
Regulatory Playbook

NIS2 Compliance Comprehensive Assessment Questionnaire 

Are you genuinely NIS2-ready - or are you assuming compliance where gaps already exist? 

For organizations operating critical infrastructure, industrial control systems, or operational technology environments, NIS2 is not a checkbox exercise. Directive (EU) 2022/2555 makes management bodies accountable for approving and overseeing cybersecurity risk-management measures, mandates structured risk management across both IT and OT layers, and attaches administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for Essential Entities that fall short (Important Entities face up to €7 million or 1.4%).

Most readiness tools stop at the IT boundary. This one doesn't. Shieldworkz has developed a 40-domain, 150+ question NIS2 Compliance Comprehensive Assessment Questionnaire purpose-built for Essential and Important Entities whose operations include industrial control systems, SCADA, PLCs, DCS, HMIs, and safety-critical infrastructure. It is a structured workbook that maps NIS2 obligations directly against IEC 62443 controls - the primary international standard series for OT/ICS security - giving OT security leaders, CISOs, compliance teams, and internal auditors a single tool for assessing where they truly stand.

Why This Assessment Questionnaire Matters 

Regulators are no longer satisfied with policies on paper. NIS2 supervisory authorities are now actively evaluating whether organizations can evidence implemented, measurable, and continuously improving security controls. That's a materially different bar.

What makes this particularly complex for industrial operators is the dual-layer nature of the obligation. Article 21 requires risk management measures across the organization's full network and information systems - which, for manufacturers, energy operators, water utilities, transport providers, and critical infrastructure sectors, means OT networks are explicitly in scope alongside IT. Article 20 requires management bodies to approve those measures and oversee their implementation, requires their members to undergo cybersecurity training, and makes them liable for infringements.

Many organizations have mature IT security programs and assume OT coverage will follow. In practice, OT environments present fundamentally different challenges: legacy devices speaking protocols such as Modbus, DNP3, and IEC 61850 whose base specifications include no authentication or encryption; flat industrial network architectures that have never been segmented; PLCs and RTUs running without change detection; and SCADA servers that haven't been patched in years because no maintenance window exists.

This questionnaire surfaces all of it - systematically, domain by domain, with evidence requirements, maturity scoring, and direct NIS2 article mapping at every step.

Why Download This Questionnaire? 

Whether you are conducting an internal NIS2 readiness assessment, preparing for a regulatory inspection, or building a board-level remediation roadmap, this workbook gives your team a structured, defensible methodology from the first question to the final report.

It covers the complete assessment lifecycle: scoping your Essential or Important Entity classification, collecting structured evidence, scoring each control on a 0-5 CMMI-aligned maturity scale, applying Red/Amber/Green ratings, compiling a gap register mapped to NIS2 articles, and producing an executive summary your management body can act on.

For OT/ICS operators specifically, this questionnaire does something most NIS2 tools fail to do - it acknowledges that applying IT-centric security assessments to industrial environments, without adaptation, produces results that are both operationally dangerous and analytically incomplete.

Key Takeaways from the Assessment Questionnaire 

40 assessment domains covering governance, risk management, asset management, network security, identity and access, vulnerability and patch management, incident response, business continuity, supply chain security, and a dedicated 13-domain OT/ICS track - from OT asset discovery through to IEC 62443 maturity alignment. 

IT and OT assessed together. All 40 domains apply to Essential Entities. Important Entities work through domains 1-23 plus 37-40 as a baseline, supplementing with OT domains 24-36 wherever operational technology is in scope. 

CMMI-aligned maturity scoring (0-5) at every question level, from "Not Implemented" through "Optimising," with a RAG status (Red/Amber/Green) framework that tells you which gaps require immediate escalation to the board and which are remediation-track items. 

Direct NIS2 article mapping at every question - so you know exactly which regulatory obligation each finding implicates: Article 20(1) management accountability, Article 21(2)(a)-(j) security measures, Article 23 incident reporting, and Article 32 supervisory and enforcement measures. 

IEC 62443 cross-mapping throughout the OT domains - including 62443-2-1 security programme requirements for asset owners, 62443-3-2 zone and conduit risk assessment, and 62443-3-3 system security requirements and security levels - so your OT security posture assessment is expressed against the international standard series most commonly used to evidence OT/ICS controls. 

Remediation prioritisation built in. A four-tier priority matrix (P1 Critical through P4 Low) with defined target timeframes and escalation paths turns your gap register into a structured remediation programme, not just a findings list. 

OT-specific coverage that IT tools miss - including PLC logic change detection, default credential elimination on HMIs and RTUs, engineering workstation isolation, Safety Instrumented System network separation, removable media clean room processes, and OT backup restoration testing. 

NIS2 Article 23 incident reporting readiness assessed as a standalone domain - because the 24-hour early warning and the 72-hour incident notification (both counted from the moment you become aware of a significant incident) and the final report due one month after that notification each require pre-prepared processes, templates, and named ownership to be achievable under incident pressure. 

Board oversight evaluated directly - including whether management body members have received documented NIS2 training, whether they understand their personal liability under Article 20, and whether cybersecurity has a formal governance route to board-level decision-making. 

How Shieldworkz Supports Your NIS2 Compliance Journey 

Shieldworkz is an OT/ICS and industrial cybersecurity company with deep operational experience across energy, manufacturing, utilities, critical infrastructure, and industrial automation sectors. Our approach begins where most compliance tools end - at the OT boundary. 

OT/ICS Security Assessments: Our practitioners conduct NIS2 readiness assessments, IEC 62443 gap analyses, and OT-specific risk assessments using the same methodology embedded in this questionnaire. We understand the operational constraints that make OT security materially different from IT - and we work within them, not around them. 

Passive OT Asset Discovery and Visibility: You cannot secure what you cannot see. Shieldworkz deploys passive, non-intrusive OT discovery technology that builds a comprehensive asset inventory - including PLCs, DCS, RTUs, HMIs, engineering workstations, field devices, and the industrial protocols they use - without generating network traffic that could disrupt production. 

OT Network Monitoring and Threat Detection: Shieldworkz provides continuous OT network monitoring with detection rules tuned to industrial protocol anomalies, unauthorized engineering workstation connections, PLC logic modifications, and OT-specific malware indicators - integrated with your SIEM or delivered as a managed service. 

Compliance Programme Development: From building your NIS2 control framework mapping to developing your Article 23 incident notification process, we work alongside your CISO, OT security team, and compliance function to translate assessment findings into a prioritised, board-ready remediation roadmap. 

Incident Response and Preparedness: We support OT-specific tabletop exercises, incident response plan development, and forensic capability building - so that when an incident happens, your team already knows what to do and when to notify. 

Download the NIS2 Compliance Comprehensive Assessment Questionnaire 

This questionnaire is available to download at no cost. It is designed for immediate operational use by CISOs, OT security leaders, plant managers, compliance teams, and internal auditors working within Essential and Important Entities. 

Fill in the form to download the questionnaire and receive your copy directly. If your assessment reveals significant gaps - particularly in OT domains or NIS2 incident reporting readiness - our team is available for a free consultation to discuss your findings and prioritisation options. 

Download your copy today!

Get our free NIS2 Compliance Comprehensive Assessment Questionnaire and make sure you’re covering every critical control in your industrial network