
NIS2 Checklist for Management and IT: See What Your Company Needs to Do

A NIS2 checklist helps you quickly assess whether your company is ready for the new cybersecurity obligations. In this article, you will check whether your organization is subject to the rules, what management should do, what IT is responsible for, and where to start so the implementation does not turn into costly improvisation.

Who is this checklist for?

This article is for anyone in a manufacturing company who is responsible for security, compliance, IT, or management decisions. This may be the CEO, a board member, operations director, head of IT, maintenance manager, or the person responsible for audits.

In manufacturing, cybersecurity affects not only email and servers, but also ERP systems, MES, machines, suppliers, remote service access, backups, technical documentation, and business continuity across the plant.

The biggest risk appears where everyone knows something needs to be done, but there is no single list of decisions, owners, and deadlines. That is why a NIS2 checklist should start with management and only then move down to IT tools.

The NIS2 Directive: What changes for companies?

The NIS2 Directive is EU legislation on cybersecurity for entities that are important to the economy and public services. In Poland, it was implemented through an amendment to the Act on the National Cybersecurity System.

For a manufacturing company, the four most important areas are:

  1. self-identification, meaning checking whether the company is an essential or important entity,
  2. entry in the National Cybersecurity System register if the company meets the criteria,
  3. implementation of an information security management system, or ISMS,
  4. reporting serious incidents and maintaining readiness to respond.

Not every manufacturing company will be covered by NIS2 in the same way. The sector, scale of operations, role in the supply chain, and criteria specified in the regulations all matter.

NIS2 Directive: When does it apply in Poland?

The amendment to the Act on the National Cybersecurity System of January 23, 2026, entered into force on April 3, 2026.

For companies, three dates are especially important:

| Deadline | What it means for the company |
|---|---|
| April 3, 2026 | the amendment to the National Cybersecurity System Act enters into force |
| October 3, 2026 | deadline to submit an application for entry in the National Cybersecurity System register after self-assessment |
| April 3, 2027 | deadline to implement ISMS obligations for entities that met the criteria on April 3, 2026 |

If you wait until the last quarter to start the analysis, you shorten your implementation window. Entry in the register alone does not solve the issue. The company must also have evidence that it manages risk, trains employees, controls access, responds to incidents, and secures business continuity.

NIS2 obligations for manufacturing companies: Where should you start?

The first step is to check whether the company is subject to the regulations. Do not start by buying tools. Start by answering the questions that determine the company’s status.

Check:

Example: a manufacturing plant may have a well-maintained machine park, but remote service access to a production line may still run through an account used by several people. This kind of detail can undermine expensive security measures because no one knows who actually logged into the system.

NIS2 checklist for management

Management does not need to configure firewalls, but it should ensure that the company has the people, budget, procedures, and oversight in place. NIS2 strongly moves cybersecurity away from being just an IT issue and into the area of organizational responsibility.

Management should know whether:

Most often, it is not technology that fails, but the lack of decisions. IT sees the risks, production wants to operate without interruptions, finance controls costs, and management receives the topic only when a budget needs to be approved. A NIS2 checklist organizes responsibility before an incident happens.

NIS2 checklist for the IT department

The IT department needs a clear map of systems, access rights, and security measures. In a manufacturing company, this also needs to include OT environments, automation, computers located near machines, and service accounts.

IT should know whether:

Manufacturing example: if the ERP stores orders, the MES stores process data, and spreadsheets are used as a manual workaround for system gaps, the recovery plan must account for the order in which these elements come back online. A server backup alone is not enough when no one knows which process the company should restore first.


What needs to be documented?

NIS2 does not require paperwork for the sake of paperwork. Documents should prove that the company understands its risks and can act according to agreed rules.

Minimum items to check:

| Area | Document or evidence |
|---|---|
| company status | result of NIS2 self-identification |
| responsibility | management decision, program owner, roles |
| risk | risk register for systems and processes |
| assets | inventory of systems, devices, accounts, and suppliers |
| incidents | incident reporting and response procedure |
| business continuity | recovery plan, backup tests |
| suppliers | security requirements in contracts |
| training | training list and attendance confirmations |

You will see the greatest risk in places that are not on anyone’s list: old accounts, access left behind after a former employee, a machine-side computer with no updates, or an external service technician with permanent access.

NIS2 implementation in Poland: A 30-day plan

Start with a short review that shows where the company stands.

First 30 days:

  1. Complete NIS2 self-identification.
  2. Appoint an owner for the topic on the management side.
  3. Collect a list of systems important to production and administration.
  4. Check remote access, administrator accounts, and MFA.
  5. Verify backups through a restore test.
  6. Describe the incident reporting path.
  7. Review contracts with IT, OT, cloud, and service providers.
  8. Identify which gaps require a budget decision.

This type of review gives management a real picture of the company: what is compliant, what needs work, and what could stop production during the first major incident.


Where can the right tool help?

A tool makes sense only when the company knows what it wants to control. If data on risks, suppliers, assets, incidents, and corrective actions is scattered across spreadsheets, emails, and folders, management does not have a simple view of progress.

It is worth considering a solution that can help organize the register of actions, risks, suppliers, and compliance evidence in one place. The biggest benefit is not simply having a system, but giving the topic owner visibility into what has been done, what is waiting for a decision, and where evidence is missing.

NIS2 checklist: The shortest version for decision-makers

If you can only run one review right now, check these points:

This NIS2 checklist provides a quick maturity test. If the answer to several points is “I don’t know,” you need a short initial audit and a decision on who will lead the topic.

Key takeaway for management and IT

NIS2 does not reward companies for declarations. It rewards decisions, responsibility, and evidence of action. In manufacturing, the most expensive gaps are often small: permanent service access, untested backups, no incident owner, or an outdated system inventory.

A good NIS2 checklist shortens the conversation because it shows what has been done, what is missing, and who needs to make a decision. It is the best first step before the regulations are tested by an auditor, a customer, or an incident.


FAQ

Does every manufacturing company fall under NIS2?

No. The sector, scale of operations, and criteria specified in the law need to be checked. That is why the first step is self-identification.

When does the NIS2 Directive start applying to companies in Poland?

The Polish amendment to the National Cybersecurity System Act entered into force on April 3, 2026. For many companies, the important deadline is October 3, 2026, for entry in the National Cybersecurity System register, and April 3, 2027, for implementing ISMS obligations if they met the criteria on April 3, 2026.

Is NIS2 only an IT department issue?

No. IT is responsible for many safeguards, but management is responsible for decisions, budget, oversight, roles, and risk management.

What should you do first?

First, complete self-identification. Then check systems, access rights, backups, suppliers, and the incident response procedure. Only then should you define the implementation plan.

Does NIS2 require buying a new system?

Not always. First, the company needs to identify the gaps. A tool can help when the organization wants to manage actions, risks, suppliers, and compliance evidence in one place.
