# NIS2 Evidence Checklist for SMEs

Use this checklist to see the evidence categories your SME may need before you face customer questions, insurer requests, procurement checks, tenders, or NIS2-related supply-chain pressure.

This checklist is not a legal scope assessment, audit, or certification tool. It is a practical starting point for finding evidence, identifying gaps, and deciding what to do next.

## 1. Ownership and governance

- Named person or group responsible for cyber decisions
- Management awareness of key cyber risks
- Record of major decisions or actions
- Owner for customer security responses

## 2. Risk and policy

- Cyber or information security policy
- Risk register or risk notes
- Acceptable use or staff security expectations
- Policy review date and owner

## 3. Assets and suppliers

- List of key systems and services
- List of important suppliers and providers
- MSP or IT provider contract/service summary
- Supplier security evidence where available

## 4. Access and identity

- MFA status for key systems
- User access review evidence
- Joiner/mover/leaver process
- Privileged access notes

## 5. Backup and continuity

- Backup approach and owner
- Backup success evidence or reports
- Restore test evidence if available
- Continuity or recovery plan notes

## 6. Incident handling

- Incident contact list
- Escalation process
- Record of previous incidents or tests if relevant
- MSP or provider incident support details

## 7. Security checks

- Patch or update routine evidence
- Security tool summary if available
- Vulnerability scan or review evidence if available
- Action tracking for known issues

## 8. Customer-safe evidence

- Approved wording for common cyber questions
- Evidence that can be shared externally
- Evidence that should stay internal
- Questions requiring legal, audit, MSP, or management review

## Next step

Checklist complete but evidence still scattered?

The NIS2 Evidence Pack turns checklist items into an organised evidence register, gap map, owner list, and readiness plan.
