
Regulatory Playbook
NIS2 30th June Readiness Kit
A Practical Audit-Ready Compliance Toolkit For Essential & Important Entities
The Audit-Ready Toolkit for Essential and Important Entities Running Industrial Operations
NIS2 is in force, and the first wave of audit activity is no longer a future-tense risk. If your organisation runs PLCs, SCADA platforms, DCS systems, or any other form of operational technology across the EU, or supplies into a critical infrastructure sector, your readiness clock started the day your entity was classified, not the day an auditor calls.
Most compliance teams prepare a generic governance file and assume it will hold up against a control environment it was never written for. It will not. Article 21's risk-management obligations reach directly into process networks where a Safety Instrumented System cannot run an endpoint agent, a PLC commissioned in 2009 has no concept of multi-factor authentication, and an active vulnerability scan can trip a control loop instead of finding a vulnerability.
The Shieldworkz NIS2 30 June Readiness Kit closes that exact gap: a practical, audit-ready compliance toolkit built for Essential and Important Entities, labelled control by control so your team and your auditors know precisely what is a binding legal requirement under Directive (EU) 2022/2555 and what is recommended practice , with a dedicated OT/IEC 62443 layer wherever industrial environments need a different answer than IT.
What's Inside the Kit
An executive readiness overview covering entity classification, Article 20 accountability, and the Article 32–34 penalty structure. A complete Article 23 incident-handling toolkit, fillable 24-hour, 72-hour, and one-month report templates, a severity decision tree, and a RACI matrix. A business continuity package with BCP, DRP, and Crisis Management Plan structures. A supply chain toolkit addressing Article 21(2)(d) and 21(3), vendor questionnaires and risk scoring. An access control kit covering MFA, privileged access, and the joiner-mover-leaver process audits trip on most often. And a dedicated OT/ICS section mapping Article 21 onto asset inventory, zones-and-conduits segmentation, and safety-aware incident response , plus nine compliance checklists, a maturity scorecard, a 90-day roadmap, and a board-ready executive dashboard.
Why This Matters
The NIS2 Directive itself does not set one EU-wide statutory date of 30 June 2026 for every entity to pass a first compliance audit, supervisory cadence is left to each Member State's transposing law. But three converging facts have made 30 June 2026 the date that matters in practice: Hungary's national implementation names it as the statutory first-audit deadline; the informally tracked EU-wide target has already slipped once, from 31 December 2025 to 30 June 2026; and Italy's annual entity categorisation window closes on the same date. None of this changes when your obligations apply. It changes when "we'll get to it eventually" stops being viable.
OT environments carry the hardest version of this problem. Article 21 is technology-neutral, it does not carve out legacy industrial equipment. A control system left unpatched for a decade because patching risks an unplanned shutdown is not a theoretical finding; it is the specific, recurring gap supervisory authorities already flag as the weakest point in early NIS2 enforcement. This is the gap the Kit closes: passive discovery instead of active scanning that could disrupt a control loop, and engineering-approved response instead of automated containment that could itself trigger a safety event.
Why You Need to Download This Kit Now
Most NIS2 compliance resources are written for IT security teams. This Kit was written for the people who carry the audit risk, OT security leads, CISOs, plant managers fielding regulator requests, and compliance teams who need a defensible answer for a competent authority. Inside: fillable incident-notification templates mapped to the exact Article 23 deadlines, a labelled mandatory-versus-recommended checklist set, a maturity scorecard, and a 90-day remediation roadmap sequenced so the cheap, high-visibility gaps close first.
Compliance work has a predictable failure pattern: it gets treated as a documentation exercise that starts the week an audit notice arrives. By then, a dated board minute or a restore-tested backup log cannot be manufactured retroactively. The Kit exists to move that work earlier, while there is still time to do it properly instead of urgently.
Key Takeaways From the Kit
Classification drives everything. Whether you're an Essential or Important entity changes your supervisory model and your exposure under Articles 32–34: up to €10 million or 2% of global turnover for Essential entities, €7 million or 1.4% for Important entities.
Article 20 accountability is personal, not just corporate. A programme never formally approved by the board is, on paper, an Article 20 gap, and it is consistently the first thing a supervisory authority asks to see.
The 24/72-hour reporting clock is not theoretical. Organisations that have not rehearsed the escalation path from control room to CISO to CSIRT will not meet the deadline under pressure.
OT needs its own playbook, not a retrofitted IT one. Passive discovery and engineering-approved containment are how Article 21 gets implemented without creating a safety incident in the process of trying to prevent a cyber one.
How Shieldworkz Supports Your NIS2 Readiness Journey
A toolkit gets you most of the way. It does not replace the judgment of a team that has walked into industrial environments, mapped real control networks, and sat across the table from auditors. Shieldworkz is a specialist OT and ICS cybersecurity company with deployments across energy, manufacturing, utilities, oil and gas, and critical infrastructure globally, built specifically for the industrial environment, not adapted from an IT security programme with an OT brochure attached.
Our NIS2/IEC 62443 services cover every phase: from the initial OT security assessment that turns the Kit's checklists into a real, evidenced picture of your environment, through passive asset discovery and IT/OT segmentation design, to OT SOC integration and managed threat intelligence. Every engagement is led by practitioners who understand what a Modbus function-code anomaly means and what a CVSS score means in a process-control context , not a server rack. The goal isn't a longer document. It's making sure the one you have holds up the day it actually matters.
Download the Kit and Book Your Free Expert Consultation
The NIS2 30 June Readiness Kit is available to download at no cost, written for decision-makers who need accurate, practitioner-level guidance, not marketing material dressed up as a compliance resource. Fill the form to download your copy, and start using it immediately: pull the incident-reporting templates into your next tabletop exercise, run the gap-assessment scorecard against your current environment, and hand the executive dashboard structure to whoever owns your next board update.
Once you've reviewed the Kit, book your free consultation with a Shieldworkz OT security specialist to discuss your readiness posture, your highest-priority Article 21 gaps, and the most effective first steps for your sector and regulatory timeline.
Don't wait for the audit notice to find out where the gaps are.
Download your copy today!
Get our free NIS2 30th June Readiness Kit and make sure you're audit-ready across every Article 21 control in your industrial environment
