
NIS2 Directive Preparedness Checklist & Implementation Guide 

Is Your Organisation Truly Ready for NIS2 - Or Just Hoping for the Best? 

The EU's NIS2 Directive (EU 2022/2555) is not a distant regulatory concept. It has been in force since January 2023, and Member States were required to transpose it into national law by October 2024. Right now, national competent authorities across Europe are beginning enforcement activities - and the organisations caught unprepared are facing fines of up to EUR 10 million or 2% of total global annual turnover, whichever is higher. 

For organisations operating critical infrastructure - energy grids, water systems, transport networks, manufacturing facilities, oil and gas assets - the stakes are even greater. NIS2 places OT and ICS environments squarely within its compliance scope, and for the first time in EU cybersecurity regulation, management body members face personal liability for non-compliance. 

The question is not whether your organisation needs to act. The question is: where do you stand right now, and what do you need to fix first? 

Shieldworkz has developed a practitioner-grade NIS2 Preparedness Checklist and Implementation Guide - purpose-built for CISOs, CIOs, Risk Officers, Compliance Leads, and Executive Leadership teams operating in regulated critical infrastructure sectors. 

Why This Checklist Matters for OT/ICS and Industrial Security Teams 

Most NIS2 compliance resources available today were written for IT-centric organisations. They stop at governance policies, access control checklists, and incident reporting templates. For organisations running industrial control systems, SCADA platforms, PLCs, RTUs, and DCS environments, that level of guidance is dangerously incomplete. 

NIS2 extends directly into your OT environment. Under Article 21, every Essential Entity operating in sectors like energy, transport, water, and manufacturing must address OT-specific security controls - from IEC 62443-aligned network segmentation to passive OT monitoring, engineering workstation hardening, and supply chain risk management for industrial vendors. 

The Shieldworkz NIS2 Preparedness Checklist was built by OT and industrial cybersecurity practitioners who understand the operational constraints of ICS environments - legacy assets that cannot be patched on a 30-day cycle, flat IT/OT network architectures that developed over decades, and third-party integrators who need remote access to systems that directly control physical processes. 

This is not a theoretical document. It maps every checklist item directly to an NIS2 Article obligation, includes evidence requirements, ownership guidance, KPIs, and maturity indicators - structured so that your team can immediately identify gaps and prioritise remediation with confidence.

Why It's Critical to Download This Checklist Now 

Enforcement is no longer hypothetical. ENISA's guidance and signals from early national implementations indicate that regulators are prioritising incident reporting compliance, the adequacy of cybersecurity risk management measures, management body accountability, and supply chain security for Essential Entities. 

Here is what that means practically. If your organisation does not have a 24/7 SOC or a clearly defined escalation procedure, you cannot meet the 24-hour early warning reporting deadline under Article 23 - and the clock starts from when your organisation becomes aware of the incident, not from when it occurred. If your board members have not completed NIS2-aligned cybersecurity training, they are personally exposed to regulatory sanction. If your OT network is not segmented from your IT environment, you have a critical gap against Article 21 requirements that regulators have specifically flagged.

The gap assessment workbook within this guide gives your compliance team a structured framework to score your current state against desired state across twelve control domains - governance, risk management, incident handling, incident reporting, business continuity, supply chain security, vulnerability management, identity and access management, encryption, OT security, security awareness, and compliance monitoring. 

No other publicly available NIS2 checklist provides this depth of OT-specific coverage alongside board-level reporting tools and a maturity assessment framework aligned to real-world industrial environments. 

Key Takeaways From the Checklist 

The Shieldworkz NIS2 Preparedness Checklist and Implementation Guide covers more than 100 individual control requirements across 15 sections. Here is what you will walk away with: 

A complete gap assessment workbook across all 12 NIS2 control domains, structured by Article obligation, risk rating, remediation action, and target timeline - ready to populate with your organisation's current state. 

An OT-specific compliance checklist covering ICS/SCADA asset inventory, IT/OT network segmentation per IEC 62443-3-2, secure remote access to OT environments, OT vulnerability management under patch constraints, passive OT network monitoring, removable media controls, and OT-specific incident response planning. 

Sector-specific implementation guidance for energy (electricity, oil and gas, hydrogen), transport (rail, road, aviation, maritime), and water and wastewater - addressing real operational challenges like safety-security interface compliance, SCADA anomaly detection, and manual fallback procedures for cyber-physical scenarios. 

A five-level NIS2 maturity assessment framework across governance, incident detection and response, and supply chain security - so your leadership team understands where your organisation sits today and what achieving compliance requires. 

An executive compliance dashboard template with RAG status across all 12 domains, pre-populated with the top 10 remediation priorities and indicative budget estimates - designed for board-level reporting. 

KPIs and KRIs for each control domain, including Mean Time to Detect, patch SLA compliance, phishing click-through rates, and OT monitoring coverage - so compliance is measurable, not just claimed. 

Incident reporting workflow guidance covering the three-stage NIS2 reporting timeline: 24-hour early warning, 72-hour incident notification, and one-month final report - including pre-built templates and alignment with GDPR notification obligations. 

How Shieldworkz Supports Your NIS2 Compliance Journey 

Shieldworkz is a global OT and industrial cybersecurity company. Our team works directly with operators of critical infrastructure across energy, utilities, transport, manufacturing, and water sectors - providing hands-on compliance assessments, technical remediation, and continuous monitoring capabilities built specifically for industrial environments. 

We understand that NIS2 compliance in an OT context is fundamentally different from IT compliance. You cannot deploy an EDR agent on a PLC. Patching a SCADA historian has operational risk that a standard IT vulnerability management programme does not account for. Network segmentation in an industrial facility involves safety systems, operational constraints, and vendor dependencies that require specialist knowledge to navigate correctly. 

Our NIS2 readiness assessments are conducted against actual Article obligations - not generic cybersecurity best practice checklists. We align findings to IEC 62443 security levels, NIST CSF 2.0, and ISO 27001:2022, and deliver gap assessment results and remediation roadmaps that are actionable, prioritised, and owned. 

From your first NIS2 scope determination through to board-ready compliance reporting and ongoing monitoring, Shieldworkz provides the technical depth and regulatory knowledge your organisation needs to achieve and maintain compliance with confidence.

Download the Checklist & Book Your Free Expert Consultation 

The Shieldworkz NIS2 Preparedness Checklist and Implementation Guide is available to download at no cost. Whether you are at the beginning of your NIS2 compliance programme or preparing for a regulatory inspection, this document gives you the structured framework your team needs to assess your current posture, identify your highest-priority gaps, and build a credible remediation plan. 

Fill in the form below to download your copy and book a free 30-minute consultation with one of our OT and industrial cybersecurity specialists. We will review your sector, entity classification, and current compliance status - and give you a clear picture of where to focus first. 

Download your copy today!

Get our free NIS2 Directive Preparedness Checklist & Implementation Guide and make sure you’re covering every critical control in your industrial network