We previously discussed NIS2 and the obligations it places on organisations designated as “critical” and “important” by the EU. Here we discuss the core areas that underpin NIS2 compliance.
A key tenet of the legislation is that leadership teams can no longer rely on leaving IT to get on with the job — they have a fiduciary duty to proactively understand and ensure appropriate governance is enforced when it comes to cybersecurity and resilience.
Even if you are not directly affected by the legislation, this approach can help you do business with those who are affected while ensuring your company is ready to withstand security threats and recover from an incident.
Ten key areas to consider for NIS2 compliance
- Risk analysis & information system security: It’s vital to understand potential vulnerabilities and what the impact would be if a system were compromised. Do you know which systems could be exploited? Do you know how they are secured? Is this information clearly documented and easily accessible to those who need it?
- Incident handling: This informs everything from how you detect incidents to how you react and the information you can draw upon to report them to the relevant authorities. Reporting deadlines under NIS2 are strict — typically within 72 hours — so maintaining detailed audits and logs of every action is vital for meeting required timeframes.
- Business continuity measures: This focuses on how your business responds if the worst happens. Do you have the right backup strategy in place? What’s your disaster recovery plan? Do your teams know how to execute that plan and who they need to contact in an emergency?
- Supply chain security: There is an obligation to understand potential vulnerabilities of your suppliers and their cybersecurity practices. This is also why companies not directly subject to NIS2 can still indirectly be affected by the directive. You may even be both governed by and governing this part of the directive.
- Security in system acquisition, development and maintenance, including vulnerability handling and disclosure: This involves establishing the right security posture before the purchasing process begins. Once a new system is deployed, processes must ensure it remains secure and that vulnerabilities are addressed quickly. Coordinated vulnerability disclosure is also important so that security issues can be reported and addressed appropriately.
- Policies and procedures to assess the effectiveness of cybersecurity risk management measures: This is the operational “glue” that assesses and continually monitors your security readiness. It covers everything from benchmarks on how you’re performing through to active monitoring and recording of processes and procedures.
- Basic computer hygiene and training: A core part of IT management is understanding what devices you have and who is using them. Most organisations already do this, but it’s important to see it as an integral part of your governance. You can’t manage and secure your infrastructure without knowing what assets exist within it.
- Policies on appropriate use of cryptography and encryption: Ensuring that your data is secure when at rest and in transit is important. This also includes defining how cryptographic tools are used within the organisation and ensuring proper procedures exist for their management and implementation.
- Human resources security, access control policies and asset management: Making sure the right training is in place to ensure users behave responsibly and understand their obligations around computer use is key. However, it’s also important that the right safeguards are implemented to ensure the right level of access to the right people at the right time.
- Use of multifactor authentication, secured voice/video/text communication and secured emergency communication: Secure business communications are a must for any business. This includes both the devices and the tools you use. In addition, organisations should consider how employees would communicate during a serious incident or disruption, when normal channels may be unavailable.
These are just very high-level overviews to provide talking points. Underneath each one is a consistent need for robust processes and the right tools to provide adequate governance.
The need for evidence is critical
Documentation gaps are a direct compliance risk, and documentation is a key part of demonstrating compliance.
- It’s the need to show that processes were seen and approved with the “paper trail” to prove it.
- It’s the ability to understand what has happened, what is happening and what should happen around any given incident.
- It’s being able to show robust security processes and that they are being actively employed.
In the event of an incident, businesses must demonstrate the steps they took and the decisions they made, as well as explain the reasoning behind how they restored operations. However, a company may also be called upon to discuss and evidence what it did prior to the incident. It may need to demonstrate its processes, what it was recording and how it was acting on that information, and then provide proof of all of it.
This creates a culture of continual evidence gathering, not just after something goes wrong.
This is also not achievable in a modern business using spreadsheets or relying on manual human intervention. It’s vital that teams have the right tools to do the job.
Don’t leave it to chance
Kaseya has been at the forefront of developing tools that help IT teams strengthen cybersecurity and resilience.
Directives and regulations may be introduced and evolve, but if you have the core principles of good governance in place and the right tools for the job, then appropriate compliance can follow.
Solutions such as IT Glue for IT documentation offer the ability to track, find and know everything in under 30 seconds, while Datto provides the peace of mind that, when something goes wrong, the right backups and disaster recovery are in place for business continuity.
Book a demo today to find out more.