If you only need to access the whistleblower channel, you can access here

Contact sales

About ithikios

Request Demo
Request Demo
Start for Free
Contact us

Contact us

nis2

The 10 minimum NIS2 controls (and how to implement them without dying trying)

The definitive practical guide to NIS2 compliance

The NIS2 Directive introduces the most demanding digital resilience framework in Europe. Unlike other standards, the Directive does not propose long lists of controls: it establishes 10 mandatory minimum measures that all critical and important entities must implement.

The key is to understand what each one means, how to apply them in the actual business and how to document them correctly to avoid penalties or non-compliance.

Here is the official breakdown (art. 21) explained in a simple, actionable and results-oriented manner

Risk analysis and security policies for information systems.

This control requires the creation of a formal digital risk management framework.

How to implement it without suffering:

  • Identifies critical assets (data, systems, people, suppliers).
  • Evaluates impact × probability.
  • Documents risks and their mitigation measures.
  • Check at least once a year.

In the Trust Center:
✓ Preconfigured risks
✓ Centralized evidence
✓ NIS2 compliance dashboard.

2. Cybersecurity Incident Management

Includes detection, registration, response and official notification.

Practical keys:

  • Defines response procedure.
  • Determine roles: who investigates, who communicates, who notifies.
  • Keep records of all incidents.
  • Mandatory notification within 24 hours (early warning).

In the Trust Center:
Breach Manager for recording, managing and documenting incidents
✓ Guided notification flow.

3. Business Continuity and Recovery (backups, DR, crisis management)

NIS2 requires ensuring that the company can continue to operate during a major incident.

Minimum steps:

  • Identifies essential processes.
  • Define RTO/RPO.
  • Establish regularly tested backups.
  • Create a contingency plan and test it.

In the Trust Center:
✓ Continuity plan templates
✓ Test and evidence log.

4. Security in the supply chain and relations with third parties.

One of the most critical points. You must ensure that your suppliers are not your weak point.

How to comply:

  • Classifies critical suppliers.
  • Request policies, certifications or evidence.
  • Evaluates risks associated with the service.
  • Defines contractual security clauses.

In the Trust Center:
Third Party Manager
✓ Automatic Evaluations
✓ Saved Evidence and Contracts.

5. Security in acquisition, development and maintenance (including vulnerability management/disclosure).

Any software, tool or system must be incorporated with security controls.

Practical checklist:

  • Code reviews or automatic scans.
  • Software life cycle management.
  • Updated security patches.
  • Clear vulnerability disclosure policy.

In the Trust Center:
✓ Patch log
✓ Version control
✓ Secure development policy templates.

6. Continuous evaluation of the effectiveness of the measures

It is not enough to have policies: they must be shown to work.

How to comply:

  • Annual internal audit.
  • Quarterly review of controls.
  • Centralized evidence.
  • Automatic reports to management.

In the Trust Center:
✓ Dashboard
✓ Guided internal audits
✓ Evidence with traceability.

7. Cyber hygiene practices and cybersecurity training.

NIS2 is clear: training is mandatory.

Simple implementation:

  • Annual training for the entire workforce.
  • Phishing simulations.
  • Acceptable use policies.
  • Registration of participation.

In the Trust Center:
Trust Center posting
✓ Acceptance log
✓ Evidence of training.

8. Cryptography and encryption

Protection of data in transit and at rest.

How to apply it:

  • HTTPS on all services.
  • AES-256 encryption at rest.
  • Secure key management.
  • Prohibit obsolete protocols.

In the Trust Center:
✓ Evidence + checklist
✓ Periodic verification.

9. Human resources security, access control and asset management.

Includes IAM, discharges/discharges, privileges, roles and protection during the work cycle.

How to comply:

  • MFA mandatory.
  • Quarterly review of accesses.
  • Formal onboarding and offboarding process.
  • Live inventory of assets.

In the Trust Center:
✓ Asset control
✓ Logging of access and responsible parties
✓ Evidence of IAM.

10. Use of multifactor authentication, secure communications and emergency channels.

It is an explicit and very concrete control.

Practical checklist:

  • MFA enabled in all critical applications.
  • Secure VPN.
  • Alternative emergency channels (telephone, SMS…).
  • End-to-end encrypted communications.

In the Trust Center:
✓ Validation of MFA
✓ Registration of technical measures
✓ Checklist of compliance.

How to implement the 10 controls without dying in the attempt

NIS2 is not just a directive: it is a cultural change. But it doesn’t have to be complex if you have a tool that centralizes everything:

Why the Trust Center simplifies NIS2 for you:

  • Controls already mapped according to Art. 21
  • NIS2 Readiness” panel
  • Evidence, policies, acceptances, audits and suppliers in one place
  • Plug-and-play modules: Breach Manager, Policy Manager, Third Party Manager, Risk Manager

Less dispersion. More control. Real compliance. ithikiosTrust Center

Related articles

Compliance Forms: Much More Than Just an Online Form

In compliance, information is everything. But simply having it isn’t enough: what matters is how it is requested, how it is stored, how it is evaluated, and how it is...

Leer más

ithikios adds Google authentication and expands its integration capabilities

We continue to develop the platform to facilitate secure access to and connection with our customers’ systems. Starting now, ithikios users can sign in with their Google account—a new option...

Leer más

Do you want to try our whistleblower channel?

Do it from here for 15 days, without commitment, without cards,…

Request demo

Want to see how ithikios can help you?

Get started today. Be compliant within hours. And when you grow up, ithikiosis with you.

Shall we talk?