26 sections · 328 audit questions · every article, annex and clause · v2024-10-17
This page lists every regulatory leaf of NIS2 Impl. in the order it appears in the regulation — each article, annex and clause. The audit checklist treats every leaf as a separate audit row, including the permissive ones.
The audit-question count shows how many auditable rows the checklist generates from that leaf (zero means the leaf is informational only).
| Citation | Kind | Title | Audit questions |
|---|---|---|---|
| Annex §1 | Annex | Policy on the security of network and information systems (NIS2 Art. 21(2)(a)) | 18 |
| Annex §2 | Annex | Risk management policy (NIS2 Art. 21(2)(a)) | 21 |
| Annex §3 | Annex | Incident handling (NIS2 Art. 21(2)(b)) | 34 |
| Annex §4 | Annex | Business continuity and crisis management (NIS2 Art. 21(2)(c)) | 16 |
| Annex §5 | Annex | Supply chain security (NIS2 Art. 21(2)(d)) | 11 |
| Annex §6 | Annex | Security in network and information systems acquisition, development and maintenance (NIS2 Art. 21(2)(e)) | 67 |
| Annex §7 | Annex | Policies and procedures to assess the effectiveness of cybersecurity risk-management measures (NIS2 Art. 21(2)(f)) | 3 |
| Annex §8 | Annex | Basic cyber hygiene practices and security training (NIS2 Art. 21(2)(g)) | 8 |
| Annex §9 | Annex | Cryptography (NIS2 Art. 21(2)(h)) | 5 |
| Annex §10 | Annex | Human resources security (NIS2 Art. 21(2)(i)) | 13 |
| Annex §11 | Annex | Access control (NIS2 Art. 21(2)(i) and (j)) | 41 |
| Annex §12 | Annex | Asset management (NIS2 Art. 21(2)(i)) | 20 |
| Annex §13 | Annex | Environmental and physical security (NIS2 Art. 21(2)(c), (e) and (i)) | 19 |
| Article 2 | Article | Technical and methodological requirements | 2 |
| Article 3 | Article | Significant incidents | 10 |
| Article 4 | Article | Recurring incidents | 1 |
| Article 5 | Article | Significant incidents with regard to DNS service providers | 3 |
| Article 6 | Article | Significant incidents with regard to TLD name registries | 3 |
| Article 7 | Article | Significant incidents with regard to cloud computing service providers | 4 |
| Article 8 | Article | Significant incidents with regard to data centre service providers | 4 |
| Article 9 | Article | Significant incidents with regard to content delivery network providers | 4 |
| Article 10 | Article | Significant incidents with regard to managed service providers and managed security service providers | 4 |
| Article 11 | Article | Significant incidents with regard to providers of online marketplaces | 4 |
| Article 12 | Article | Significant incidents with regard to providers of online search engines | 4 |
| Article 13 | Article | Significant incidents with regard to providers of social networking services platforms | 4 |
| Article 14 | Article | Significant incidents with regard to trust service providers | 5 |
The Compliance Matrix is the verification document — every paragraph in scope on one PDF. The audit checklist bundle is the per-question working document (328 questions, 5 artefact formats).