Checklist

NIS2 self-check: are you in scope?

Three blocks of questions, honest answers — afterwards you know whether NIS2 applies to you and what comes first if it does. For the team meeting or the printer.

1. Sector: are you in a covered industry?

  • Energy, transport or traffic
  • Banking, financial markets or insurance
  • Healthcare (including labs and medical device manufacturers)
  • Drinking water, wastewater or waste management
  • Digital infrastructure, IT services or telecommunications
  • Post, courier, chemicals, food, or manufacturing (incl. machinery, vehicles, electronics)
  • Digital services (marketplaces, search engines, social networks) or research

2. Size: do you cross the thresholds?

  • At least 50 employees — or
  • More than €10m in annual revenue and balance sheet total
  • Careful: linked enterprises count (EU Recommendation 2003/361) — include parent and sister companies
  • Also possible below the thresholds: critical facilities, trust services and some special cases are covered regardless of size

3. If yes: are the baseline duties in place?

  • Risk management: you know which systems are critical and what their outage means
  • Backups exist AND the restore has demonstrably been tested
  • Incidents: who reports what, when, is settled — before things burn
  • Updates and patches run on a schedule, not “when there is time”
  • Multi-factor authentication for admin and remote access
  • Supply chain: you know which service providers are critical for you
  • Management knows its accountability — NIS2 makes it personally liable

This self-check is technical orientation, not legal advice. The binding classification is for your lawyer — the technical foundation for it is something we can build together.

Newsletter

Practical notes on self-hosting, digital sovereignty, and IT security for SMEs — about once a month, no spam, unsubscribe anytime.

Unsure about one of the points?

In a free first call we go through your situation — no panic, no sales pressure.