Free NIS2 Assessment · Compliance self-evaluation in 15 minutes | OCIRIA

Fifteen minutes. Thirty-two questions. You will know whether NIS2 applies to you, what it requires and where to start.

NIS2 Assessment

In fifteen minutes, know how NIS2 affects you and where to start

NIS2 is the European cybersecurity directive in force since October 2024. It changes the rules of the game for thousands of companies that previously had no formal obligations. This free tool positions you at a glance: whether you are in scope, what it specifically requires and which gaps are most urgent.


---

What NIS2 is

The NIS2 Directive (Network and Information Security 2) considerably broadens cybersecurity obligations for European companies. Its predecessor, NIS1, covered operators of essential services (energy, transport, banking, health). NIS2 expands to new sectors (postal services, waste management, food, manufacturing), incorporates important entities in addition to essential ones, raises the technical bar of required controls, and tightens penalties for non-compliance.

National transposition in EU member states is ongoing. Inspections are being prepared. Administrative penalties can reach 10 million euros or 2% of global turnover for essential entities (7 million or 1.4% for important ones), in addition to personal liability of management in case of serious non-compliance.

This tool does not replace a formal compliance analysis, but it gives you the first operational answer: Does it apply to me? What should I look at first? Am I far from or close to compliance?

---

Why it matters

The calendar is tight. The directive is in force. National transposition is ongoing or already done in several member states. Supervisory authorities are operational. The comfortable "I will look at it later" deadline no longer exists.

Penalties are material. Up to 10 million euros or 2% of annual global turnover for essential entities; up to 7 million or 1.4% for important entities. Penalties frequently come with public corrective measures that erode customer trust.

Liability reaches management. NIS2 introduces explicit liability of the management body, which must approve the measures, supervise their implementation and receive training. Cybersecurity is no longer something that can be fully delegated to the technical department.

Your customers will ask. If your customer falls under NIS2 and you provide them a relevant ICT service, they will pass the question on to you. They can demand new contractual clauses, evidence of controls and the capacity to notify incidents within the deadlines. Anticipating this is a competitive advantage.

---

What the assessment evaluates

The questionnaire has thirty-two questions organised in five sections:

Section 1 · Scope and coverage (6 questions). Activity sector, size (employees, turnover), type of service provided, geographical presence. Outcome: confirmation of whether you are an essential entity, an important entity or out of scope under the directive and its national transposition.

Section 2 · Governance and risk management (6 questions). Existence of approved security policy, assignment of responsibilities, training of the management body, documented risk management system, review and continuous improvement processes.

Section 3 · Technical measures (8 questions). Identity and access management, control of privileged accounts, logging and auditing, vulnerability management, network segmentation, data encryption, continuity and recovery, ICT supply chain management.

Section 4 · Incident management (6 questions). Existence of a documented response plan, an identified and trained team, criteria for notification to the national authority within the NIS2 deadlines (early warning 24h, notification 72h, final report 1 month), communication to affected users, periodic plan testing.

Section 5 · Supply chain and suppliers (6 questions). Inventory of critical ICT suppliers, contractual security clauses, periodic supplier risk evaluation, capacity for a coordinated response to a supplier incident.

Each question has guided options with contextual explanation; you do not need to be a specialist to answer.

---

Estimated time

Ten to fifteen minutes for someone with a view of the organisation (manager, CFO, IT or quality lead). You can save progress and continue later if you need to consult with your team.

---

Results you will see

When you close the questionnaire you obtain:

Scope verdict. We tell you explicitly whether NIS2 applies, in which category (essential entity · important entity · out of scope · grey zone with explanation), and why.

Global preparedness score. A 0-100 score estimating how your organisation stands against the directive's requirements. Includes breakdown by section with strong and weak points.

Radar chart by section. Visualisation of your relative position in the five sections of the questionnaire. Useful to show management at a glance where to concentrate effort.

Top three recommendations. The three actions that would have most impact on your compliance level, prioritised by effort-benefit ratio. Not a list of fifty things: the three that really matter now.

90-day action plan. A concrete guide of the suggested next steps in the next three months, with reasonable order and references to specific articles of the directive.

Warnings on critical gaps. If any answer reveals a gap the directive considers mandatory (for example, total absence of incident response plan), we flag it with maximum priority.

---

Downloadable PDF

The full result can be downloaded as a ten- to fifteen-page PDF, with:

The PDF is designed to be presented to the executive committee without further work. It downloads directly without leaving an email address. If you also want to receive it by email, there is an optional field.

---

Who it is for

CISO or security lead who needs a first baseline before a full formal analysis.

CTO or technical director of a mid-sized company without dedicated security function, who wants to understand exposure before budgeting.

DPO or data protection lead who already knows GDPR and needs to position NIS2 relative to what they already manage.

CEO or general manager of SME and mid-market companies who have heard of NIS2 and need to know, in clear language, what it means for their organisation.

Compliance or quality lead who is mapping regulatory obligations and needs to incorporate NIS2 into the panel.

---

Frequently asked questions

Does it replace a formal compliance analysis?

No. It is a first map, not an exhaustive analysis. If after the result you consider you need a deep diagnosis, we can talk. If the result gives you the comfort you need to manage internally, perfect: the tool has saved you money and time.

What do you do with my answers?

If you download the PDF without leaving an email address, we keep nothing except anonymous aggregate statistics (how many companies in your sector answer similarly) to improve the tool. If you leave your email address, we only use it to send the PDF and, if you tick the specific box, to contact you with a proposal. No automatic newsletter, no transfer to third parties.

Is it updated with national transposition?

Yes. We keep the tool up to date with transposition in Spain and monitor transpositions of other relevant member states. If your country's transposition has nuances, we indicate it in the result.

Can I save progress and come back later?

Yes. If you interrupt the questionnaire, you can request an email link to resume where you left off. Answers are stored encrypted for 30 days and then deleted if you have not completed the questionnaire.

Is it really free, with no catch?

Yes. Full result and downloadable PDF for free. The commercial option is voluntary: you tick a box if you want us to contact you. If you do not tick it, we do not contact you.

Can several members of the same company do it and compare answers?

Yes. It is a practice we recommend: have the IT lead and the general manager answer separately and compare. Discrepancies usually reveal perception gaps worth discussing before investing.

---

Want to go further?

If after the assessment you decide you need support to close the gaps, we can talk about a formal diagnosis or a monthly vCISO option to lead the adaptation programme. No pressure: if the tool has been useful as it is, it has saved you money. That is already a gain.

Let us talk · [email protected]
