What each document is
NIS2 Risk Register
A risk register is a structured record of identified cybersecurity risks. Each entry describes a specific threat (who or what could cause harm), the event that could occur, the likelihood given existing controls, the potential impact on your operations, and the decision on how to treat the risk.
The risk register is the output of a risk assessment process — such as NIST SP 800-30 — and is a living document that must be maintained and reviewed regularly.
NIS2 Compliance Checklist
A NIS2 checklist lists the 10 mandatory security measures from Article 21(2) and records whether each is implemented. It answers one simple question per measure: is this control in place (yes, partially, or no)?
A checklist gives a snapshot of your compliance status at a point in time. It is useful for management reporting and board oversight, but it does not tell you which risks are most severe or where to invest first.
How they relate
The risk register drives the checklist: your risk assessment identifies which threats matter most in your specific environment, and that in turn shows which Article 21 measures are most critical to implement first.
The checklist then tracks whether those measures are in place. Together they demonstrate both that you have thought about your risks and that you have done something about them.
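As an added example (not code from Open Risk Register or from this page), the relationship above in Python: register entries with the fields this page lists, scored likelihood times impact on NIST SP 800-30-style qualitative scales, and the Article 21(2) measures (letters (a) to (j)) that are not yet fully implemented ranked by the highest-risk register entry that depends on each. The numeric scale values, the band thresholds, the sample risks and the sample implementation status are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
# The ten measures are referred to by their Article 21(2) letters (a)-(j).
MEASURES = "abcdefghij"

# Five-step qualitative scales in the style of NIST SP 800-30. The numeric
# values and the banding thresholds are assumptions made for this example.
SCALE = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
BANDS = [(16, "very high"), (10, "high"), (5, "moderate"), (2, "low")]

def risk_level(likelihood: str, impact: str) -> tuple:
    """Likelihood x impact on 1-5 scales, banded into a qualitative level."""
    score = SCALE[likelihood] * SCALE[impact]
    return score, next((lvl for floor, lvl in BANDS if score >= floor), "very low")

@dataclass
class Risk:                 # one register entry, fields as listed on this page
    rid: str
    threat_source: str
    threat_event: str
    likelihood: str
    impact: str
    treatment: str          # mitigate / accept / transfer / avoid
    measures: list          # Article 21(2) letters the treatment relies on

def register(risks: list) -> list:
    """Register view: entries ordered highest risk first."""
    return sorted(risks, key=lambda r: risk_level(r.likelihood, r.impact)[0], reverse=True)

def prioritised_gaps(risks: list, status: dict) -> list:
    """Checklist view driven by the register: every measure not marked 'yes',
    ranked by the highest register score that depends on it. Returns
    (score, letter, status) tuples; a measure no risk depends on scores 0."""
    worst = {m: 0 for m in MEASURES}
    for r in risks:
        score = risk_level(r.likelihood, r.impact)[0]
        for m in r.measures:
            worst[m] = max(worst[m], score)
    gaps = [(worst[m], m, status.get(m, "no")) for m in MEASURES if status.get(m, "no") != "yes"]
    return sorted(gaps, key=lambda g: (-g[0], g[1]))

# Constructed sample entries for illustration, not real findings.
SAMPLE_RISKS = [
    Risk("R1", "external attacker", "ransomware after credential phishing",
         "high", "very high", "mitigate", ["b", "c", "g", "j"]),
    Risk("R2", "supplier", "compromised software update from a vendor",
         "moderate", "high", "mitigate", ["d", "e"]),
    Risk("R3", "former employee", "leaver account left active", "low", "moderate",
         "mitigate", ["i"]),
]
SAMPLE_STATUS = {"a": "yes", "b": "yes", "c": "partial", "d": "no", "e": "yes",
                 "f": "partial", "g": "yes", "h": "yes", "i": "no", "j": "partial"}
```

Running `prioritised_gaps(SAMPLE_RISKS, SAMPLE_STATUS)` puts the partially implemented measures (c) and (j) first because the highest-scored register entry depends on them, while (f), which no register entry depends on, falls to the bottom of the remediation list.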
Risk register vs checklist — side by side
| Dimension | NIS2 Risk Register | NIS2 Compliance Checklist |
|---|---|---|
| Primary question | What could go wrong, and how bad? | Do we have the required controls in place? |
| Output format | Table of risks with scores and treatment | List of measures with yes / partial / no status |
| Depth | Detailed — specific threats, assets, and scenarios | High-level — control categories only |
| Tailored to your organisation | Yes — specific to your assets and environment | No — same 10 measures for all entities |
| Quantifies severity | Yes — likelihood × impact scoring | No — binary or three-state only |
| Supports prioritisation | Yes — highest-risk items first | No |
| Required by NIS2 | Yes — Article 21(2)(a) | Yes — Article 21(1) and (2) |
| Audience | Security team, IT, operations | Management, board, auditors, regulators |
| Update frequency | Continuously or annually at minimum | Annually or after significant change |
Frequently asked questions
A NIS2 risk register is a structured document that records identified cybersecurity risks for a specific network or information system. Each entry includes a threat source, threat event, likelihood score, impact score, risk level, and treatment decision. It is a living document that should be reviewed and updated at least annually.
A NIS2 compliance checklist lists all 10 mandatory security measures from NIS2 Article 21(2) and tracks whether each is implemented, partially implemented, or missing. It gives a binary or three-state view of compliance status, without quantifying risk.
Yes. NIS2 Article 21 requires both a risk assessment (which produces a risk register) and implementation of the 10 specific security measures (which a checklist tracks). The risk register tells you what to prioritise; the checklist confirms what you have implemented.
Open Risk Register generates a full risk register through its NIST SP 800-30 workflow. The Article 21 security measures are mapped throughout the assessment, so your risk register inherently covers the checklist categories. For a standalone checklist view, see the NIS2 Article 21 Checklist page.
Start with a basic gap analysis (checklist) to understand your current state quickly. Then do a full risk assessment to quantify and prioritise the gaps. Use the risk register to drive your remediation plan, and revisit the checklist periodically to track progress.
Build your NIS2 risk register today
Free, browser-based, open source. No account. Your data never leaves your device.