How NIS2-ready is your organisation?

Answer 20 questions across 5 NIS2 compliance areas. Get an instant AI-powered gap analysis with your top priorities — delivered to your inbox.

20 questions · ~5 minutes · AI gap analysis · Free report by email

Sensitive information notice: This assessment may ask about your security measures and incident history. Do not share specific IP addresses, system names, passwords, or details that could expose your infrastructure. Answer at a policy and practice level only.

Based on: Directive (EU) 2022/2555 — NIS2

NIS2 Readiness Assessment

Free account required · Results by email

Step 1 of 6 — Organisation Profile

Tell us about your organisation

NIS2 applies differently depending on your sector, size, and whether you provide essential or important services. This helps us tailor your assessment.

Step 2 of 6 — Risk Management & Governance

NIS2 Art. 21 requires a risk management approach to cybersecurity. Management bodies are personally accountable for approving and overseeing these measures.

Does your organisation have a documented cybersecurity risk management policy approved by senior management?
NIS2 Art. 21(1) requires "all appropriate and proportionate technical, operational and organisational measures." Management bodies must personally approve risk management measures (Art. 20).

Have you conducted a formal risk assessment to identify cybersecurity threats and vulnerabilities relevant to your operations?
A risk assessment must underpin your security measures. It should identify assets, threats, vulnerabilities, and the potential impact of incidents.

Does your organisation have a business continuity plan and disaster recovery procedures that have been tested?
NIS2 Art. 21(2)(c) explicitly requires business continuity management and disaster recovery. Plans must be documented, tested, and regularly updated.

Do senior managers receive regular cybersecurity training, and are they aware of their personal liability under NIS2?
NIS2 Art. 20(2) requires management bodies to follow cybersecurity training. They are personally liable for breaches of NIS2 obligations — including potential temporary bans from management roles.
Step 3 of 6 — Incident Handling & Reporting

NIS2 introduces strict incident notification deadlines. Significant incidents must be reported to national authorities (as an early warning) within 24 hours of detection.

Do you have documented incident response procedures that define what constitutes a "significant incident" under NIS2?
A significant incident is one causing severe disruption to service delivery, financial loss, or impact on other entities. Your procedures must define the thresholds and response steps clearly.

Can your organisation submit an early warning to your national CSIRT within 24 hours of detecting a significant incident?
NIS2 Art. 23 requires: (1) an early warning within 24h, (2) an incident notification within 72h, (3) a final report within 1 month. Do you know which national CSIRT to report to, and how?

Do you have security monitoring tools in place to detect incidents in near real-time?
Effective incident detection typically requires SIEM, EDR, or similar tools. Manual processes alone are rarely sufficient to meet NIS2's 24-hour early warning requirement.

Are all staff trained to recognise and escalate potential security incidents?
Security awareness training is a basic NIS2 requirement. Many incidents begin with phishing or social engineering — staff must know what to look for and who to contact.
Step 4 of 6 — Supply Chain & Third-Party Security

NIS2 Art. 21(2)(d) requires supply chain security. You are responsible for the security of services provided by your suppliers and technology vendors.

Do you have a documented process to assess the cybersecurity practices of your key suppliers and technology vendors?
NIS2 requires entities to consider supply chain vulnerabilities when managing risk. This includes assessing vendor security posture before onboarding and periodically thereafter.

Do your contracts with critical suppliers include cybersecurity obligations, incident notification requirements, and audit rights?
Your NIS2 obligations extend to your supply chain. Contracts with critical ICT and service providers should include minimum security standards, breach notification timelines, and your right to audit.

Do you maintain an inventory of all third-party software and services with access to your systems or data?
You cannot secure what you don't know about. A complete software and service inventory is the foundation for supply chain risk management under NIS2.
Step 5 of 6 — Access Control & Network Security

NIS2 requires basic cyber hygiene measures, including access control, encryption, and vulnerability management, as part of its minimum security standards.

Is multi-factor authentication (MFA) enforced for all remote access, privileged accounts, and critical systems?
MFA is explicitly listed as a NIS2 minimum measure (Art. 21(2)(j)). It is one of the most effective single controls against account compromise.

Do you apply the principle of least privilege, ensuring users and systems only have access to what they strictly need?
Privileged access management (PAM) and least-privilege access reduce the blast radius of a breach. Regularly review and remove unnecessary access rights.

Do you have a vulnerability management programme including regular patching, scanning, and penetration testing?
Vulnerability management is a core NIS2 requirement. This includes keeping software patched, running vulnerability scans, and periodic penetration tests of critical systems.

Is sensitive data encrypted in transit and at rest, and do you use network segmentation to isolate critical systems?
Encryption (Art. 21(2)(h)) and network security (Art. 21(2)(e)) are minimum NIS2 requirements. Network segmentation limits an attacker's ability to move laterally after initial access.
Step 6 of 6 — Get Your Report

Where should we send your report?

Your personalised NIS2 gap analysis is ready. Enter your email to receive it. The analysis is generated by AI — not legal advice.

The report maps your answers against NIS2 Article 21 requirements (risk management controls, incident reporting readiness, supply chain security, and access controls) and presents a readiness score, your top priority actions, and the NIS2 articles at risk.

⚠️ This report is generated using AI (Claude by Anthropic) and constitutes an awareness check only — not legal advice, not a compliance certification. For formal NIS2 compliance work, engage a qualified cybersecurity specialist or legal advisor. See our Privacy Policy for details on data handling.

Need to go deeper?

This free check gives you a directional view of your NIS2 readiness. Talk to a cybersecurity specialist to build your formal compliance programme.


Informational use only. This tool is provided for awareness purposes to help businesses understand their current situation regarding EU regulations. It does not constitute legal, regulatory, or professional advice. Results are indicative only and should not be relied upon as a substitute for qualified legal counsel. Verdaio accepts no liability for decisions made based on this tool’s output. Your inputs are processed ephemerally and are not stored or used for model training.