Most NIS2 checklists read like a legal brief. This one is built for a SaaS team with no dedicated security staff and a deal waiting on the answer. Ten steps, in order, each tied to the Article 21 measure it satisfies, and each marked with whether a 60-second external scan can prove it for you.
Before the Checklist: Confirm You Are In Scope
Do not spend a week on controls until you know which route pulls you in. NIS2 reaches you either directly (size plus covered sector) or through a covered customer’s supply-chain duty. Our scope self-check sorts that in two minutes. If a customer has already sent you a security questionnaire, you are in scope commercially, and that is enough reason to work the list.
The 10-Step Checklist
1. Register with your national authority
If you are directly in scope, register with the competent authority. In Germany that is the BSI. Missing registration is penalised on its own, before any breach. Article 21 context: governance. Scan proves it: no, this is an administrative filing.
2. Enforce modern TLS everywhere
Disable TLS 1.0 and 1.1 on every public endpoint. Serve TLS 1.2 and 1.3 only, with a complete, valid certificate chain and HSTS. Article 21(2)(h) cryptography. Scan proves it: yes.
3. Set your security headers
Add HSTS, a Content-Security-Policy, X-Content-Type-Options, and the rest of the baseline response headers. This is an afternoon of config on most stacks. Article 21(2)(g) cyber hygiene. Scan proves it: yes.
4. Close your external exposure
Take admin panels, staging environments, and source maps off the public internet. One exposed admin login does more audit damage than a missing policy line. Article 21(2)(i) access control. Scan proves it: yes.
5. Lock down email authentication
Publish SPF, DKIM, and DMARC records. This blocks spoofing of your domain and is a check reviewers run routinely. Article 21(2)(g) hygiene. Scan proves it: yes.
6. Track and patch vulnerable components
Know which JavaScript libraries and server versions you run, and patch known CVEs on a defined window: 14 days for critical, 30 for high. Article 21(2)(e) vulnerability handling. Scan proves it: partially, the external-facing parts.
7. Enforce MFA and role-based access
Require multi-factor authentication on the systems you control and grant access by role with approval. Article 21(2)(j) MFA and access. Scan proves it: no, this is internal to your IdP.
8. Write an incident-response runbook
Document detection, escalation, and the path to the NIS2 early warning within 24 hours and the fuller report within 72. Our 24-hour notification template gives you a starting point. Article 21(2)(b) incident handling. Scan proves it: no.
9. Assess your own supply chain
List your subprocessors and confirm each meets a baseline. NIS2 pushes the same duty you feel from customers down to your own vendors. Article 21(2)(d) supply chain. Scan proves it: no.
10. Keep dated evidence of all of the above
The measure existing on paper is step one. Being able to show it live, without a two-week scramble, is what a reviewer actually grades. Evidence goes stale as you ship, so date it and refresh it. Article 21 overall. Scan proves it: yes, for the external half.
What the Scan Automates, and What It Does Not
Six of the ten steps have an externally observable component: TLS, headers, exposure, email authentication, vulnerable components, and dated evidence. Those are exactly the checks a customer or auditor runs from outside without trusting your paperwork.
Run a free external scan on your domain and you get an A-F grade plus a pass/fail on each of those in about a minute. That tells you which checklist items are already green and which need an afternoon of work before your next security review. Our deeper guide on what auditors actually ask for maps each finding to its control.
The other four steps, registration, MFA, the incident runbook, and supply-chain assessment, are internal or administrative. No scan can prove them. You document those yourself.
Turn the Green Checks Into a Document
Once your external posture is clean, capture it. SaaSFort scans across 60 external checks, grades A to F, and maps each finding to its NIS2 Article 21 control. The one-time audit pack is €39: a dated, branded PDF that covers the observable half of this checklist in a form a reviewer files directly. No subscription, no card on the first scan.
It does not replace steps 1, 7, 8, and 9, you still do those. It does replace the scramble of screenshotting your TLS config and writing prose about your headers, which is the part of a security review that wastes the most time.
Get your NIS2 checklist evidence pack for €39
FAQ
Is this checklist enough to be NIS2 compliant? It covers the core Article 21 technical and procedural measures for a small SaaS. Full compliance also depends on your sector, your size class, and national specifics like BSI registration in Germany. Treat this as the working list, not a legal sign-off.
Which steps can I finish today? Steps 2, 3, and 5, TLS, headers, and email authentication, are usually same-day config changes. A scan tells you their current state in a minute, so you can fix them before a review rather than under one.
Do I need to do all ten before I can answer a customer? No. A clean external posture (steps 2 to 6) plus honest answers on the rest carries most mid-market security reviews. The external evidence is the part you can produce immediately with a scan.
How often should I re-check? Treat external evidence as perishable. Re-scan before any audit call or security review, because posture drifts every time you deploy. A report from last quarter tells a reviewer nothing about today.
Ready to put this into practice?
Two ways to start — pick what fits. Free Scan if you want to see your security grade in 60s with no commitment. Free 14-day Growth trial if you're ready to monitor multiple domains, export NIS2 reports, and download Deal Reports — no credit card required.
No credit card · Cancel anytime · GDPR-ready · EU-hosted