RegulationsOffice starter checklist

NIS2 scope reads should split direct entity status from supplier evidence pressure

Boundary: Does not decide applicability without country/entity analysis.

First safe question:
Are we a relevant entity, supplier to one, or monitoring customer evidence pressure?

Checklist prompts:
- Identify direct entity, supplier, or monitoring-only role
- List countries, sectors, and digital-service classes touched
- Collect existing cyber-risk, incident, continuity, and supplier evidence
- Separate direct-scope questions from customer evidence pressure
- Prepare country/entity questions for qualified review before any applicability claim

Source:
European Commission NIS2 implementing-regulation material: https://digital-strategy.ec.europa.eu/en/library/nis2-commission-implementing-regulation-critical-entities-and-networks

Use: collect non-sensitive first-review context only. Do not send credentials, regulated internal documents, raw supplier exports, or confidential client evidence through a public form.