01Home02Services03About us04Pricing05Vacancies06Contact
Security & NIS2

NIS2 checklist for SMEs: get the basics right in 10 steps

16 June 2026 · 5 min read

NIS2 sounds like a lot of work, but the basics are very manageable. This checklist of 10 concrete steps helps your SME get the most important measures in place: mapping risks, MFA and access management, backup and recovery, endpoint security, patch management, an incident reporting process, your supply chain, awareness, monitoring and management accountability. And you don't have to do it alone.

Max HoltropBy Max Holtrop

The NIS2 directive raises a lot of questions among SMEs. Does it apply to me? What does it mean in practice? And where do I start? Good news: you don't have to be a security expert to get the basics right. Most measures are simply good IT hygiene, written down in clear steps.

In this article we walk through a practical NIS2 checklist for SMEs in 10 concrete steps. For each step we briefly explain what it is and why it matters. Think of it as a roadmap: you don't have to get everything perfect in one go, but you'll know where you stand and what the next step is.

First, a quick recap: what is NIS2?

NIS2 is a European directive designed to strengthen the digital resilience of organisations. It applies to far more organisations than its predecessor, including medium-sized businesses in sectors such as manufacturing, transport, waste management, food and digital services. Whether you fall under NIS2 directly or indirectly (via your customers or suppliers), the measures are sensible for every organisation.

Would you like a gentle introduction first? Then read our article NIS2: how to prepare. After that, grab this checklist.

The NIS2 checklist in 10 steps

Step 1: Map your risks

Start with a risk assessment. Which systems, data and processes are critical to your business? What happens if they go down or fall into the wrong hands? By getting this clear first, you'll know where to focus your attention and budget.

Why this matters: without insight into your risks, you take measures based on gut feeling. With an assessment, you tackle your biggest vulnerabilities in a targeted way.

Step 2: Set up MFA and access management

Make sure everyone logs in using multi-factor authentication (MFA). A password alone is no longer enough. On top of that, give employees access only to what they really need and clean up old accounts.

Why this matters: most breaches start with a stolen password. MFA blocks the vast majority of those attacks, and tight access management limits the damage if something does go wrong.

Step 3: Get backup and recovery right

Back up your important data and systems regularly, keep at least one copy separate from your network, and test that you can actually restore. A backup you've never restored is a gamble.

Why this matters: in the event of ransomware or an outage, your backup determines whether you're up and running again within an hour or only after weeks. Testing recovery is just as important as the backup itself.

Step 4: Secure your endpoints

Laptops, PCs and phones are where things often go wrong. Make sure you have modern endpoint security that recognises suspicious behaviour and intervenes automatically, not just an old-fashioned virus scanner.

Why this matters: one infected laptop can hit your entire network. Good endpoint security stops attacks early, before they spread.

Step 5: Keep everything up to date with patch management

Install updates for operating systems, software and devices quickly and in a structured way. Many attacks exploit known vulnerabilities for which an update has long been available.

Why this matters: a missing update is an open door. With proper patch management, you can be sure nothing slips through the cracks.

Step 6: Set up an incident and reporting process

NIS2 expects you to recognise incidents, respond to them and report serious incidents on time. Agree in advance who does what during an incident, who you call and how you communicate. Capture this in a simple playbook.

Why this matters: during an incident there's no time to figure out who's responsible. A plan thought out in advance saves panic, damage and costly hours.

Step 7: Look at your supply chain

Your security is only as strong as the weakest link. Map out which suppliers and partners have access to your systems or data and make agreements about their security. NIS2 explicitly places responsibility for the supply chain on you.

Why this matters: a breach at a software vendor or service provider can find its way straight to you. Clear agreements prevent surprises.

Step 8: Invest in awareness and training

Your employees are your most important line of defence. Train them to recognise phishing emails, handle passwords securely and report anything suspicious. Short, repeated training sessions work better than one long session per year.

Why this matters: technology catches a lot, but people still click. Aware colleagues prevent incidents that no tool can stop.

Step 9: Turn on logging and monitoring

Make sure important systems record what happens and that someone keeps an eye on them. With good monitoring you spot suspicious activity in time, instead of only when something has already gone wrong.

Why this matters: attackers often move around a network unnoticed for weeks. Monitoring is your smoke detector: the sooner you spot it, the smaller the damage.

Step 10: Document policy and management accountability

NIS2 makes management explicitly responsible for cybersecurity. Document your policy, agreements and measures in clear documents and make sure management is and stays involved. Schedule a regular moment to review and adjust everything.

Why this matters: security is not a one-off project but an ongoing process. Management involvement keeps it on the agenda so it doesn't grind to a halt.

Where do you stand now?

Go through the ten steps and give yourself an honest score for each one: sorted, partly arranged or nothing yet. Chances are you already have a few steps in good shape, such as backup or MFA. That way you'll immediately know where work still needs to be done.

Would you prefer an objective picture? With our security check we map out where your organisation stands and which measures should take priority. That brings peace of mind and a concrete plan.

You don't have to do it alone

NIS2 may look like a mountain, but in practice it's a matter of strengthening the basics step by step. And luckily you don't have to figure it all out yourself.

IT-gemak helps SMEs in the Utrecht and Breukelen region with this every day. Whether you want help with your entire NIS2 preparation, want to tighten up your IT security or want to fully outsource your IT with our all-in IT management: we take care of it with one fixed team and one fixed rate, no surprises.

Schedule a no-obligation consultation and find out in half an hour where you stand and what the smartest next step is for your organisation.

← Back to news

Questions about this?

Want to spar with a specialist?

Curious what this means for your organisation? Book a no-obligation consult — we’re happy to think along.

Book a consultation →