NIS2 Gap Analysis [Free Tool]

Find out your level of compliance with NIS 2

Instructions: The questions below cover all relevant NIS2 requirements - by filling out the answers, this tool will automatically calculate your company's level of compliance with this EU directive.

When answering questions, the following scale needs to be used:

1 — Not implemented: No process or activity implemented, or little/no evidence of any systematic achievement
2 — Planned: Activity or process is planned but is not implemented, or the implementation just started
3 — In progress: Activity or process is partially implemented, so that its full effects cannot be expected
4 — Mostly implemented: Activity or process is fully or mostly implemented, documented, and relevant people are trained, but monitoring, measurement, and improvement are not systematic
5 — Optimized: Activity or process is fully implemented, documented, and is continuously supervised, measured, and improved; relevant people are trained

1) Management bodies must approve the cybersecurity risk-management measures (Article 20, paragraph 1):

Tip

Use the following document to comply with this requirement: Risk Treatment Plan. See Preview

2) Management bodies must oversee the implementation of cybersecurity risk-management measures (Article 20, paragraph 1):

Tip

Use the following documents to comply with this requirement: Measurement Report + Internal Audit Report + Management Review Minutes. See Preview

3) Members of the management bodies are required to follow training, and must offer similar training to their employees on a regular basis (Article 20, paragraph 2):

Tip

Use the following documents to comply with this requirement: Training and Awareness Plan. See Preview

4) Entities must take appropriate and proportionate technical, operational, and organizational measures to manage the risks (Article 21, paragraph 1):

Tip

Use the following documents to comply with this requirement: Risk Treatment Table + Risk Treatment Plan + various policies and procedures mentioned below. See Preview

5) When assessing the proportionality of measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact (Article 21, paragraph 1):

Tip

Use the following documents to comply with this requirement: Risk Assessment Methodology + Risk Assessment Table. See Preview

6) Establish and implement a policy on risk analysis (Article 21, paragraph 2, point (a)):

Tip

Use the following documents to comply with this requirement: Risk Assessment Methodology. See Preview

7) Establish and implement a policy on information system security (Article 21, paragraph 2, point (a)):

Tip

Use the following documents to comply with this requirement: Policy on Information System Security. See Preview

8) Establish and implement documents for incident handling (Article 21, paragraph 2, point (b)):

Tip

Use the following documents to comply with this requirement: Incident Management Procedure + Incident Log. See Preview

9) Establish documents for business continuity (Article 21, paragraph 2, point (c)):

Tip

Use the following documents to comply with this requirement: Business Continuity Plan. See Preview

10) Establish and implement backup management (Article 21, paragraph 2, point (c)):

Tip

Use the following documents to comply with this requirement: Backup Policy. See Preview

11) Establish documents for disaster recovery (Article 21, paragraph 2, point (c)):

Tip

Use the following documents to comply with this requirement: Disaster Recovery Plan. See Preview

12) Establish documents for crisis management (Article 21, paragraph 2, point (c)):

Tip

Use the following documents to comply with this requirement: Crisis Management Plan. See Preview

13) Establish and implement supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers (Article 21, paragraph 2, point (d)):

Tip

Use the following documents to comply with this requirement: Supplier Security Policy + Security Clauses for Suppliers and Partners + Confidentiality Statement. See Preview

14) Establish and implement security in network and information systems acquisition, development and maintenance (Article 21, paragraph 2, point (e)):

Tip

Use the following documents to comply with this requirement: Secure Development Policy + Specification of Information System Requirements. See Preview

15) Establish and implement policies and procedures to assess the effectiveness of cybersecurity risk-management measures (Article 21, paragraph 2, point (f)):

Tip

Use the following documents to comply with this requirement: Measurement Methodology + Measurement Report + Internal Audit Procedure + Internal Audit Checklist + Internal Audit Report + Management Review Procedure. See Preview

16) Establish and implement basic cyber hygiene practices (Article 21, paragraph 2, point (g)):

Tip

Use the following documents to comply with this requirement: IT Security Policy. See Preview

17) Establish and implement cybersecurity training (Article 21, paragraph 2, point (g)):

Tip

Use the following documents to comply with this requirement: Training and Awareness Plan. See Preview

18) Establish and implement policies and procedures regarding the use of cryptography and encryption (Article 21, paragraph 2, point (h)):

Tip

Use the following documents to comply with this requirement: Policy on the Use of Encryption. See Preview

19) Establish and implement human resources security (Article 21, paragraph 2, point (i)):

Tip

Use the following documents to comply with this requirement: Security Policy for Human Resources. See Preview

20) Establish and implement access control policies (Article 21, paragraph 2, point (i)):

Tip

Use the following documents to comply with this requirement: Access Control Policy. See Preview

21) Establish and implement asset management (Article 21, paragraph 2, point (i)):

Tip

Use the following documents to comply with this requirement: Asset Management Procedure + Inventory of Assets. See Preview

22) Establish and implement the use of multi-factor authentication or continuous authentication solutions (Article 21, paragraph 2, point (j)):

Tip

Use the following documents to comply with this requirement: Authentication Policy. See Preview

23) Establish and implement secured voice, video and text communications (Article 21, paragraph 2, point (j)):

Tip

Use the following documents to comply with this requirement: Information Transfer Policy + Secure Communication Policy. See Preview

24) Establish and implement secured emergency communication systems within the entity (Article 21, paragraph 2, point (j)):

Tip

Use the following documents to comply with this requirement: Secure Communication Policy. See Preview

25) Take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures (Article 21, paragraph 3):

Tip

Use the following documents to comply with this requirement: Supplier Security Policy + Risk Assessment and Treatment Report. See Preview

26) Take appropriate and proportionate corrective measures (Article 21, paragraph 4):

Tip

Use the following documents to comply with this requirement: Procedure for Corrective Action + Corrective Action Form. See Preview

27) Notify CSIRT or competent authority of significant incident (Article 23, paragraph 1):

Tip

Use the following documents to comply with this requirement: Significant Incident Notification for CSIRT/Competent Authority. See Preview

28) Notify the recipients of services of significant incidents that are likely to adversely affect the provision of those services (Article 23, paragraph 1):

Tip

Use the following documents to comply with this requirement: Significant Incident Notification for Recipients of Services. See Preview

29) Communicate to the recipients of services that are potentially affected by a significant cyber threat any measures or remedies that those recipients are able to take in response to that threat; also inform those recipients of the significant cyber threat itself (Article 23, paragraph 2):

Tip

Use the following documents to comply with this requirement: Significant Incident Notification for Recipients of Services. See Preview

30) Establish a document for an early warning that indicates whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact (Article 23, paragraph 4, point (a)):

Tip

Use the following documents to comply with this requirement: Significant Incident Early Warning. See Preview

31) Establish a document for an incident notification that indicates an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise (Article 23, paragraph 4, point (b)):

Tip

Use the following documents to comply with this requirement: Significant Incident Notification for CSIRT/Competent Authority. See Preview

32) Establish a document for an intermediate report on relevant status updates (Article 23, paragraph 4, point (c)):

Tip

Use the following documents to comply with this requirement: Significant Incident Intermediate Report. See Preview

33) Establish a document for a final report not later than one month after the submission of the incident notification (Article 23, paragraph 4, point (d)):

Tip

Use the following documents to comply with this requirement: Significant Incident Final Report. See Preview

34) Establish a document for a progress report - in the event of an ongoing incident at the time of the submission of the Final Report (Article 23, paragraph 4, point (e)):

Tip

Use the following documents to comply with this requirement: Significant Incident Progress Report. See Preview

NIS2 Gap Analysis Result:

Here's the percentage of your compliance with NIS2:

Enter your e-mail address

[The results will be sent to entered e-mail address]

For more information on what personal data we collect, why we need it, what we do with it, how long we keep it, and what your rights are, see this Privacy Notice.

Products by framework:

By Type

Where to Start

Other

Solutions for industries:

Leading Experts

NIS2 Gap Analysis [Free Tool]

Find out your level of compliance with NIS 2

Products

Resources

Standards & Regulations

Advisera

Help