
NIS 2 Readiness Assessment

1. Do you adopt and adapt emerging technologies to enhance risk management processes?

2. Are cybersecurity training programmes tailored to employees’ specific roles and responsibilities?

3. Do you conduct interdependency analyses to understand how disruptions to one system or process could affect others?

4. Are advanced workshops or training sessions provided for staff on specific cybersecurity threats and countermeasures?

5. Are regular security assessments conducted by internal or external parties to identify vulnerabilities, and/or is penetration testing performed?

6. Are systems and software regularly updated to address security vulnerabilities?

7. Are all cybersecurity policies, procedures, and compliance measures well documented and accessible?

8. Are escalation procedures clearly defined and known to all relevant staff for different types of security incidents, including the initial evaluation of severity?

9. Is there an effective mechanism in place for employees to report cybersecurity concerns or incidents?

10. Is there a designated cybersecurity officer or team responsible for risk management?

11. Do you regularly evaluate the effectiveness of cybersecurity training programmes?

12. Are cybersecurity risk management processes integrated with the organisation’s overall risk management framework?

13. Are stakeholders regularly involved in the identification, assessment and management of risk?

14. Do you have audit rights included in agreements with key suppliers to ensure compliance with your security requirements?

15. Is there a process in place for the continual improvement of risk management strategies based on new threats and vulnerabilities?

16. Do you have specific plans for managing cybersecurity incidents that involve your supply chain?

17. Do you conduct regular business impact analyses to determine the critical systems and data essential to your organisation’s continuity?

18. Are there formal agreement clauses in place that require suppliers to report security incidents?

19. Are business continuity plans tested under different scenarios to check their effectiveness against various potential incidents?

20. Do you have a communication plan in place for coordinating with external stakeholders during a cybersecurity incident?

21. Is there a dedicated function or team monitoring changes in cybersecurity regulations and ensuring compliance?

22. Do you employ advanced threat detection technologies to identify potential cybersecurity threats?

23. Do you use user behaviour analytics to detect potentially malicious activity?

24. Are employees trained on the legal aspects of cybersecurity, including the requirements for privacy, data and information protection, and the NIS directive?

25. Are post-incident reviews conducted to analyse the response and identify areas for improvement?

26. Is supply chain risk management integrated into the overall organisational risk management framework?

27. Are business continuity plans updated based on lessons learned from actual incidents?

28. Is a Data Protection Officer (DPO) appointed to ensure compliance with data protection laws and regulations?

29. Do you regularly test employees with simulated phishing attacks to enhance their vigilance?

30. Are minimum cybersecurity standards defined and enforced for all suppliers and third-party service providers?

31. Are relevant staff encouraged or required to obtain cybersecurity certifications?

32. Are recovery time objectives (RTOs) defined, communicated, and tested for critical IT systems?

33. Do you have legal counsel to manage the reporting of cybersecurity incidents in line with regulatory requirements?

34. Is there a formal mechanism for incorporating feedback from audits and incidents into the risk management process?

35. Are regular, detailed cybersecurity incident simulations conducted to test readiness?

36. Do you continuously monitor and review the security practices of your suppliers and third-party service providers?

37. Is there a dedicated incident response team with clearly defined roles and responsibilities?

38. Do you have arrangements with external cybersecurity firms for additional support during an incident?

39. Are you implementing, or planning to implement, a Zero Trust security model?

40. Is your security architecture periodically reviewed and updated to reflect current cybersecurity practices and threats?

41. Do you maintain redundant infrastructure or services to ensure continuity in the event of a significant cybersecurity incident?


The NIS 2 readiness assessment aims to give insight into the strong and weak points of the organisation being evaluated.

*The results of this assessment do not constitute a diagnosis or a remediation plan; they give non-experts an indication of the scope of the NIS 2 Directive and of where their organisation stands. Please contact us if you require a professional assessment of your security posture against the requirements of NIS 2.

The main topics covered by the assessment are described below:


Risk Management

Risk management in cybersecurity is the systematic identification, assessment and mitigation of risks to an organisation’s information assets. It starts with identifying information assets, pinpointing potential threats and vulnerabilities, assessing their likelihood and impact, and then implementing strategies to minimise these risks through preventive and reactive measures. Ongoing monitoring and periodic reviews ensure the effectiveness of risk management practices, adapting as necessary to new threats. Effective communication and compliance are integral, aligning risk management with regulatory requirements and keeping all levels of the organisation informed. This proactive approach is critical to maintaining robust cybersecurity defences and ensuring organisational resilience to various cyber threats.

Incident Response

Incident response in cybersecurity is a structured approach to managing and mitigating the impact of security breaches or attacks. It includes preparation, detection, containment, remediation and recovery phases, coupled with thorough documentation and communication throughout the process. Incident response teams quickly assess and respond to threats to minimise damage and restore system functionality. They also analyse the incident to learn and improve future responses. This cycle ensures that organisations can quickly adapt and strengthen their defences against new threats. Effective incident response is critical to maintaining trust, business continuity and regulatory compliance.

Supply chain security

Supply chain security in cybersecurity focuses on protecting the integrity, confidentiality and availability of goods and information flowing through the supply chain network. It involves assessing and mitigating the risks posed by third-party partners and suppliers, from sourcing to delivery. Effective supply chain security requires robust due diligence, continuous monitoring and the integration of security practices across all stakeholders. This includes the implementation of stringent cybersecurity measures, contractual obligations and regular audits to ensure compliance with security standards. As threats can compromise entire supply chains, proactive management is essential to protect against disruptions and maintain confidence in supply chain operations.

Security measures

Security measures in cybersecurity encompass a range of strategies and tools designed to protect digital systems, networks and data from unauthorised access, attack and damage. These measures include physical security controls, cybersecurity policies, user access management, and technological solutions such as firewalls, antivirus software, and encryption. Regular updates, vulnerability assessments and penetration testing are critical to ensure that these defences remain effective against evolving threats. In addition, implementing security protocols such as multi-factor authentication and secure coding practices helps mitigate risks. Organisations must adopt a layered approach to security, combining multiple defences to increase resilience and protect sensitive information and critical infrastructure.

Regulatory compliance

Regulatory compliance in cybersecurity refers to adherence to laws, regulations and guidelines designed to protect information and infrastructure from cyber threats. It involves implementing the necessary security policies, procedures, and controls to meet specific standards set by governing bodies. Compliance is critical not only to avoid legal penalties and financial loss, but also to maintain the trust of customers and stakeholders. Organisations need to regularly assess and update their compliance status in response to new and changing regulations. Effective compliance programmes include employee training, regular audits and continuous improvement to address the dynamic nature of cybersecurity threats and regulatory requirements.

Training and awareness

Cybersecurity training and awareness is a critical component of an organisation’s security posture, aimed at equipping employees with the knowledge and skills to recognise and respond effectively to cyber threats. These programmes include regular training sessions on security best practices, the latest cyber threats and organisational policies. Awareness initiatives are designed to keep cybersecurity at the forefront of employees’ minds and help prevent breaches caused by human error. Interactive exercises such as phishing simulations and workshops increase engagement and retention. Ultimately, a well-informed workforce is a critical layer of defence against cyberattacks and fosters a culture of security awareness throughout the organisation.

Business continuity and recovery

Business continuity and recovery in cybersecurity focuses on maintaining and restoring business operations in the event of a cyberattack or other disruption. This process involves the creation of detailed plans that outline the necessary actions to minimise downtime and financial loss, while ensuring the availability of critical services. These plans typically include data backup strategies, system redundancies and failover mechanisms to enable rapid recovery. Regular testing and updating of these plans is essential to adapt to new threats and changing business requirements. Effective business continuity and recovery strategies ensure that an organisation can recover quickly from disruptions, maintaining customer confidence and operational stability.