# NIS 2 Directive Readiness Pack

> Working readiness template for the EU Network and Information Security Directive 2 (NIS 2), Directive (EU) 2022/2555. Scoping questionnaire, the 10 cybersecurity risk-management measures in Article 21, incident reporting timelines in Article 23, and the 72-hour crisis playbook. MIT licensed. Adapt to your national transposition.

**Status:** NIS 2 repealed NIS 1 on **2024-10-18**. Member States were required to transpose by **2024-10-17**. National laws differ in detail; this pack uses the Directive text as the canonical source. If a national transposition (BSIG in Germany, the amended UK NIS Regulations, etc.) conflicts with it, national law wins.

---

## 0. Pack contents

| Section | Purpose |
|---|---|
| 1. Am I in scope? | Entity classification |
| 2. Essential vs important | Regulatory posture |
| 3. Register with competent authority | Practical step |
| 4. Article 21 — 10 measures | Core controls |
| 5. Management accountability | Article 20 |
| 6. Article 23 incident reporting | 24 / 72h / 1-month clocks |
| 7. 72-hour crisis playbook | Live-incident use |
| 8. Supply chain | Article 21(2)(d) |
| 9. Evidence pack | What the regulator will ask for |
| 10. Gap assessment quick-check | 15-question readiness |

---

## 1. Am I in scope?

NIS 2 uses **size + sector**. You are in scope if you operate in a listed sector and are at least medium-sized, with some sectors catching all sizes.

**Essential-entity sectors (Annex I):**
- Energy (electricity, district heating, oil, gas, hydrogen)
- Transport (air, rail, water, road)
- Banking
- Financial market infrastructures
- Health
- Drinking water
- Waste water
- Digital infrastructure (DNS, TLD registries, cloud, data centres, CDNs, trust services, public electronic communications)
- ICT service management (B2B; MSPs, MSSPs)
- Public administration (central + regional; local optional per Member State)
- Space

**Important-entity sectors (Annex II):**
- Postal + courier
- Waste management
- Chemicals
- Food
- Manufacturing (medical devices, electronics, motor vehicles, etc.)
- Digital providers (online marketplaces, search engines, social networks)
- Research

**Size thresholds (default):**
- Medium = ≥ 50 staff, **or** both (≥ €10M turnover **and** ≥ €10M balance sheet). Note the grouping: meeting only one of the two financial thresholds does not make you medium-sized.
- Essential if large (≥ 250 staff, OR both (≥ €50M turnover AND ≥ €43M balance sheet)) in an Annex I sector.
- Some entities in scope **regardless of size** — e.g. DNS registrars, TLDs, cloud & data centres, CDN, public admin bodies designated as critical.

If in scope, you have ~90 days from designation to register with your national CSIRT / competent authority (varies by Member State).
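As an added example (not part of the pack itself), the scoping rule above written as a small Python decision function. The sector keys and activity labels are this example's own shorthand, and the thresholds are the defaults stated above, which a national transposition may adjust.

```python
from dataclasses import dataclass, field

# Short keys for the Annex I / Annex II sector lists in Section 1 (the keys are this example's own).
ANNEX_I = frozenset({"energy", "transport", "banking", "financial_market_infrastructure",
                     "health", "drinking_water", "waste_water", "digital_infrastructure",
                     "ict_service_management", "public_administration", "space"})
ANNEX_II = frozenset({"postal_courier", "waste_management", "chemicals", "food",
                      "manufacturing", "digital_providers", "research"})
# Activities Section 1 lists as in scope regardless of size (again, example keys).
SIZE_INDEPENDENT = frozenset({"dns", "tld_registry", "cloud", "data_centre", "cdn",
                              "designated_critical_public_admin"})


@dataclass
class Entity:
    sector: str
    staff: int
    turnover_eur_m: float       # annual turnover, EUR millions
    balance_sheet_eur_m: float  # balance-sheet total, EUR millions
    activities: frozenset = field(default_factory=frozenset)


def at_least_medium(e: Entity) -> bool:
    # Section 1 default: >= 50 staff, or BOTH >= EUR 10M turnover AND >= EUR 10M balance sheet.
    return e.staff >= 50 or (e.turnover_eur_m >= 10 and e.balance_sheet_eur_m >= 10)


def large(e: Entity) -> bool:
    # Section 1: >= 250 staff, or BOTH >= EUR 50M turnover AND >= EUR 43M balance sheet.
    return e.staff >= 250 or (e.turnover_eur_m >= 50 and e.balance_sheet_eur_m >= 43)


def classify(e: Entity) -> str:
    """Apply the Section 1 size + sector rule.

    Returns 'essential', 'important', 'in_scope_regardless_of_size' or 'out_of_scope'.
    The third value flags an entity caught whatever its size; whether it is then
    essential or important follows Article 3 and the national designation, not this rule.
    """
    if e.sector not in ANNEX_I and e.sector not in ANNEX_II:
        return "out_of_scope"           # a listed sector is a precondition for any size test
    if e.sector in ANNEX_I and large(e):
        return "essential"
    if e.activities & SIZE_INDEPENDENT:
        return "in_scope_regardless_of_size"
    if not at_least_medium(e):
        return "out_of_scope"           # below the medium threshold, no size-independent activity
    return "important"                  # medium Annex I, or any in-scope Annex II entity
```

Run `classify(Entity("energy", 40, 60, 5))` to see the grouping point in practice: one financial threshold alone leaves the entity out of scope.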

---

## 2. Essential vs Important

The controls in Article 21 are the **same** for both. The supervision regime differs:

| Aspect | Essential | Important |
|---|---|---|
| Supervision | *Ex-ante* (audits, on-site inspections, ad-hoc reviews before incidents) | *Ex-post* (when something has happened or evidence suggests non-compliance) |
| Administrative fines | Up to **€10M or 2% global turnover**, whichever is higher | Up to **€7M or 1.4%** |
| Management sanctions | Possible suspension of management duties | No |
| Binding instructions | Yes | Yes |

---

## 3. Registration

Each Member State designates a competent authority and a single point of contact. Most require:
- Entity name, legal form, registered address
- Contact details for a responsible person (24/7 reachable)
- IP ranges + domain inventory (for digital infrastructure)
- Sector, subsector, activities
- Services provided + countries served

Get this registration in before the first incident. Re-registering during a crisis is not a good look.

---

## 4. Article 21 — Ten cybersecurity risk-management measures

These are the **minimum** controls every in-scope entity must have. Document each with a policy + technical evidence.

### 4.1 Policies on risk analysis and information system security

- [ ] ISMS policy approved at management level, with version and review cycle
- [ ] Risk management methodology (ISO 31000 / NIST RMF / national equivalent)
- [ ] Risk register with owner, treatment, review date
- [ ] Annual risk assessment with dated evidence + change-triggered reassessments

### 4.2 Incident handling

- [ ] Incident response policy + playbook set
- [ ] 24/7 incident contact mechanism (not just business hours)
- [ ] Severity model that links to Article 23 reporting thresholds (Section 6 below)
- [ ] Tabletop exercise at least annually
- [ ] Post-incident review process with action items tracked

### 4.3 Business continuity

- [ ] Business continuity plan with RTO / RPO declared per critical service
- [ ] Backup strategy including offline / air-gapped component
- [ ] Disaster recovery plan tested at least annually
- [ ] Crisis management team with named roles + deputies

### 4.4 Supply-chain security

- [ ] Supplier inventory with risk tiering
- [ ] Supplier assessment before onboarding
- [ ] Contractual clauses: security requirements, incident notification, right to audit
- [ ] Periodic reassessment (annual for critical suppliers)
- [ ] Exit / termination procedure with data return / destruction

### 4.5 Security in acquisition, development and maintenance

- [ ] Secure SDLC
- [ ] Vulnerability handling policy with public disclosure route
- [ ] Patch management with SLAs (critical within days, not months)
- [ ] Change management with security review gate

### 4.6 Effectiveness of cybersecurity risk-management measures

- [ ] Internal audit / control testing programme
- [ ] External assessment (pen test, audit) at least annually
- [ ] Metrics reported to management: phishing click-through, patch SLA, incident MTTR

### 4.7 Basic cyber hygiene + training

- [ ] Awareness training on hire + annual refresh
- [ ] Role-specific training for privileged / developer staff
- [ ] Phishing simulations
- [ ] Attestation records for training completion

### 4.8 Cryptography policy + use

- [ ] Crypto policy defining approved algorithms, key lengths, lifecycles
- [ ] TLS 1.2+ enforced, weak ciphers disabled
- [ ] Key management: creation, storage, rotation, revocation
- [ ] Cryptographic inventory (systems, algorithms, keys, certs)

### 4.9 Human resources security, access control, asset management

- [ ] Background checks proportionate to role
- [ ] Joiner / mover / leaver procedure with SLA
- [ ] Access provisioning with approval + periodic review
- [ ] Asset inventory including software, hardware, data, cloud accounts

### 4.10 Multi-factor authentication + secured communications

- [ ] MFA on all administrative access
- [ ] MFA on remote access
- [ ] MFA on critical business applications
- [ ] Secure voice / video / text channels for crisis comms (not just email)
- [ ] Emergency-communication system tested periodically

---

## 5. Article 20 — Management accountability

This is the culture-shift bit. Management bodies:

- **Must approve** the cybersecurity risk-management measures.
- **Must oversee** their implementation.
- **Can be held liable** for violations.
- **Must follow training** — sufficient to identify risks and to assess cybersecurity risk-management practices and their impact on the services provided.

Practical artefacts:
- [ ] Board / management approval of the ISMS (dated minute / resolution)
- [ ] Standing cybersecurity agenda item at board / exec meetings (at least quarterly)
- [ ] Training log for management body members
- [ ] Assignment of accountable role (CISO or equivalent) with direct line to board

---

## 6. Article 23 — Incident reporting

A **significant incident** triggers three reporting stages. An incident is "significant" if it has caused or is capable of causing severe operational disruption of services or financial loss for the entity, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

### The three-stage clock

| Clock | Deadline | Required content |
|---|---|---|
| **Early warning** | Within **24 hours** of becoming aware | Whether the incident is *suspected* to be caused by unlawful or malicious acts, and whether it could have cross-border impact |
| **Incident notification** | Within **72 hours** of becoming aware | Updated assessment, severity, impact, indicators of compromise |
| **Final report** | Within **1 month** | Detailed description, cause, mitigation, cross-border impact |

Plus **intermediate reports** on request by the CSIRT or competent authority.
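As an added example (not part of the pack itself), a small Python helper that turns the three clocks in the table above into concrete deadlines for a given awareness time and tells the Incident Commander how many hours remain on each. Stage names are this example's own; it follows Article 23(4)(d) in counting the final report from submission of the incident notification, projecting from the 72-hour deadline until that is filed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional
import calendar

# Clock lengths from the Section 6 table, counted from becoming aware of the incident.
EARLY_WARNING_H = 24
INCIDENT_NOTIFICATION_H = 72


def add_one_month(t: datetime) -> datetime:
    """Same day of month, one month later, clamped to that month's last day
    (31 Jan -> 28/29 Feb) so the deadline never rolls into the following month."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def article23_deadlines(aware_at: datetime, notification_submitted_at: Optional[datetime] = None) -> dict:
    """Return the three Article 23 deadlines for an incident first noticed at aware_at.

    The 24h and 72h clocks run from awareness. Article 23(4)(d) counts the one-month
    final report from submission of the incident notification; until that is filed,
    project it from the 72h deadline (the latest compliant filing time).
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; the templates record UTC")
    notification_due = aware_at + timedelta(hours=INCIDENT_NOTIFICATION_H)
    return {
        "early_warning": aware_at + timedelta(hours=EARLY_WARNING_H),
        "incident_notification": notification_due,
        "final_report": add_one_month(notification_submitted_at or notification_due),
    }


def hours_remaining(aware_at: datetime, now: datetime, submitted: frozenset = frozenset(),
                    notification_submitted_at: Optional[datetime] = None) -> dict:
    """Hours left on each clock not yet satisfied; a negative value means already overdue."""
    deadlines = article23_deadlines(aware_at, notification_submitted_at)
    return {stage: (due - now).total_seconds() / 3600
            for stage, due in deadlines.items() if stage not in submitted}


if __name__ == "__main__":
    # Constructed example: awareness on 31 January, which exercises the month-end clamp.
    aware = datetime(2026, 1, 31, 10, 0, tzinfo=timezone.utc)
    for stage, due in article23_deadlines(aware).items():
        print(f"{stage:22s} due {due.isoformat()}")
    now = datetime(2026, 2, 1, 12, 0, tzinfo=timezone.utc)
    for stage, hours in hours_remaining(aware, now).items():
        print(f"{stage:22s} {'OVERDUE by' if hours < 0 else 'due in'} {abs(hours):.1f} h")
```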

### Recipient

- The **CSIRT** or the **competent authority** of your Member State.
- In some Member States, both (split responsibilities).

### Customer notification

Where an incident is likely to adversely affect service provision to customers, you **must** notify them without undue delay, especially where there are measures the customer can take to mitigate the impact. Put this into your incident comms template.

---

## 7. 72-hour crisis playbook

When the clock starts, you have minutes, not hours, to act. Pre-load the ready-made templates below.

### Hour 0 — detection + early warning draft

- Named Incident Commander on the call within 15 min
- SEV assigned (use your own severity model; map to Article 23 "significant" threshold)
- Legal + Comms looped in immediately if SEV1 / significant
- Early-warning notification template filled (Section 7.1) and sent within 24h

### Hour 0 — 24 — containment + early warning submitted

Parallel workstreams:
- **Technical:** contain, preserve evidence, engage IR retainer if needed
- **Legal:** check parallel regimes (GDPR Art 33/34, sector-specific, cyber insurance policy notification)
- **Comms:** holding statements for customers, regulators, press
- **Exec:** status cadence (hourly for SEV1)

### Hour 24 — 72 — incident notification

Update includes:
- Severity + cross-border impact
- Impact on users / services quantified
- Initial root cause hypothesis
- Containment status
- IoCs + adversary TTPs if known

### Day 3 — Day 30 — final report

Final report structure (see `/post-mortem-facilitator` + `/incident-responder` skills in this library):
- Timeline
- Root cause (technical + contributing organisational factors)
- Impact assessment
- Remediation + hardening steps with dates
- Lessons learned

### 7.1 Early warning template (fill on detection)

```
To: [national CSIRT / competent authority]
From: [entity name], sector: [essential / important], service: [name]
Reference: [internal ticket ID]
Detected: [UTC time]
Reported at: [UTC time, must be within 24h of awareness]

1. Is the incident suspected to be caused by unlawful or malicious act?
   [ ] Yes [ ] No [ ] Unknown

2. Cross-border impact?
   [ ] Yes: [Member States affected]  [ ] No  [ ] Unknown

3. Current impact (1-liner):
   [Service X degraded / unavailable for Y users from Z time]

4. Entity contact (24/7):
   [Name, role, phone, email, PGP key fingerprint]
```

### 7.2 Incident notification template (at 72h)

```
[All fields from 7.1 plus:]

5. Incident severity: [critical / high / medium]
6. Affected services: [list]
7. Affected users / volume: [count]
8. Suspected root cause: [brief]
9. Indicators of compromise: [file hashes, IPs, domains]
10. Containment status: [contained / contained with residual risk / active]
11. Mitigation actions: [list]
12. Cross-border impact updated: [details]
```

---

## 8. Supply chain (Article 21(2)(d))

NIS 2 explicitly covers supply chain security — this is new pressure compared to NIS 1.

- [ ] Supplier inventory with tier (critical / significant / standard)
- [ ] Contractual cybersecurity clauses
- [ ] Incident notification clauses (your supplier's incidents that affect you)
- [ ] Audit rights + attestation evidence
- [ ] Exit plan in case of supplier compromise

Regulators can issue **guidance** on specific supplier types and on coordinated risk assessments. Follow ENISA publications.

---

## 9. Evidence pack for the competent authority

Build a folder that maps to Article 21 item numbers:

```
/NIS2/
  01-risk-policies/
    ISMS-policy-v4.2.pdf
    risk-management-methodology.pdf
    risk-register-export-2026-Q1.xlsx
  02-incident-handling/
    IR-policy.pdf
    playbooks/
    tabletop-2026-03.pdf
  03-bcp-dr/
    BCP-v3.1.pdf
    DR-test-2026-02-evidence.pdf
  04-supply-chain/
    supplier-inventory.xlsx
    template-clauses.md
  05-sdlc/
  06-effectiveness/
    audit-plan.pdf
    pen-test-2026.pdf
  07-training/
    awareness-attestations-2026.csv
  08-crypto/
    crypto-policy.pdf
    cert-inventory.xlsx
  09-hr-access-assets/
    JML-procedure.pdf
    asset-inventory.xlsx
  10-mfa-comms/
    MFA-enforcement-evidence.pdf
    crisis-comms-setup.pdf
  20-management/
    board-approval-2026-01.pdf
    training-log.csv
  23-reporting/
    templates/
    past-incidents/
```

If the competent authority requests evidence, you can hand over the relevant sub-folder in minutes.

---

## 10. Fast-track gap assessment

Fifteen yes/no questions. Each "no" is a gap.

1. Have we confirmed our NIS 2 classification (essential / important)?
2. Are we registered with the national competent authority?
3. Do we have a documented ISMS with management sign-off?
4. Is there a named accountable person with 24/7 reachability?
5. Is MFA enforced on all admin + remote + critical-app access?
6. Has our incident response plan been tested in the last 12 months?
7. Can we issue an Article 23 early warning within 24 hours?
8. Can we produce a 72-hour incident notification template within 1 hour?
9. Do we have a 1-month final report process?
10. Is our supplier inventory tiered, and have supplier contracts been updated?
11. Is there an annual pen test or equivalent external assessment?
12. Has our board approved the cybersecurity measures in the last 12 months?
13. Have board members completed cybersecurity training?
14. Do we have offline backups and a tested restore for critical data?
15. Can we prove MFA, logging coverage, and access review evidence in one folder today?

15/15 = you are in good shape. 10–14 = you have a known remediation roadmap. Below 10 = start now.

---

## Attribution

Built by **Hak** at **VantagePoint Networks**. Based on Directive (EU) 2022/2555 normative text + ENISA guidance + cross-referenced national transpositions. MIT licensed — fork, customise, ship.
