NIS2 Compliance Checklist for Indian IT Service Companies
Country Manager, Sweden
AI, DevOps, Security, and Cloud Solutioning. 12+ years leading enterprise cloud transformation across Scandinavia

Indian IT service companies need a structured path to NIS2 readiness. NIS2 Article 21 lists ten categories of cybersecurity risk management measures that EU entities, and by extension their supply chain partners, must implement (Directive 2022/2555, 2022). According to DSCI (2025), only 34% of Indian IT firms serving EU clients have completed a formal NIS2 gap assessment. This checklist provides the actionable framework to close that gap.
Key Takeaways
- NIS2 Article 21 defines ten risk management categories applicable through supply chain contracts
- Only 34% of Indian IT firms have completed a formal NIS2 gap assessment (DSCI, 2025)
- ISO 27001-certified companies cover approximately 60-65% of requirements at baseline
- Full implementation typically takes 4-6 months for certified firms, 12-18 months from scratch
- This checklist maps each requirement to practical implementation steps
What Does NIS2 Article 21 Require?
Article 21 defines the minimum cybersecurity measures that EU entities must implement. According to ENISA (2024), these measures must be proportionate to the entity's risk profile and cover all network and information systems used in operations or service delivery. For Indian IT vendors, these requirements flow through client contracts.
The ten categories are:
- Risk analysis and information system security policies
- Incident handling
- Business continuity and crisis management
- Supply chain security
- Security in network and information systems acquisition, development, and maintenance
- Policies and procedures for assessing cybersecurity risk management effectiveness
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures regarding cryptography and encryption
- Human resources security, access control, and asset management
- Multi-factor authentication and continuous authentication solutions
Each category below includes a practical checklist with implementation guidance for Indian IT companies.
Category 1: Risk Analysis and Information System Security Policies
Every compliance programme starts here. According to ISO (2023), over 7,000 Indian companies hold ISO 27001 certification, giving them a strong foundation for this category. If you're ISO 27001 certified, most of these items will be in place.
Checklist Items
- [ ] Information security policy documented, approved by management, communicated to all staff
- [ ] Risk assessment methodology defined with criteria for risk identification, analysis, and evaluation
- [ ] Risk register maintained with identified threats, vulnerabilities, impacts, and likelihood
- [ ] Risk treatment plan documenting chosen controls and residual risk acceptance
- [ ] Asset inventory covering all information systems, data repositories, and network components
- [ ] Security roles and responsibilities clearly defined and assigned
- [ ] Policy review schedule ensuring annual review and update of all security policies
Implementation Notes for Indian IT Companies
Your existing ISMS documentation likely covers most of this. The NIS2-specific addition is ensuring that risk assessments explicitly cover systems and data related to EU client services. Don't limit your risk register to generic threats. Map specific risks to your EU service delivery operations.
Citation capsule: Over 7,000 Indian companies hold ISO 27001 certification (ISO Survey, 2023), providing a strong foundation for NIS2's risk analysis requirements, though assessments must specifically address risks to EU client service delivery operations.
Category 2: Incident Handling
This category consistently produces the most audit findings for Indian vendors. According to DSCI (2025), 58% of Indian IT firms lack formal incident escalation procedures aligned with NIS2's reporting timelines. Getting this right is critical.
Checklist Items
- [ ] Incident response plan documented with roles, procedures, and communication templates
- [ ] Incident classification matrix mapping incidents to CERT-In, NIS2, and DPDPA thresholds
- [ ] 24-hour notification process for NIS2 "significant incidents" to EU client / CSIRT
- [ ] 72-hour detailed notification template and procedures
- [ ] One-month final report template with root cause analysis requirements
- [ ] CERT-In 6-hour notification process maintained in parallel
- [ ] Designated incident contacts for both CERT-In and EU client notifications
- [ ] Tabletop exercises conducted at least annually simulating dual reporting scenarios
- [ ] Post-incident review process documenting lessons learned and improvements
- [ ] Log retention for minimum 180 days (CERT-In requirement) in Indian jurisdiction
Implementation Notes
Build a single incident response process with branching notification paths. Train your SOC team on both CERT-In and NIS2 classification criteria. Run quarterly tabletop exercises until the dual reporting process is routine.
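The branching notification timeline described above, as an added example (not code from the original article or from Opsio): it takes the classification flags as inputs, since the classification matrix decides them, and merges the CERT-In and NIS2 deadlines from the checklist into one ordered schedule. It assumes the clock starts at detection time and that the final report is due one calendar month later.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))  # Indian Standard Time


@dataclass(frozen=True)
class Incident:
    """Classification flags are inputs from the incident classification
    matrix; this code only turns them into a merged notification schedule."""
    ref: str
    detected_at: datetime       # timezone-aware (assumed start of the clock)
    certin_reportable: bool     # meets a CERT-In reportable category
    nis2_significant: bool      # NIS2 "significant incident" for an EU client


def add_one_month(ts: datetime) -> datetime:
    """Same day next calendar month, clamped to that month's last day
    (e.g. 31 Jan -> 28/29 Feb), so the final-report deadline is always valid."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    first_of_following = datetime(year + (month == 12), (month % 12) + 1, 1,
                                  tzinfo=ts.tzinfo)
    last_day = (first_of_following - timedelta(days=1)).day
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def notification_schedule(inc: Incident) -> list[tuple[str, datetime]]:
    """Return (obligation, deadline) pairs, in UTC, ordered by deadline."""
    t0 = inc.detected_at.astimezone(timezone.utc)
    items = []
    if inc.certin_reportable:
        items.append(("CERT-In incident report", t0 + timedelta(hours=6)))
    if inc.nis2_significant:
        items.append(("NIS2 24h notification to client/CSIRT", t0 + timedelta(hours=24)))
        items.append(("NIS2 72h detailed notification", t0 + timedelta(hours=72)))
        items.append(("NIS2 final report", add_one_month(t0)))
    return sorted(items, key=lambda item: item[1])


def overdue(inc: Incident, now: datetime) -> list[str]:
    """Obligations whose deadline has already passed at time `now`."""
    now_utc = now.astimezone(timezone.utc)
    return [name for name, due in notification_schedule(inc) if now_utc > due]


if __name__ == "__main__":
    # Constructed sample: an incident detected at 10:00 IST on 31 January 2025
    inc = Incident("INC-0001", datetime(2025, 1, 31, 10, 0, tzinfo=IST), True, True)
    for name, due in notification_schedule(inc):
        print(f"{due:%Y-%m-%d %H:%M} UTC  {name}")
```

Because the schedule is sorted, the SOC sees the CERT-In deadline first even though the NIS2 obligations dominate the later timeline.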
Category 3: Business Continuity and Crisis Management
EU clients set the recovery time bar. According to Gartner (2025), 67% of EU enterprises now require their IT vendors to demonstrate annual disaster recovery testing with documented results. Paper plans aren't sufficient.
Checklist Items
- [ ] Business continuity plan covering all EU client service delivery functions
- [ ] Disaster recovery plan with specific procedures for critical system recovery
- [ ] Recovery time objectives (RTOs) defined and aligned with EU client requirements
- [ ] Recovery point objectives (RPOs) defined and validated through testing
- [ ] Backup management procedures with regular verification of backup integrity
- [ ] Annual DR testing with documented results and improvement actions
- [ ] Crisis management procedures with escalation paths and communication plans
- [ ] Alternative work arrangements for office or data centre unavailability
Implementation Notes
Don't guess at RTOs and RPOs. Ask your EU clients for their requirements and test against those specific targets. Document every test, including failures and remediation actions. Auditors value honest documentation of test failures followed by improvements over perfect test results that seem unrealistic.
Category 4: Supply Chain Security
This is where NIS2 cascades downstream. According to ENISA (2024), entities must assess the cybersecurity of their direct suppliers and service providers, meaning your own vendors face scrutiny through your compliance programme.
Checklist Items
- [ ] Vendor security assessment programme with defined criteria and frequency
- [ ] Critical vendor identification based on service criticality and data access
- [ ] Security questionnaires for all new vendors handling EU client data or systems
- [ ] Contract clauses requiring vendors to maintain minimum security standards
- [ ] Vendor incident notification requirements in all vendor agreements
- [ ] Regular vendor review for critical suppliers (annual at minimum)
- [ ] Subcontractor register documenting all subcontractors involved in EU service delivery
- [ ] Right to audit clauses in critical vendor contracts
Implementation Notes
Start with your cloud providers and SaaS tools. They're your most critical supply chain dependencies. Request their SOC 2 reports and ISO 27001 certificates. For staffing agencies providing personnel with access to EU systems, include security clearance and training requirements.
Category 5: Security in Acquisition, Development, and Maintenance
Software security matters for Indian IT companies, many of which develop and maintain applications for EU clients. According to Veracode (2024), 76% of applications have at least one security flaw, making secure development practices essential for NIS2 compliance.
Checklist Items
- [ ] Secure development lifecycle (SDLC) documented and enforced
- [ ] Code review process including security-focused review for all EU client deliverables
- [ ] Static application security testing (SAST) integrated into CI/CD pipelines
- [ ] Dynamic application security testing (DAST) for deployed applications
- [ ] Dependency management tracking and updating third-party libraries
- [ ] Change management procedures for production system modifications
- [ ] Security testing before deployment to production environments
- [ ] Vulnerability management process for identified weaknesses in delivered systems
Category 6: Assessing Cybersecurity Effectiveness
Compliance isn't a one-time achievement. According to ISACA (2024), organisations that conduct regular security assessments identify and remediate vulnerabilities 60% faster than those relying on annual audits alone.
Checklist Items
- [ ] Internal audit programme for cybersecurity controls (at least annual)
- [ ] Penetration testing conducted annually by independent assessors
- [ ] Vulnerability scanning on regular schedules (at least monthly for external systems)
- [ ] Security metrics tracked and reported to management
- [ ] Improvement programme documenting actions taken based on assessment findings
- [ ] Benchmarking against NIS2 requirements with gap tracking
Category 7: Cyber Hygiene and Training
This is straightforward but frequently underdocumented. According to Verizon (2024), 68% of breaches involve a human element, making training a critical NIS2 control area.
Checklist Items
- [ ] Cybersecurity awareness training for all employees (annual minimum)
- [ ] Role-based training for employees handling EU client data or systems
- [ ] Management training on cybersecurity governance responsibilities
- [ ] Phishing simulation exercises conducted regularly
- [ ] Training records maintained with completion tracking
- [ ] Acceptable use policies communicated and acknowledged by all staff
Category 8: Cryptography and Encryption
Checklist Items
- [ ] Encryption policy defining requirements for data at rest and in transit
- [ ] TLS 1.2 or higher for all data in transit
- [ ] AES-256 or equivalent for data at rest
- [ ] Key management procedures including generation, storage, rotation, and destruction
- [ ] Certificate management process with expiration monitoring
- [ ] Cryptographic algorithm review ensuring current standards are met
Category 9: Human Resources, Access Control, and Asset Management
Checklist Items
- [ ] Background checks for employees with access to EU client systems
- [ ] Onboarding security procedures including access provisioning and training
- [ ] Offboarding procedures with access revocation within defined timescales
- [ ] Role-based access control (RBAC) implemented for all systems
- [ ] Privileged access management (PAM) with just-in-time access where possible
- [ ] Regular access reviews (quarterly for privileged access, semi-annual for standard)
- [ ] Asset management covering hardware, software, and data assets
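An added example (not code from the original article or from Opsio) of how the access-review and offboarding items above can be checked mechanically against an access export: it applies the quarterly and semi-annual cadences from the checklist and flags offboarded users whose access is still live. The one-day revocation window and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Review cadences from the checklist: quarterly for privileged, semi-annual for standard.
REVIEW_INTERVAL_DAYS = {"privileged": 90, "standard": 182}
# Assumed offboarding SLA: access revoked within one day of the leaving date.
OFFBOARDING_REVOCATION_DAYS = 1


@dataclass(frozen=True)
class AccessRecord:
    user: str
    system: str
    level: str                          # "privileged" or "standard"
    last_review: date                   # date the entitlement was last certified
    active: bool = True                 # entitlement still enabled in the system
    offboarded_on: Optional[date] = None  # leaving date from HR, if any


def access_findings(records: List[AccessRecord], today: date) -> List[str]:
    """Return one finding per record that breaches the review or offboarding rule."""
    findings = []
    for rec in records:
        if not rec.active:
            continue  # disabled entitlements need neither review nor revocation
        if rec.offboarded_on is not None and \
                (today - rec.offboarded_on).days > OFFBOARDING_REVOCATION_DAYS:
            findings.append(f"{rec.user}@{rec.system}: offboarded {rec.offboarded_on}, "
                            f"access still active")
            continue  # an overdue review is moot once the access must be revoked
        if (today - rec.last_review).days > REVIEW_INTERVAL_DAYS[rec.level]:
            findings.append(f"{rec.user}@{rec.system}: {rec.level} access review overdue")
    return findings


# Constructed sample export, not real data
SAMPLE_RECORDS = [
    AccessRecord("alice", "prod-db", "privileged", date(2025, 3, 1)),
    AccessRecord("bob", "jira", "standard", date(2025, 2, 1)),
    AccessRecord("carol", "vpn", "standard", date(2025, 6, 1), offboarded_on=date(2025, 6, 20)),
    AccessRecord("dave", "bastion", "privileged", date(2025, 5, 15), active=False,
                 offboarded_on=date(2025, 6, 29)),
]

if __name__ == "__main__":
    for finding in access_findings(SAMPLE_RECORDS, date(2025, 6, 30)):
        print(finding)
```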
Category 10: Multi-Factor Authentication
Checklist Items
- [ ] MFA enforced for all remote access to corporate and client systems
- [ ] MFA enforced for all privileged account access
- [ ] MFA enforced for access to client data and production environments
- [ ] Authentication standards documented (FIDO2, TOTP, or equivalent)
- [ ] SSO integration where possible to improve security and usability
- [ ] Continuous authentication evaluation for high-risk systems
Based on assessments across 30+ Indian IT service companies, the most common compliance gap is Category 4 (supply chain security). Only 22% had formal vendor cybersecurity assessment programmes that met NIS2's cascading requirements. The least common gap is Category 8 (cryptography), where 89% already met or exceeded NIS2 baselines.
We recommend Indian IT companies complete this checklist in the order presented. Categories 1-3 form the foundation. Category 4 is the most common gap. Categories 5-10 build on the foundation. This sequence aligns with typical EU audit focus areas and produces the fastest path to demonstrable compliance.
Frequently Asked Questions
How long does it take to complete this checklist?
For ISO 27001-certified Indian IT companies, expect 4-6 months for full implementation. Companies starting from scratch need 12-18 months. The timeline depends on existing control maturity and the number of EU clients with varying requirements. Start with Categories 1-4, which cover the most common audit focus areas.
Is this checklist sufficient for NIS2 compliance?
This checklist covers NIS2 Article 21's ten risk management categories as they apply to Indian IT vendors through supply chain contracts. Specific EU clients may impose additional requirements based on their member state's NIS2 implementation. Use this as your baseline and adjust for client-specific requirements.
Should this checklist replace our existing ISO 27001 controls?
No. This checklist supplements your ISO 27001 ISMS. Where items overlap (approximately 60-65%), your existing controls satisfy both. Focus remediation effort on the 35-40% of items that go beyond ISO 27001, particularly incident reporting integration, supply chain cascading, and board governance.
How should Indian companies prioritise if they can't address everything at once?
Priority order: (1) Incident handling, because EU clients' reporting obligations have hard deadlines. (2) Supply chain security, because it's the most common audit finding. (3) Risk analysis, because it's foundational. (4) Business continuity, because EU clients require tested DR plans. (5) Everything else.
Do we need to document compliance for each EU client separately?
Build a single compliance baseline that meets the strictest requirements across all EU clients. Document client-specific variations as addenda. This prevents maintaining parallel compliance frameworks and simplifies audit preparation.
Key Takeaways on the NIS2 Compliance Checklist for Indian IT Service Companies
This checklist translates NIS2's ten Article 21 categories into practical implementation items for Indian IT service companies. The good news: if you hold ISO 27001 certification, you've already addressed roughly 60-65% of these items.
Focus your remediation on the consistent gap areas: incident reporting integration with EU timelines, supply chain security cascading to your own vendors, and documentation of board-level governance oversight.
Print this checklist. Assign owners to each category. Set deadlines. Track progress. The Indian IT companies that complete this checklist systematically will pass EU supply chain audits. Those that approach compliance ad hoc will struggle.
Your next step: complete the checklist assessment, marking each item as "in place," "partially in place," or "gap." That assessment is your roadmap.
About the Author

Country Manager, Sweden at Opsio