NIS2 Self-Check: How Ready Is Your Organization?
20 core questions from our assessment catalog with over 125 checkpoints. Evaluate your current cybersecurity maturity in 10 minutes – structured by the key NIS2 requirement domains.
Note: This self-check does not replace a professional assessment. It provides an initial orientation of where you stand and where the greatest need for action lies.
1 Governance & Risk Management
Does a cybersecurity strategy approved by senior management exist?
Is senior management demonstrably involved in monitoring cybersecurity measures (NIS2 Art. 20)?
Does senior management regularly participate in cybersecurity training?
Are cybersecurity risks considered in company-wide risk management?
2 Incident Management
Does a documented incident response plan for cybersecurity incidents exist?
Is the reporting process to the BSI implemented in line with the NIS2 deadlines (early warning 24h, initial report 72h, final report 1 month)?
Are incident response exercises or tabletop exercises conducted regularly?
3 Business Continuity & Crisis Management
Has a Business Impact Analysis (BIA) for critical business processes been conducted?
Does an IT Disaster Recovery Plan with defined RTO/RPO values exist?
4 Supply Chain Security
Are cybersecurity requirements contractually agreed with critical suppliers?
Does a process for monitoring the security posture of critical suppliers exist?
5 Network & Information Security
Does a network security architecture with segmentation and zone concepts exist?
Are security events centrally collected and correlated (SIEM)?
Are penetration tests or vulnerability scans conducted regularly?
6 Cryptography & Encryption
Is data in transit and at rest protected by current encryption methods?
Does a key management process with defined responsibilities exist?
7 Access Controls & MFA
Is Multi-Factor Authentication (MFA) implemented for all remote access and privileged accounts?
Is the principle of least privilege consistently applied?
Are access rights regularly reviewed and recertified?
Full NIS2 Readiness Assessment?
In 3–4 days we audit your organization against all 125 NIS2 checkpoints and deliver a prioritized action plan – at a fixed price.
30 min · Video call · No obligation