NIS2 Checklist 2026: 20 requirements you must document
NIS2 Article 21 requires all essential and important entities to implement concrete technical and organisational security measures. This checklist makes those requirements actionable — with a direct focus on certificates, TLS, and PKI — and shows exactly which 13 items CertControl covers automatically, and which 7 require your organisation to take a position.
EU transposition deadline: October 2024 (national laws vary — Denmark in force since July 2025) · Supervisory authority: your national NIS2 authority · Last updated: June 2026
Risk analysis and information system security
Incident management
Security in acquisition and maintenance of systems (TLS/PKI)
Supply chain security
Incident reporting to supervisory authority
Documentation for supervisory authorities and leadership
CertControl covers 13 of 20 items automatically — asset register, TLS scanning, OCSP monitoring, audit log, and reporting. The remaining 7 require organisational decisions: classification, procedures, and policy documents. CertControl provides the data — your organisation makes the call.
Frequently asked questions about the NIS2 checklist
Is there an official NIS2 checklist from the authorities?
No, there is no single official checklist. NIS2 Article 21 sets out ten security categories that all essential and important entities must implement. Your national NIS2 supervisory authority has published guidance, but it remains high-level. This checklist operationalises the requirements with a direct focus on TLS certificates, PKI, and the documentation that supervisory authorities expect to see.
When must my organisation be NIS2-compliant?
The EU deadline for transposing NIS2 into national law was 17 October 2024, though several member states finalised their laws later — Denmark's NIS 2 Act, for example, entered into force on 1 July 2025. Requirements apply from the date of entry into force — not from a future audit date. Your national supervisory authority can request documentation now. Asset registers and audit logs take time to establish — start immediately.
What happens if we fail to meet the NIS2 requirements?
Important entities can be fined up to €7 million or 1.4% of global turnover. Essential entities can be fined up to €10 million or 2% of global turnover. In addition, senior management can be held personally liable for failure to implement the requirements. Supervisory authorities can demand documentation at any time — not only in connection with an actual incident.
How many of the NIS2 checklist items does CertControl cover automatically?
CertControl covers 13 of the 20 checklist items automatically — including the certificate asset register, TLS scanning, OCSP monitoring, the audit log, and audit-ready reporting. The remaining 7 require organisational decisions, such as system classification, incident procedures, and policy documents. CertControl provides the underlying data, and your organisation makes the call on those items.
How does CertControl help meet the NIS2 Article 23 24-hour reporting deadline?
In the event of an outage, CertControl's continuous audit log and certificate register tell you immediately whether an expired certificate caused the incident — well within the NIS2 Article 23 24-hour reporting deadline for significant incidents. The audit log records every certificate change, alert, and renewal with a timestamp and user, giving you the documented root cause that essential and important entities must have ready when reporting to the national supervisory authority.
Primary sources
The regulatory facts on this page are drawn from the primary legislation and the responsible Danish authority. Confirm the current wording directly at the sources below.
- Directive (EU) 2022/2555 (NIS2) — full text on EUR-Lex, the EU's official law database.
- Styrelsen for Samfundssikkerhed (SAMSIK) — the Danish NIS2 authority: guidance, scope and the Danish NIS2 act (in force 1 July 2025).