NIS 2 Documents: The Required List under the Directive + CIR 2024/2690
The documents and records NIS 2 and Implementing Regulation 2024/2690 actually require — one to one with the regulation, no consultancy bloat.
This page lists the documents and records NIS 2 (Directive (EU) 2022/2555) and Implementing Regulation (EU) 2024/2690 actually require. The names and references come from the regulation texts, not a consultancy toolkit.
Intentionally compact: toolkit vendors split each requirement into a procedure + form + appendix and end up with 60+ documents. The regulation does not require that. One requirement = one document or record. The five-stage Article 23 reporting cascade is one incident progressing through five status phases, not five separate documents.
Last column: the exact nisd2.eu module where the document or evidence lives as data — version-controlled, audit-trailed, exportable at any time. Each module entry links straight to the live view. The point is continuous posture, not a frozen Word template.
42 documents across 14 topic areas — 40 covered natively by the platform.
- Directive (EU) 2022/2555 (NIS 2) — Articles 20, 21(2)(a-j), 23, 27
- Implementing Regulation (EU) 2024/2690 — Annex sections 1-13
- BSIG (German transposition) — §§ 30, 32, 33, 38
- BSI TR-02102 (cryptography), TR-03107 (authentication) — where applicable
| Document | Reference | Description | nisd2.eu |
|---|---|---|---|
| Entity Registration with Competent Authority | Art. 27, §33 BSIG | Registration data submitted to the national competent authority: legal entity details, sector, contact points, services, EU presence. | REG/organization Organization module — registration data with versioned snapshots for audit. |
| Document | Reference | Description | nisd2.eu |
|---|---|---|---|
| Information System Security Policy | Art. 21(2)(a) CIR Annex 1 | Top-level policy approved by management that sets the cybersecurity direction, scope, roles and responsibilities, and is reviewed at planned intervals. | GOV/policies Policy editor (GOV 1.2) with management sign-off and version history. |
| Management Approval Record | Art. 20(1) CIR Annex 1.1 | Evidence that the management body has approved the cybersecurity risk-management measures and is overseeing their implementation. | GOV/policies Sign-off history (GOV 1.3, 1.4) — eIDAS-AES signature with checksummed snapshot. |
| Document | Reference | Description | nisd2.eu |
|---|---|---|---|
| Risk Management Framework | Art. 21(2)(a) CIR 2.1 | Defines how risks are identified, analysed, evaluated, treated, accepted and reviewed — including the criteria for risk acceptance. | RSK/compliance/risk-management Methodology editor (RSK 2.1) — likelihood/impact scales and acceptance thresholds. |
| Risk Register & Treatment Plan | Art. 21(1) CIR 2.1.1, 2.1.2 | List of identified risks with likelihood, impact, owner, treatment option (mitigate / accept / transfer / avoid), planned controls and deadlines. | RSK/risks Risk module (RSK 2.3) — register joined to assets, treatment status, residual-risk acceptance. |
| Residual Risk Acceptance | Art. 20(1) CIR 2.1.1 | Formal sign-off by management of risks that are accepted rather than mitigated, with rationale. | RSK/risks Per-risk acceptedBy / acceptedAt fields with management sign-off. |
| Document | Reference | Description | nisd2.eu |
|---|---|---|---|
| Asset Register | Art. 21(2)(i) CIR 12 | Authoritative inventory of ICT assets — owner, classification, criticality, location, operational state. Foundation for risk analysis and BCP. | RSK/assets Asset table with 30+ fields — referenced by 7+ requirements across 5 categories. |
| Asset Classification & Handling Procedure | Art. 21(2)(i) CIR 12 | How assets are classified by sensitivity and criticality, and the handling rules per classification level. | RSK/assets asset.isCritical + classification fields + RSK 2.2 classification methodology. |
| Secure Disposal & Destruction Policy | Art. 21(2)(i) CIR 12 | How media and devices are wiped or destroyed at end-of-life so that data cannot be recovered. | Not native Policy upload via the asset module — no dedicated decommissioning workflow yet. |
| Document | Reference | Description | nisd2.eu |
|---|---|---|---|
| Incident Response Policy | Art. 21(2)(b) CIR 3.1 | Defines how incidents are detected, classified by severity, contained, eradicated, recovered from and reviewed. | INC/incidents Policy editor (INC 3.1) plus incident lifecycle module. |
| Incident Register | Art. 21(2)(b) CIR 3.4 | Chronological record of all incidents and near-misses, with timeline, classification, response actions and lessons learned. | INC/incidents Incident table is the register — root cause, countermeasures and preventive measures captured per record. |
| Post-Incident Review | Art. 21(2)(b) CIR 3.5 | Lessons-learned analysis after a significant incident: what failed, what worked, which controls or processes need adjustment. | INC/incidents rootCause + preventiveMeasures fields per incident, surfaced in management review inputs. |
| Document | Reference | Description | nisd2.eu |
|---|---|---|---|
| Early Warning to CSIRT (within 24h) | Art. 23(4)(a) CIR 3.5 | Initial flag to the CSIRT or competent authority indicating whether the incident is suspected to be malicious or has cross-border impact. | INC/incidents Single incident record progresses through reporting phases — 24h field with deadline tracker. |
| Incident Notification (within 72h) | Art. 23(4)(b) CIR 3.5 | Initial assessment of severity, impact and indicators of compromise, submitted to the CSIRT within 72 hours. | INC/incidents Same record, 72h status — escalation engine reminds and escalates if missed. |
| Intermediate Report | Art. 23(4)(c) CIR 3.5 | Status update on request of the CSIRT or competent authority during the response phase. | INC/incidents Same record, intermediate status — fillable any time before final report. |
| Final Report (within 1 month) | Art. 23(4)(d) CIR 3.5 | Detailed description of the incident: severity and impact, threat type, root cause, mitigations applied and any cross-border impact. | INC/incidents Same record, final-report status — pulls in resolvedAt + root-cause fields automatically. |
| Notification to Recipients of Services | Art. 23(1), Art. 23(2) CIR 3.6 | Communication to customers/users likely affected by a significant incident or cyber threat, including any mitigations they can apply. | INC/incidents Customer-relationship broadcast (broadcastStatus / broadcastSentAt) per incident. |
| Document | Reference | Description | nisd2.eu |
|---|---|---|---|
| Business Impact Analysis | Art. 21(2)(c) CIR 4.1 | Identifies critical activities, their dependencies, recovery objectives (RTO/RPO) and the impact of disruption over time. | BCP/assets Per-asset RTO/RPO with criticality classification — feeds the BCP plan. |
| Business Continuity Plan | Art. 21(2)(c) CIR 4.1 | How essential operations are maintained during a disruption — alternative sites, fallback procedures, communication, decision authority. | BCP/policies Policy editor (BCP 4.1) plus exercise/test schedule with after-action reports. |
| Disaster Recovery Plan | Art. 21(2)(c) CIR 4.1 | Technical procedures for restoring IT systems and services after a disruptive event, with RTO/RPO targets per critical asset. | BCP/policies Policy editor (BCP 4.3) — per-system recovery procedures linked to asset register. |
| Backup Policy | Art. 21(2)(c) CIR 4.2 | What is backed up, how often, where backups are stored, retention periods, encryption, and how restores are tested. | BCP/policies Per-asset backup fields (frequency, location, last test) plus BCP 4.4 policy. |
| Crisis Management Plan | Art. 21(2)(c) CIR 4.3 | Decision-making process and communication structure during a crisis affecting the entity — escalation, command, internal/external communication. | BCP/policies BCP policy editor (crisis section) + key-contacts module + escalation chain. |
| Document | Reference | Description | nisd2.eu |
|---|---|---|---|
| Supplier Security Policy | Art. 21(2)(d) CIR 5.1-5.2 | Security requirements for direct suppliers and service providers, due-diligence process, ongoing monitoring obligations. | SUP/suppliers Policy editor (SUP 5.1) plus supplier register with security-clause flags. |
| Supplier Register | Art. 21(2)(d) CIR 5.3 | Authoritative list of suppliers and service providers with criticality, services received, security clauses in place and risk status. | SUP/suppliers Supplier table — criticality, hasSecurityClauses, hasIncidentNotificationClause, hasAuditRights flags per supplier. |
| Supplier Risk Assessment | Art. 21(3) CIR 5.4 | Per-supplier risk evaluation considering supplier-specific vulnerabilities and the security practices of their development processes. | SUP/suppliers Per-supplier risk score linked to risk register; supplier-portal questionnaire collects evidence. |
| Document | Reference | Description | nisd2.eu |
|---|---|---|---|
| Acquisition, Development & Maintenance Policy | Art. 21(2)(e) CIR 6.1-6.3 | Security requirements throughout the ICT lifecycle — acquisition criteria, secure development practices, vulnerability disclosure, decommissioning. | PRO/policies Policy editor (PRO 6.1) — covers procurement, dev and maintenance in a single artefact. |
| Change Management Procedure | Art. 21(2)(e) CIR 6.4 | How changes to ICT systems are requested, risk-assessed, approved, tested, deployed and rolled back if necessary. | PRO/changes Change-request module with approval workflow and rollback notes. |
| Vulnerability & Patch Management Procedure | Art. 21(2)(e) CIR 6.5, 6.10 | How vulnerabilities are discovered, classified by severity, prioritised, remediated and tracked, with SLAs by severity tier. | PRO/vulnerabilities Vulnerability + patch-record tables with severity, owner and deadline. |
| Configuration & Hardening Standards | Art. 21(2)(e) CIR 6.6 | Baseline secure configuration for ICT systems — what is enabled, what is disabled, default credentials handling, logging baselines. | PRO/policies Hardening reference fields per asset class plus PRO 6.4 policy. |
| Document | Reference | Description | nisd2.eu |
|---|---|---|---|
| Cryptography Policy | Art. 21(2)(h) CIR 9.1 | Approved algorithms and key lengths, where encryption is mandatory (data at rest, in transit, backups), key lifecycle management. | CRY/policies Policy editor with algorithm/keylength registry (BSI TR-02102 alignment). |
| Key Management Procedure | Art. 21(2)(h) CIR 9.2-9.3 | How cryptographic keys are generated, distributed, stored, rotated, archived and destroyed. | CRY/policies Key-management section of the cryptography policy editor. |
| Document | Reference | Description | nisd2.eu |
|---|---|---|---|
| Human Resources Security Policy | Art. 21(2)(i) CIR 10 | Background checks, onboarding, role changes, offboarding and confidentiality obligations across the employment lifecycle. | ACC/policies Policy editor (ACC 10.1) — onboarding/offboarding checklists tied to user lifecycle. |
| Access Control Policy | Art. 21(2)(i) CIR 11.1, 11.2, 11.3 | Rules for granting, reviewing and revoking access — least privilege, segregation of duties, privileged access, periodic recertification. | ACC/policies RBAC editor + access-review workflow per system. |
| Physical & Environmental Security Policy | Art. 21(2)(i) CIR 13 | Physical access controls to facilities, server rooms and data centres; environmental safeguards (fire, flood, power). | Not native Policy upload via the GOV module — no dedicated module yet. |
| Document | Reference | Description | nisd2.eu |
|---|---|---|---|
| Authentication Policy | Art. 21(2)(j) CIR 11.6 | MFA requirements, password rules, session controls, service-account handling, alignment with BSI TR-03107 where applicable. | AUT/policies Policy editor (AUT 11.3) plus per-system MFA-status field. |
| Secure Voice, Video & Emergency Communication Policy | Art. 21(2)(j) CIR 11.7 | Approved tools and channels for sensitive communications, with explicit rules for emergency communication if normal channels fail. | AUT/policies Policy editor (AUT 11.1) — captures channels, fallback procedures, key contacts. |
| Document | Reference | Description | nisd2.eu |
|---|---|---|---|
| Cyber Hygiene & Training Programme | Art. 21(2)(g) CIR 8.1 | Training topics by audience (all staff, IT, security roles, top management), frequency, delivery method and effectiveness assessment. | TRN/training training_record module + course catalogue + per-employee completion tracking. |
| Management Cybersecurity Training Record | Art. 20(2) CIR 8.2 | Evidence that the management body has received cybersecurity training sufficient to assess risks and management practices. | TRN/training/nis2-ceo Dedicated CEO training course (§38(3) BSIG) with completion certificate. |
| Document | Reference | Description | nisd2.eu |
|---|---|---|---|
| Effectiveness Measurement Programme | Art. 21(2)(f) CIR 7.1 | KPIs, frequency, data sources and reporting format used to assess whether the cybersecurity measures are working. | EFF/kpis KPI measurement module with target values, periodic capture and trend display. |
| Independent Review / Internal Audit Report | Art. 21(2)(f) CIR 7.2 | Periodic independent assessment of the cybersecurity measures, with findings (nonconformities, observations) and severity. | EFF/internal-audits internal_audit + audit_finding tables — scope, checklist, findings linked to corrective actions. |
| Management Review | Art. 20(1), Art. 21(2)(f) CIR 7.3 | Periodic top-management review of cybersecurity performance — KPI report, audit findings, incidents, decisions and assigned actions. | EFF/management-reviews management_review record — attendees, inputs, decisions, action items, minutes file. |
| Corrective Actions Register | Art. 21(4) CIR 7.4 | Tracking of all corrective actions arising from incidents, audits or reviews — root cause, owner, deadline, verification. | EFF/improvements improvement_item table joined to source (incident / audit_finding / review). |
This list is maintained but does not replace a legal review. The authoritative texts are Directive 2022/2555, CIR 2024/2690, and the relevant national transposition.