NIS2 Mandatory Technical Measures: Operational Checklist for Businesses

[2026-06-07] Author: Ing. Calogero Bono

Your lawyer just told you your company falls under NIS2. Or maybe your accountant flagged it. The NIS2 Directive (EU 2022/2555) requires mandatory technical measures — not recommendations, but legal obligations. What do you do now?

We, at Meteora Web, see it every day: Italian SMEs often run cybersecurity on autopilot — weak passwords, no backups, unmanaged vendors. NIS2 is the wake-up call. It's also a compliance deadline (national transposition by October 17, 2024) with fines up to 2% of global turnover.

This guide gives you a concrete operational checklist of the mandatory technical measures. No fluff. Let's start from the real problem: you need to prove you've done everything reasonable to secure your systems.

Why NIS2 Technical Measures Are a Legal Requirement, Not an Option

NIS2 applies to operators in critical sectors (energy, transport, banking, health, digital infrastructure) and important sectors (postal, waste, chemicals, food, manufacturing, digital). If you have more than 50 employees or turnover above €10 million, you're likely in scope.

Article 21 lists the technical measures. They are minimum requirements. The EU wants a risk-based, documented, verifiable approach. Practical translation: you must show you've done everything reasonably necessary to protect your systems.

We, at Meteora Web, have seen companies treat security as an unnecessary cost — until the ransomware hit. With NIS2, that cost becomes a mandatory investment. If you lack internal skills, it's better to rely on partners who understand both technology and business risk.

The 10 Mandatory Technical Measures — Operational Checklist

We group the Article 21 requirements into concrete actions. For each, we explain why it's mandatory and what to do now.

1. Risk Analysis and Security Policy

Why mandatory: Without a risk map, you don't know what to protect. NIS2 requires a documented, updated assessment.

Checklist:

  • Appoint a security officer (CISO or equivalent).
  • Conduct a risk assessment at least annually (ISO 27005, NIST SP 800-30).
  • Write a security policy signed by top management.
  • Create an asset inventory (hardware, software, data, people).

2. Incident Management

Why mandatory: NIS2 requires you to detect and respond to incidents and to send an early warning to the competent authority within 24 hours of becoming aware of a significant one.

Checklist:

  • Implement detection systems (SIEM, EDR, centralized logs).
  • Define an incident response plan with roles, contacts, procedures.
  • Test the plan with simulations at least annually.
  • Set up a notification channel to the competent authority (e.g., national CSIRT).
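As an added example (not from the original article), here is a minimal detection rule of the kind a SIEM or log collector would run, written in Python over constructed sshd-style log lines: it flags a source address that produces five failed logins within a minute, raises the severity if a successful login from the same address follows, records the time-to-detect (a basic KPI), and stamps the alert with the 24-hour notification deadline counted from the moment of detection. The log format, thresholds and addresses are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# NIS2 early-warning window as stated in the article: 24 hours from awareness.
NOTIFY_WITHIN = timedelta(hours=24)

# Constructed sshd-style log lines (not from a real system; addresses are documentation ranges).
SAMPLE_LOG = """\
2026-06-07T08:00:01Z sshd[1201]: Failed password for admin from 203.0.113.10 port 51022 ssh2
2026-06-07T08:00:03Z sshd[1201]: Failed password for admin from 203.0.113.10 port 51023 ssh2
2026-06-07T08:00:05Z sshd[1201]: Failed password for root from 203.0.113.10 port 51024 ssh2
2026-06-07T08:00:07Z sshd[1201]: Failed password for admin from 203.0.113.10 port 51025 ssh2
2026-06-07T08:00:09Z sshd[1201]: Failed password for admin from 203.0.113.10 port 51026 ssh2
2026-06-07T08:00:11Z sshd[1201]: Accepted password for admin from 203.0.113.10 port 51027 ssh2
2026-06-07T08:05:00Z sshd[1202]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2026-06-07T08:09:00Z sshd[1203]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Assumed line layout: ISO timestamp, sshd process, result, user, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line):
    """Return a dict for a recognised auth line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window rule: `threshold` failures from one address inside `window` raise an alert.

    A later successful login from the same address upgrades the alert to high severity,
    because it suggests the guessing worked rather than merely being attempted.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures = defaultdict(list)  # source ip -> failure timestamps still inside the window
    alerts = {}                   # source ip -> alert record (one alert per source)
    for ev in events:
        ip = ev["ip"]
        if ev["result"] == "Failed":
            bucket = failures[ip]
            bucket.append(ev["ts"])
            while bucket and ev["ts"] - bucket[0] > window:   # drop failures that aged out
                bucket.pop(0)
            if len(bucket) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "source_ip": ip,
                    "first_seen": bucket[0],
                    "detected_at": ev["ts"],
                    "failure_count": len(bucket),
                    "time_to_detect_s": (ev["ts"] - bucket[0]).total_seconds(),
                    "followed_by_success": False,
                    "severity": "medium",
                    # Deadline for the early warning counts from the detection moment.
                    "notification_deadline": ev["ts"] + NOTIFY_WITHIN,
                }
        elif ip in alerts:
            alerts[ip]["followed_by_success"] = True
            alerts[ip]["severity"] = "high"
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the constructed input, the single alert comes from 203.0.113.10: five failures in eight seconds, then an accepted password from the same address, so severity becomes high and the notification deadline is 2026-06-08T08:00:09Z. The lone failure from 198.51.100.7 stays below threshold and is not reported.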

3. Business Continuity and Disaster Recovery

Why mandatory: An attack or failure must not paralyze your business.

Checklist:

  • Adopt the 3-2-1 backup rule (3 copies, 2 media, 1 off-site).
  • Verify restoration quarterly (not just backup creation).
  • Document a business continuity plan with RTO/RPO.
  • Run a disaster recovery test at least annually.
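The restoration check in the list above, as an added Python example that is not part of the article: it simulates a 3-2-1 layout on local disk (three copies, two media types, one marked off-site), writes a SHA-256 manifest alongside each archive, then restores every copy into a scratch directory and compares the restored files against the manifest. One copy's manifest is deliberately altered to show what a failed verification looks like. Paths, media labels and sample data are constructed for the example.

```python
import hashlib
import json
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, targets):
    """Write one tar.gz of `source` plus a checksum manifest to each target directory."""
    manifest = {
        str(p.relative_to(source)): sha256_file(p)
        for p in sorted(source.rglob("*")) if p.is_file()
    }
    archives = []
    for target in targets:
        target.mkdir(parents=True, exist_ok=True)
        archive = target / "backup.tar.gz"
        with tarfile.open(archive, "w:gz") as tar:
            for rel in manifest:
                tar.add(source / rel, arcname=rel)
        (target / "manifest.json").write_text(json.dumps(manifest, indent=1))
        archives.append(archive)
    return archives


def verify_restore(archive: Path):
    """Restore into a scratch directory and compare every file to the manifest.

    Returns (ok, problems); a backup that exists but cannot be restored intact is not a backup.
    """
    manifest = json.loads((archive.parent / "manifest.json").read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")   # safe-extraction filter, Python 3.12+ (and backports)
            except TypeError:
                tar.extractall(scratch)                  # older interpreters without the filter argument
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"{rel}: missing after restore")
            elif sha256_file(restored) != expected:
                problems.append(f"{rel}: checksum mismatch")
    return (not problems, problems)


def check_321(plan):
    """3 copies, on at least 2 media types, with at least 1 off-site."""
    media = {t["media"] for t in plan}
    offsite = sum(1 for t in plan if t["offsite"])
    return {
        "copies": len(plan), "media_types": len(media), "offsite_copies": offsite,
        "compliant": len(plan) >= 3 and len(media) >= 2 and offsite >= 1,
    }


def run_demo():
    """Constructed end-to-end run; everything lives in a temporary directory."""
    base = Path(tempfile.mkdtemp(prefix="nis2-backup-"))
    try:
        src = base / "erp-data"
        src.mkdir()
        (src / "orders.csv").write_text("id,amount\n1,120.50\n2,80.00\n")
        (src / "customers.json").write_text('{"1": "Rossi Srl"}')
        plan = [  # assumed layout: NAS and tape on site, object storage off site
            {"label": "local-nas",    "path": base / "nas",   "media": "disk",           "offsite": False},
            {"label": "tape",         "path": base / "tape",  "media": "tape",           "offsite": False},
            {"label": "cloud-bucket", "path": base / "cloud", "media": "object-storage", "offsite": True},
        ]
        archives = create_backup(src, [t["path"] for t in plan])
        # Simulate silent corruption of one copy: its manifest no longer matches the archive.
        tape_manifest = plan[1]["path"] / "manifest.json"
        m = json.loads(tape_manifest.read_text())
        m["orders.csv"] = "0" * 64
        tape_manifest.write_text(json.dumps(m))
        restores = {t["label"]: verify_restore(a) for t, a in zip(plan, archives)}
        return {"rule_321": check_321(plan), "restores": restores}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1, default=str))
```

The point of the quarterly check is the `verify_restore` step: the layout passes the 3-2-1 count, yet the tape copy fails verification, which is exactly the condition a backup-creation log alone would never reveal.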

4. Supply Chain Security

Why mandatory: An attack on a vendor can hit you.

Checklist:

  • Map all vendors with access to your data or systems.
  • Require security certifications (ISO 27001, SOC 2) or independent audits.
  • Include contractual clauses obligating vendors to notify incidents.
  • Review vendor risks periodically.

5. Secure Development and System Maintenance

Why mandatory: Unpatched software is the top entry point for attackers.

Checklist:

  • Adopt a patch management process with criticality-based prioritization.
  • Apply secure coding (OWASP Top 10) for in-house development.
  • Run vulnerability scans monthly and penetration tests annually.
  • Disable unnecessary services and ports.
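Criticality-based prioritization, as an added Python example (not the article's code nor any scanner's): each finding gets a tier from its CVSS score plus context (internet exposure, known exploitation), a remediation due date from an assumed per-tier SLA, and the resulting plan can be checked for overdue items at the next review. The findings, identifiers, dates and SLA values are constructed placeholders.

```python
from datetime import date, timedelta

# Constructed scan output; identifiers are placeholders, not real CVE numbers.
SCAN_DATE = date(2026, 6, 1)
REVIEW_DATE = date(2026, 7, 2)   # assumed date of the monthly follow-up review
FINDINGS = [
    {"id": "VULN-PLACEHOLDER-1", "asset": "web-01",   "cvss": 9.8, "internet_exposed": True,  "exploit_known": True},
    {"id": "VULN-PLACEHOLDER-2", "asset": "erp-db",   "cvss": 7.5, "internet_exposed": False, "exploit_known": False},
    {"id": "VULN-PLACEHOLDER-3", "asset": "hr-app",   "cvss": 5.3, "internet_exposed": True,  "exploit_known": False},
    {"id": "VULN-PLACEHOLDER-4", "asset": "intranet", "cvss": 4.0, "internet_exposed": False, "exploit_known": False},
    {"id": "VULN-PLACEHOLDER-5", "asset": "vpn-gw",   "cvss": 8.1, "internet_exposed": True,  "exploit_known": False},
]

# Remediation deadlines per tier: assumed internal policy values, not from the directive.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}


def priority_tier(finding):
    """Tier on severity plus context: known exploitation or a critical, exposed flaw is P1."""
    if finding["exploit_known"] or (finding["cvss"] >= 9.0 and finding["internet_exposed"]):
        return "P1"
    if finding["cvss"] >= 7.0 or (finding["cvss"] >= 4.0 and finding["internet_exposed"]):
        return "P2"
    return "P3"


def build_patch_plan(findings, scan_date):
    """Attach tier and due date to each finding; P1 first, highest CVSS first within a tier."""
    plan = []
    for f in findings:
        tier = priority_tier(f)
        plan.append({**f, "tier": tier, "due": scan_date + timedelta(days=SLA_DAYS[tier])})
    plan.sort(key=lambda p: (p["tier"], -p["cvss"]))
    return plan


def overdue(plan, today):
    """Identifiers whose due date has passed; these are the audit findings of the next review."""
    return [p["id"] for p in plan if today > p["due"]]


if __name__ == "__main__":
    plan = build_patch_plan(FINDINGS, SCAN_DATE)
    for p in plan:
        print(p["tier"], p["due"], p["asset"], p["id"])
    print("overdue at review:", overdue(plan, REVIEW_DATE))
```

Note how the medium-severity finding on the internet-facing HR application is pulled into P2 by exposure alone, while the same score on an internal host would sit in P3: severity without context is what leaves the wrong patches at the top of the queue.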

6. Evaluation of Technical Measures Effectiveness

Why mandatory: Measures must be tested, not just declared.

Checklist:

  • Conduct internal or external audits at least annually.
  • Perform penetration tests on infrastructure and applications.
  • Monitor security KPIs (mean time to detect, mean time to respond).
  • Document results and corrective actions.

7. Cyber Hygiene and Training

Why mandatory: Human error causes most incidents.

Checklist:

  • Organize cybersecurity training for all employees (at least once a year).
  • Run phishing simulations to test awareness.
  • Define policies for passwords, BYOD, and internet usage.
  • Update procedures based on incidents.

8. Use of Cryptography

Why mandatory: Data in transit and at rest must be protected.

Checklist:

  • Enable HTTPS on all web services.
  • Encrypt sensitive data in databases (AES-256).
  • Use TLS 1.3 for network communications.
  • Manage cryptographic keys with a vault (e.g., HashiCorp Vault).

9. Access Control and Asset Management

Why mandatory: Only those who need access should have it.

Checklist:

  • Apply least privilege principle.
  • Use centralized identity management (Azure AD, LDAP).
  • Revoke access immediately for vendors or former employees.
  • Log every access in detail.
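Least privilege together with detailed access logging, as an added Python example that is not from the original: a deny-by-default role check in which a deactivated account (a former vendor in the constructed directory) is refused regardless of the roles it still carries, and every decision, allowed or denied, is written as a structured JSON audit line. Role names, users, permissions and addresses are assumptions for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed role model: permissions are "object:verb" strings granted per role.
ROLE_PERMISSIONS = {
    "sales":      {"orders:read", "orders:create"},
    "accounting": {"orders:read", "invoices:read", "invoices:create"},
    "it-admin":   {"users:manage", "audit:read"},
}

# Constructed directory. Revocation is a flag flip, not a role edit, so a former
# vendor is locked out even if nobody remembered to strip its roles.
USERS = {
    "alice":      {"roles": ["sales"], "active": True},
    "marco":      {"roles": ["accounting"], "active": True},
    "vendor-erp": {"roles": ["it-admin"], "active": False},   # contract ended, access revoked
}

# In production these lines go to the central log collector; a list stands in here.
AUDIT_LOG = []


def effective_permissions(username):
    """Union of the user's role permissions; empty for unknown or disabled accounts."""
    user = USERS.get(username)
    if not user or not user["active"]:
        return set()
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user["roles"]))


def authorize(username, action, resource, source_ip, now=None):
    """Deny by default. Every decision is logged with who, what, from where, and why."""
    now = now or datetime.now(timezone.utc)
    user = USERS.get(username)
    if user is None:
        decision, reason = "deny", "unknown account"
    elif not user["active"]:
        decision, reason = "deny", "account disabled"
    elif action in effective_permissions(username):
        decision, reason = "allow", "granted by role"
    else:
        decision, reason = "deny", "permission not granted"
    entry = {
        "ts": now.isoformat(), "user": username, "action": action, "resource": resource,
        "source_ip": source_ip, "decision": decision, "reason": reason,
    }
    AUDIT_LOG.append(json.dumps(entry, sort_keys=True))
    return decision == "allow"


def audit_entries():
    """Parsed copy of the audit log, in the order decisions were taken."""
    return [json.loads(line) for line in AUDIT_LOG]


if __name__ == "__main__":
    authorize("alice", "orders:create", "order/1", "10.0.0.5")
    authorize("alice", "invoices:create", "invoice/9", "10.0.0.5")
    authorize("vendor-erp", "users:manage", "user/alice", "203.0.113.9")
    authorize("nobody", "orders:read", "order/1", "10.0.0.6")
    for line in AUDIT_LOG:
        print(line)
```

Logging denials is as important as logging successes: a run of "permission not granted" entries for one account is often the first visible sign of a compromised credential being tried against everything it can reach.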

10. Multi-Factor Authentication and Secure Communications

Why mandatory: Passwords alone are insufficient.

Checklist:

  • Enable MFA on all admin accounts, ideally on all users.
  • Use encrypted VPN for remote access.
  • Implement Single Sign-On with integrated MFA.
  • Block insecure protocols (FTP, Telnet, SMBv1).

Real examples from our work

We, at Meteora Web, managed the ERP system of a clothing store for years. Without automated, tested backups, a ransomware attack would have wiped out seasons of data. With NIS2, those good practices become mandatory.

Another client called us after a credential theft because MFA wasn't active. We implemented MFA on all accesses, immediately reducing risk. NIS2 explicitly requires it.

For many SMEs in Southern Italy, cybersecurity is still an afterthought. We work to close the digital divide, including the geographical one: they deserve top-tier technology, not second-class solutions.

Summary checklist — print and pin it

  1. Risk assessment documented annually.
  2. Incident response plan tested, notification channel active.
  3. 3-2-1 backup with quarterly restoration verification.
  4. Vendor mapping and security clauses in contracts.
  5. Patch management + monthly vulnerability scans.
  6. Penetration test annually, external audit.
  7. Training for all employees, phishing simulations.
  8. Encryption of data in transit and at rest (TLS 1.3, AES-256).
  9. Access with least privilege and centralized logs.
  10. MFA everywhere possible, VPN for remote access.

In a nutshell — what to do now

  1. Check if you're in NIS2 scope: review the sector list and size criteria (>50 employees or >€10M turnover).
  2. Perform a gap analysis using the checklist above.
  3. Plan implementations with priorities: MFA, backup, patching, training.
  4. Document everything: compliance is proven with evidence.
  5. If internal expertise is lacking, trust a partner who knows the regulation and can translate it into practice.

We, at Meteora Web, work daily on security and compliance, from SSL certificate management to SIEM configuration. Contact us for a tailored consultation.

For official references: NIS2 Directive (original text) and ENISA – NIS2.

Ing. Calogero Bono

Co-founder of Meteora Web. Computer engineer; I build high-performance digital ecosystems. AI, automation, technical SEO and web infrastructure. I write about technology to make the complex… simple.
