FortaRisks

NIS2 readiness assessment

In a few minutes, gauge your compliance with the NIS2 Directive, and leave with your priorities.

≈ 5 minutes · no sign-up

NIS2 applies to a wide range of essential and important entities across the EU, and to many suppliers in their supply chain. Answer the 18 statements below: everything is computed in your browser, and no answer is stored.

Answer each statement based on your real situation. Your score and priorities appear instantly in your browser. Nothing is sent anywhere.

1. Governance and accountability

Management bodies approve and oversee cybersecurity risk-management measures, and leaders are trained.

You have documented policies on information system security and risk analysis.

You have determined whether you are an essential or important entity, and registered with the competent authority.

2. Risk-management measures

Incident handling procedures are defined and applied.

Business continuity, backup and disaster recovery are in place and tested.

Policies on cryptography and encryption are applied.

3. Supply chain security

Security is addressed in your relationships with suppliers and service providers.

You assess the security posture of your critical suppliers.

You handle vulnerabilities and coordinated disclosure.

4. Detection and access control

You monitor and detect incidents continuously.

A vulnerability handling and management process exists.

Access control and multi-factor authentication are enforced.

5. Incident reporting

You can issue an early warning to the CSIRT or authority within 24 hours.

You can notify an incident within 72 hours.

You can deliver a final report within one month.

6. Resilience and hygiene

Staff receive regular cyber hygiene training.

You test the effectiveness of your security measures.

You keep an asset inventory and manage human resources security.

FAQ

What is NIS2?

NIS2 is the EU directive on the security of network and information systems, replacing NIS. It expands scope to more sectors and strengthens requirements on risk management, incident reporting and management accountability.

Who is subject to it?

"Essential" and "important" entities across many sectors, plus many organizations pulled into scope through the supply chain of those entities.

What are the deadlines?

The transposition deadline for member states was October 2024. Enforcement is now underway, with strict reporting deadlines: 24 hours, 72 hours and one month.

What are the penalties?

For essential entities, fines can reach 10 million EUR or 2% of total worldwide annual turnover, whichever is higher. Management can be held liable.

Does this assessment replace legal advice?

No. It is an indicative tool to gauge your maturity and prioritize your actions. It does not constitute legal advice.