2026-06-08 · Ibida Black Level S.L.

NIS2 self-assessment: 25 questions to check if your company complies

A 25-question NIS2 self-assessment for European mid-market companies. Operational, no FUD, no sales pitch. Take it in 20 minutes.

If your company has between 50 and 500 employees, operates in a sector that the NIS2 Directive considers essential or important, and you cannot answer this short test with documented evidence, you have a compliance gap. We did not design these questions to scare you. We designed them to give you, in twenty minutes, the same diagnostic snapshot we deliver during our paid initial assessment. If after going through them you decide you do not need us, that is a good outcome.

The test has five blocks of five questions: governance, risk and asset management, incident response, supply chain, and continuity. Each question has a binary answer (yes with evidence, or no) and a short explanation of what "yes with evidence" actually means in practice. There are no half-yes answers. NIS2 enforcement, when it arrives, will not accept them either.

1 · Governance and accountability (questions 1 to 5)

1. Does the management body of your company hold documented and dated training on cybersecurity, with attendance proof, at least once every 12 months?

"Yes with evidence" means signed attendance sheets or a learning management system record. A vague "we sent a slide deck" does not pass. NIS2 article 20 makes this an explicit obligation on management, not on the IT team. We routinely find companies where the CTO has done thirty hours of training and the management board has done zero.

2. Is there a designated cybersecurity leader, named in writing, with a clear reporting line to the management body and a budget allocated for the current fiscal year?

A CISO with no budget, no headcount, and a dotted line to IT operations is not a CISO. The directive is explicit about a defined responsibility, not about a job title.

3. Has the management body formally approved a written cybersecurity risk management policy, dated within the last 18 months?

Many mid-market companies still rely on an IT policy from 2019 that talks about firewalls and antivirus and forgets cloud, identity, and supply chain. NIS2 requires a risk management framework, not a perimeter-era list of products.

4. Are the personal liabilities of the management body in case of NIS2 non-compliance understood, documented in a board minute or equivalent, and reviewed yearly?

NIS2 introduced personal management liability for the first time. If your board has never seen a brief on what this means for them personally, you have an awareness gap, not a technical one.

5. Do you have a process to identify whether your company qualifies as an essential entity or an important entity under the local NIS2 transposition law, and have you registered with the competent national authority where required?

In Spain, INCIBE-CERT and the AEAT-managed registry are the reference points. In Romania, DNSC handles registration. We have seen companies operating in a clearly essential sector with no registration filed because nobody owned the question. That is enforcement risk, full stop.

2 · Risk and asset management (questions 6 to 10)

6. Do you have a current inventory, reviewed within the last six months, of all assets that store, process, or transmit information, including SaaS and shadow IT?

The inventory has to include the shadow IT tools that two finance team members signed up for last quarter. If the inventory only covers managed assets, it is incomplete by design.

7. Have you run a documented cybersecurity risk assessment in the last 12 months that identifies threats, vulnerabilities, likelihood, impact, and accepted vs treated risks?

NIS2 article 21 paragraph 2 line a explicitly requires this. A vendor security questionnaire is not a risk assessment.

8. Are technical and organisational controls in place to enforce least privilege on identity, access management, and administrative accounts, with reviews at least quarterly?

We find, in roughly four out of five mid-market diagnostics, at least one service account with administrative privileges that no one currently working in the company can fully explain.

9. Are all systems patched within an SLA written in your policy (typical mid-market range: 7 days critical, 30 days high, 90 days medium), with documented exceptions for the cases where the SLA cannot be met?

The exceptions are as important as the SLA. A blanket "we patch monthly" without an exception register is not a programme; it is a habit.
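As an added example (not code from this post or from IBL), here is the kind of check a practitioner can run over a vulnerability tracker export to answer question 9 with evidence: each finding is held against the SLA figures quoted above, and an exception only counts if it is approved and has not expired. The findings, the exception register and their field names are constructed and hypothetical.

```python
from datetime import date, timedelta

# Remediation SLA in days per severity: the typical mid-market values from question 9.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

def deadline_for(finding):
    """SLA deadline: first detection date plus the SLA for the finding's severity."""
    return finding["detected"] + timedelta(days=SLA_DAYS[finding["severity"]])

def classify(finding, exceptions, today):
    """Compliance status of one finding (open or closed) as of 'today'."""
    deadline = deadline_for(finding)
    if finding.get("remediated") is not None:
        return "remediated_in_sla" if finding["remediated"] <= deadline else "remediated_late"
    if today <= deadline:
        return "within_sla"
    exc = exceptions.get(finding["id"])
    # An exception is only valid if someone approved it and it has not lapsed;
    # an unapproved or expired entry is the "habit, not a programme" case.
    if exc and exc.get("approved_by") and exc["expires"] >= today:
        return "overdue_excepted"
    return "overdue_unexcepted"

def sla_report(findings, exceptions, today):
    """Status per finding id, plus the ids that need a decision in the exception register."""
    statuses = {f["id"]: classify(f, exceptions, today) for f in findings}
    attention = sorted(i for i, s in statuses.items() if s in ("overdue_unexcepted", "remediated_late"))
    return statuses, attention

# Constructed sample data: hypothetical findings and exception register, not real systems.
TODAY = date(2026, 6, 8)
FINDINGS = [
    {"id": "F-1", "severity": "critical", "detected": date(2026, 6, 3)},   # day 5 of 7
    {"id": "F-2", "severity": "critical", "detected": date(2026, 5, 20)},  # overdue, no exception
    {"id": "F-3", "severity": "high", "detected": date(2026, 4, 1)},       # overdue, valid exception
    {"id": "F-4", "severity": "medium", "detected": date(2026, 2, 1), "remediated": date(2026, 5, 30)},
    {"id": "F-5", "severity": "high", "detected": date(2026, 5, 1), "remediated": date(2026, 5, 20)},
    {"id": "F-6", "severity": "high", "detected": date(2026, 4, 15)},      # exception already expired
]
EXCEPTIONS = {
    "F-3": {"approved_by": "CISO", "reason": "vendor fix pending", "expires": date(2026, 7, 31)},
    "F-6": {"approved_by": "CISO", "reason": "legacy application", "expires": date(2026, 5, 31)},
}

if __name__ == "__main__":
    statuses, attention = sla_report(FINDINGS, EXCEPTIONS, TODAY)
    for fid, status in statuses.items():
        print(f"{fid}: {status}")
    print("needs attention:", attention)
```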

10. Are encryption controls (at rest, in transit, for backups) documented per system and validated through periodic technical evidence (configuration snapshots, cipher suite reviews, key rotation logs)?

The most common gap we find here is backup encryption: enabled in the console, never validated by the team that would have to restore from those backups under pressure.

3 · Incident response (questions 11 to 15)

11. Do you have a written incident response plan, dated within the last 12 months, with named roles, contact lists, decision trees, and escalation paths?

Not a one-page diagram. A plan with playbooks for the three or four most likely incident classes (ransomware, business email compromise, third-party breach, data exfiltration) is the realistic floor.

12. Have you run a tabletop exercise or technical drill simulating an incident in the last 9 months, with a written after-action report and assigned remediations?

A drill that does not produce an after-action report is theatre. The remediation list with owners and dates is the artefact NIS2 enforcement will look for.

13. Do you know exactly which national CSIRT or competent authority your company must notify under NIS2, and have you registered the contact path?

In Spain that is INCIBE-CERT for most sectors, with CCN-CERT for public administrations. In Romania that is DNSC. Knowing the URL is not enough; the contact path must be tested at least once.

14. Can you produce the early warning notification within 24 hours of detection of a significant incident, the incident notification within 72 hours, and the final report within one month, as required by article 23?

The 24-hour clock starts at detection, not at confirmation. Most mid-market companies that have not tested the process underestimate how long the internal validation alone takes.

15. Are logs centralised, retained for the period required by your sector and your incident response plan (typical mid-market range: 12 months minimum for security logs), and protected against tampering?

The retention period is not arbitrary. Several supervisory authorities have started asking for 12 to 24 months of authentication, network, and endpoint logs during follow-up requests.

4 · Supply chain and third parties (questions 16 to 20)

16. Do you maintain a list of critical third parties, ranked by criticality, with at least an annual review of their cybersecurity posture (questionnaire, certification reference, or audit report)?

NIS2 article 21 paragraph 2 line d makes supply chain risk an explicit obligation. The "we trust our CRM vendor" answer does not satisfy this.

17. Are cybersecurity clauses included in all contracts with critical suppliers, including notification obligations in case of incident affecting your data or services?

We have seen this clause missing in contracts signed in 2023 and 2024 with major cloud vendors, because the legal team did not see a template update and the procurement team did not ask.

18. Do you have a written process to assess the cybersecurity posture of new suppliers before contract signature, proportionate to the criticality and the data they will handle?

"Proportionate" is the keyword. A monolithic 200-question questionnaire for every supplier kills the process. A tiered questionnaire with a fast-track for low criticality is the realistic answer.

19. Is there a documented exit plan for each critical supplier, including data return, key rotation, and access revocation, that has been reviewed in the last 24 months?

The exit plan is the supply chain control nobody likes to discuss until the day it is needed and it does not exist.

20. Are you informed by your critical suppliers when they suffer a cybersecurity incident that could affect your services or data, within a timeframe that allows you to meet your own NIS2 notification obligations (typically 12 to 24 hours)?

Without this, your 24-hour clock against your own supervisor is going to be very, very tight.

5 · Continuity, backups, and recovery (questions 21 to 25)

21. Do you have an immutable or air-gapped backup of your critical systems, tested through a full restore in the last 6 months?

The most expensive lesson the ransomware wave of 2023-2025 taught mid-market Europe was that "we have backups" is not the same as "we have recoverable backups". A restore test six months old or younger is the realistic floor.

22. Are your recovery time objectives (RTO) and recovery point objectives (RPO) defined per critical service, agreed with the business owner, and measured in the last drill?

If your RTO is a number on a slide that nobody has ever measured under pressure, it is a wish, not an objective.

23. Do you have a business continuity plan that covers the loss of your primary office, the loss of your main cloud region, and the loss of your IT team for 72 hours?

The "loss of IT team" scenario sounds dramatic; it covers a successful targeted spear phishing of three people on the same day.

24. Are cybersecurity controls validated periodically through independent assessment (internal audit, external pentest, or external diagnostic) with a written report and a remediation tracker?

Independence matters. The same team that operates the controls should not be the only team that validates them.

25. Is there a written process to inform recipients of your services about a significant incident that could materially affect their ability to use them, within the timelines NIS2 requires?

This is the obligation many mid-market companies miss because it sits between communications, legal, and security. If no one owns it, the answer is no.

How to read your score

We do not give a score in the strict sense, because NIS2 enforcement does not. What we suggest:

> "A NIS2 self-assessment does not give you compliance. It gives you a list of evidence you can or cannot produce. The difference between the two becomes very visible the first time a supervisor asks." — IBL diagnostic methodology, internal note 2026

What to do next

If you completed the 25 questions and your honest answer count concerns you, the first thing to do is share the result with your management body. NIS2 obligations sit on them, not on the cybersecurity team alone. The second thing to do is decide whether you have the internal capacity to close the gaps or whether you need external support.

If you would like a second opinion on your self-assessment, you can request a 45-minute conversation with us. We will not try to sell you a programme in that call. We will ask you to walk us through three of your no-answers in detail, and we will tell you whether we think they are easy fixes, structural gaps, or something in between.

Write to [email protected]. We answer within one business day.

---

Ibida Black Level S.L. is a boutique cybersecurity advisory firm headquartered in Málaga, Spain, with an operational team in Romania. We focus on mid-market European companies that prefer technical honesty to vendor packaging. We were founded in 2026; we do not invent a longer history.

Tags: nis2, compliance, mid-market, self-assessment, article-21, incident-notification, supply-chain