NIS2 Self-Check: Am I in Scope?
Free checklist to determine in 15 minutes whether your organisation falls under the NIS2 directive and which obligations apply.
NIS2 covers far more organisations than the original NIS directive. Our checklist walks you through the relevant criteria (sectors, headcount, revenue, critical activities) and lays out the specific obligations that NIS2 introduces — mapped against existing standards such as ISO 27001 and BSI IT-Grundschutz.
What’s inside?
- Decision tree for fast classification as an "essential" or "important" entity under NIS2
- Sector overview covering all 18 industries in scope of NIS2, including edge cases
- Threshold table (headcount, revenue, balance sheet) with guidance on group-level assessments
- Checklist of the ten core security obligations from Article 21 NIS2
- Overview of notification and registration duties, including the reporting deadlines (early warning within 24 h, incident notification within 72 h, final report within one month / 30 d)
- Mapping of NIS2 requirements against ISO 27001:2022 and BSI IT-Grundschutz
- Guide to sanctions, personal liability of management and evidence requirements
Who is this document for?
The checklist is aimed at managing directors, CISOs, Information Security Officers and compliance leads who need a robust quick assessment of whether their organisation is in scope of NIS2 and which topics require immediate attention. It also works as a template for supplier screenings within supply-chain risk management.
Frequently asked questions about this document
- Does the checklist reflect the current German NIS2 implementation law?
- Yes. The checklist reflects the current status of the national implementation (NIS2UmsuCG) as well as EU Directive 2022/2555 and is kept up to date.
- What do I do if the self-check shows I am in scope?
- The final section of the checklist provides a 30-day roadmap with immediate actions: registration with the BSI, risk analysis, notification and escalation process, supplier communication. We are happy to support you in a free initial consultation.
- Does NIS2 apply to mid-sized companies?
- Yes. Within the covered sectors, NIS2 applies to medium-sized and larger enterprises, i.e. from 50 employees or, alternatively, from more than EUR 10 million in annual turnover and balance sheet total. Some particularly critical services (e.g. qualified trust services, DNS services, top-level domain registries, public electronic communications networks) are covered regardless of company size.
- Is an ISO 27001 certificate enough to satisfy NIS2?
- ISO 27001 covers a large share of the requirements, especially around risk management and technical/organisational controls. The specific NIS2 obligations (registration, reporting deadlines, supply-chain security, management accountability) go beyond ISO 27001 and must be evidenced separately.
- May I share the checklist internally?
- Yes, the checklist may be distributed internally and used unchanged. Commercial redistribution to third parties is not permitted.
Ready for World-Class IT Security?
Contact us for a non-binding consultation and find out how we can take your information security to the next level.