entities, temporary suspension of certifications or authorisations and temporary bans on individuals exercising management functions. |
Remember: regulators will not ask whether you tried. They will ask whether you can demonstrate that your measures are appropriate and proportionate to the risk. Documentation is not bureaucracy; it is your evidence.
These are just 10 of 50
These questions are a sample from our full 50-question NIS2 compliance assessment, which covers all 10 Article 21 measure categories in depth.
The free quickscan gives you a structured overview of where you stand. The full assessment produces a detailed PDF report — the kind you can put in front of your board and say: "here is exactly where we are, and here is what we need to do."
Whether you are an IT consultant assessing clients, a compliance officer reporting to the board, or a CISO building a business case — the assessment gives you the structured, evidence-based starting point that NIS2 demands.
