Roy Morken

Posted on • Originally published at ismycodesafe.com

NIS2 Compliance Checklist for Developers: 10 Security Measures You Must Implement

What Is NIS2?

The NIS2 Directive (Directive (EU) 2022/2555) replaces the original NIS Directive from 2016. It entered into force in January 2023, with EU member states required to transpose it into national law by October 2024. It significantly expands the scope, requirements, and penalties for cybersecurity in the EU.

Where NIS1 focused narrowly on operators of essential services and digital service providers, NIS2 covers 18 sectors and introduces two categories: "essential entities" and "important entities." The full text is available on [EUR-Lex](https://eur-lex.europa.eu/eli/dir/2022/2555).


## Who It Applies To

Essential entities (highest requirements):

- Energy (electricity, oil, gas, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health (hospitals, labs, pharma, medical devices)
- Drinking water and wastewater
- Digital infrastructure (DNS, TLD registries, cloud, data centers, CDNs)
- ICT service management (managed services, managed security services)
- Public administration
- Space

Important entities (slightly lower requirements):

- Postal and courier services
- Waste management
- Chemical manufacturing and distribution
- Food production and distribution
- Manufacturing (medical devices, electronics, machinery, motor vehicles)
- Digital providers (online marketplaces, search engines, social platforms)
- Research organizations




Size matters: NIS2 generally applies to medium-sized and large entities (50+ employees or €10M+ turnover). But some entities are covered regardless of size, for example DNS services, TLD registries, and qualified trust services.


## Security Requirements

Article 21 lists minimum cybersecurity risk management measures:

- Risk analysis and information system security policies
- Incident handling (prevention, detection, response)
- Business continuity and crisis management (backups, disaster recovery)
- Supply chain security (security requirements for suppliers)
- Security in network and information systems acquisition, development, and maintenance (including vulnerability handling and disclosure)
- Policies and procedures to assess the effectiveness of cybersecurity measures
- Basic cyber hygiene practices and cybersecurity training
- Policies on the use of cryptography and encryption
- Human resources security, access control policies, and asset management
- Multi-factor authentication (MFA) or continuous authentication solutions


## Incident Reporting

NIS2 introduces a three-stage reporting obligation for significant incidents:

- **Early warning within 24 hours**: Notify the national CSIRT (Computer Security Incident Response Team) or competent authority. Include whether the incident is suspected to be caused by unlawful or malicious acts.
- **Incident notification within 72 hours**: Update with an initial assessment: severity, impact, and indicators of compromise.
- **Final report within one month**: Detailed description of the incident, root cause analysis, mitigation measures applied, and cross-border impact if applicable.




A "significant incident" is one that causes or could cause severe operational disruption or financial loss, or affects other entities by causing considerable damage. [ENISA](https://www.enisa.europa.eu/topics/nis-directive) provides guidance on classification.


## Management Liability

NIS2 Article 20 requires that management bodies of essential and important entities approve cybersecurity risk management measures and oversee their implementation. Management must undergo cybersecurity training.




The directive explicitly states that management bodies can be held personally liable for non-compliance. Member states can implement measures that allow competent authorities to require specific remediation, and to temporarily ban individuals from exercising managerial functions in case of repeated violations.


## Penalties

| Entity Type | Maximum Fine |
|---|---|
| Essential entities | €10 million or 2% of global annual turnover |
| Important entities | €7 million or 1.4% of global annual turnover |

National authorities can also impose periodic penalty payments, order compliance audits, issue binding instructions, and require public disclosure of non-compliance.

## How to Prepare


- **Determine if NIS2 applies to you.** Check your sector and size against the categories above.
- **Conduct a risk assessment.** Identify your critical systems, data flows, and threats.
- **Implement Article 21 measures.** Start with MFA, encryption, backup, and vulnerability management.
- **Establish incident response.** Create a documented plan with clear roles, communication templates, and CSIRT contact details.
- **Audit your supply chain.** Map your suppliers and assess their security practices.
- **Train management.** Board-level cybersecurity awareness is a legal requirement.
- **Run regular vulnerability scans.** [ismycodesafe.com](/) covers web application security across 110 checks. Use it alongside infrastructure-level scanning tools.

This article was originally published on ismycodesafe.com.
