NIS2 checklist for SMEs: get the basics right in 10 steps
NIS2 sounds like a lot of work, but the basics are very manageable. This checklist of 10 concrete steps helps your SME get the most important measures in place: mapping risks, MFA and access management, backup and recovery, endpoint security, patch management, an incident reporting process, your supply chain, awareness, monitoring and management accountability. And you don't have to do it alone.
By Max HoltropThe NIS2 directive raises a lot of questions among SMEs. Does it apply to me? What does it mean in practice? And where do I start? Good news: you don't have to be a security expert to get the basics right. Most measures are simply good IT hygiene, written down in clear steps.
In this article we walk through a practical NIS2 checklist for SMEs in 10 concrete steps. For each step we briefly explain what it is and why it matters. Think of it as a roadmap: you don't have to get everything perfect in one go, but you'll know where you stand and what the next step is.
First, a quick recap: what is NIS2?
NIS2 is a European directive designed to strengthen the digital resilience of organisations. It applies to far more organisations than its predecessor, including medium-sized businesses in sectors such as manufacturing, transport, waste management, food and digital services. Whether you fall under NIS2 directly or indirectly (via your customers or suppliers), the measures are sensible for every organisation.
Would you like a gentle introduction first? Then read our article NIS2: how to prepare. After that, grab this checklist.
The NIS2 checklist in 10 steps
Step 1: Map your risks
Start with a risk assessment. Which systems, data and processes are critical to your business? What happens if they go down or fall into the wrong hands? By getting this clear first, you'll know where to focus your attention and budget.
Why this matters: without insight into your risks, you take measures based on gut feeling. With an assessment, you tackle your biggest vulnerabilities in a targeted way.
Step 2: Set up MFA and access management
Make sure everyone logs in using multi-factor authentication (MFA). A password alone is no longer enough. On top of that, give employees access only to what they really need and clean up old accounts.
Why this matters: most breaches start with a stolen password. MFA blocks the vast majority of those attacks, and tight access management limits the damage if something does go wrong.
Step 3: Get backup and recovery right
Back up your important data and systems regularly, keep at least one copy separate from your network, and test that you can actually restore. A backup you've never restored is a gamble.
Why this matters: in the event of ransomware or an outage, your backup determines whether you're up and running again within an hour or only after weeks. Testing recovery is just as important as the backup itself.
Step 4: Secure your endpoints
Laptops, PCs and phones are where things often go wrong. Make sure you have modern endpoint security that recognises suspicious behaviour and intervenes automatically, not just an old-fashioned virus scanner.
Why this matters: one infected laptop can hit your entire network. Good endpoint security stops attacks early, before they spread.
Step 5: Keep everything up to date with patch management
Install updates for operating systems, software and devices quickly and in a structured way. Many attacks exploit known vulnerabilities for which an update has long been available.
Why this matters: a missing update is an open door. With proper patch management, you can be sure nothing slips through the cracks.
Step 6: Set up an incident and reporting process
NIS2 expects you to recognise incidents, respond to them and report serious incidents on time. Agree in advance who does what during an incident, who you call and how you communicate. Capture this in a simple playbook.
Why this matters: during an incident there's no time to figure out who's responsible. A plan thought out in advance saves panic, damage and costly hours.
Step 7: Look at your supply chain
Your security is only as strong as the weakest link. Map out which suppliers and partners have access to your systems or data and make agreements about their security. NIS2 explicitly places responsibility for the supply chain on you.
Why this matters: a breach at a software vendor or service provider can find its way straight to you. Clear agreements prevent surprises.
Step 8: Invest in awareness and training
Your employees are your most important line of defence. Train them to recognise phishing emails, handle passwords securely and report anything suspicious. Short, repeated training sessions work better than one long session per year.
Why this matters: technology catches a lot, but people still click. Aware colleagues prevent incidents that no tool can stop.
Step 9: Turn on logging and monitoring
Make sure important systems record what happens and that someone keeps an eye on them. With good monitoring you spot suspicious activity in time, instead of only when something has already gone wrong.
Why this matters: attackers often move around a network unnoticed for weeks. Monitoring is your smoke detector: the sooner you spot it, the smaller the damage.
Step 10: Document policy and management accountability
NIS2 makes management explicitly responsible for cybersecurity. Document your policy, agreements and measures in clear documents and make sure management is and stays involved. Schedule a regular moment to review and adjust everything.
Why this matters: security is not a one-off project but an ongoing process. Management involvement keeps it on the agenda so it doesn't grind to a halt.
Where do you stand now?
Go through the ten steps and give yourself an honest score for each one: sorted, partly arranged or nothing yet. Chances are you already have a few steps in good shape, such as backup or MFA. That way you'll immediately know where work still needs to be done.
Would you prefer an objective picture? With our security check we map out where your organisation stands and which measures should take priority. That brings peace of mind and a concrete plan.
You don't have to do it alone
NIS2 may look like a mountain, but in practice it's a matter of strengthening the basics step by step. And luckily you don't have to figure it all out yourself.
IT-gemak helps SMEs in the Utrecht and Breukelen region with this every day. Whether you want help with your entire NIS2 preparation, want to tighten up your IT security or want to fully outsource your IT with our all-in IT management: we take care of it with one fixed team and one fixed rate, no surprises.
Schedule a no-obligation consultation and find out in half an hour where you stand and what the smartest next step is for your organisation.
Related services
ICT Security & NIS2
Control over your business information and demonstrable compliance, for the law and for your clients.
Read more →Keeper Password Security
Secure password management for your entire organisation: strong passwords, shared and under control.
Read more →Microsoft 365 security licenses
The right Microsoft security licenses for your organization: advice, setup and management.
Read more →Related articles
NIS2 for SMEs: do you have to comply?
NIS2 affects far more SMEs than you might think, often indirectly through customers and suppliers. We explain clearly who the law applies to and how to get the basics in order.
Read more →NIS2 is coming: how to start preparing now
The Dutch implementation of NIS2 is expected in 2026. Does it apply to you, and what can you already do today? A practical overview.
Read more →Business WiFi that works everywhere: what to look out for
Office WiFi often falters due to too few access points, consumer-grade equipment and channel interference. In this article you'll learn what defines good business WiFi, why a single cohesive platform like Ubiquiti UniFi makes all the difference, and how IT-gemak designs, sets up and manages your network.
Read more →Want to spar with a specialist?
Curious what this means for your organisation? Book a no-obligation consult — we’re happy to think along.
