List of required documents according to NIS 2

If your company needs to comply with the NIS 2 Directive, you’ll have to write lots of new documents to cover cybersecurity and reporting requirements. This article presents all the documents that companies need to write according to NIS2 Chapter IV called “Cybersecurity risk-management measures and reporting obligations” — the reason why I focus only on this chapter is that it is the only one that specifies what essential and important entities need to do to comply with this Directive.

In its Chapter IV “Cybersecurity risk-management measures and reporting obligations,” NIS 2 requires about 30 documents to be written, including:
  • Risk Assessment Methodology
  • Risk Treatment Plan
  • Training and Awareness Plan
  • Incident Management Procedure
  • IT Security Policy
  • etc.

List of required documents and records

The table below shows NIS2 requirements, the relevant articles from Chapter IV of this Directive, and the best practice of documenting those requirements.

What must be documented NIS 2 article Usually documented through
Management bodies must approve the cybersecurity risk-management measures Article 20, paragraph 1 Risk Treatment Plan
Management bodies must oversee the implementation of cybersecurity risk-management measures Article 20, paragraph 1 Measurement Report + Internal Audit Report + Management Review Minutes
Members of the management bodies are required to follow training, and must offer similar training to their employees on a regular basis Article 20, paragraph 2 Training and Awareness Plan
Entities must take appropriate and proportionate technical, operational, and organizational measures to manage the risks Article 21, paragraph 1 Risk Treatment Table + Risk Treatment Plan + various policies and procedures mentioned below
When assessing the proportionality of measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact Article 21, paragraph 1 Risk Assessment Methodology + Risk Assessment Table
Policy on risk analysis Article 21, paragraph 2, point (a) Risk Assessment Methodology
Policy on information system security Article 21, paragraph 2, point (a) Policy on Information System Security
Incident handling Article 21, paragraph 2, point (b) Incident Management Procedure + Incident Log
Business continuity Article 21, paragraph 2, point (c) Business Continuity Plan
Backup management Article 21, paragraph 2, point (c) Backup Policy
Disaster recovery Article 21, paragraph 2, point (c) Disaster Recovery Plan
Crisis management Article 21, paragraph 2, point (c) Crisis Management Plan
Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers Article 21, paragraph 2, point (d) Supplier Security Policy + Security Clauses for Suppliers and Partners + Confidentiality Statement
Security in network and information systems acquisition, development and maintenance Article 21, paragraph 2, point (e) Secure Development Policy + Specification of Information System Requirements
Policies and procedures to assess the effectiveness of cybersecurity risk-management measures Article 21, paragraph 2, point (f) Measurement Methodology + Measurement Report + Internal Audit Procedure + Internal Audit Checklist + Internal Audit Report + Management Review Procedure
Basic cyber hygiene practices Article 21, paragraph 2, point (g) IT Security Policy
Cybersecurity training Article 21, paragraph 2, point (g) Training and Awareness Plan
Policies and procedures regarding the use of cryptography and encryption Article 21, paragraph 2, point (h) Policy on the Use of Encryption
Human resources security Article 21, paragraph 2, point (i) Security Policy for Human Resources
Access control policies Article 21, paragraph 2, point (i) Access Control Policy
Asset management Article 21, paragraph 2, point (i) Asset Management Procedure + Inventory of Assets
The use of multi-factor authentication or continuous authentication solutions Article 21, paragraph 2, point (j) Authentication Policy
Secured voice, video and text communications Article 21, paragraph 2, point (j) Information Transfer Policy + Secure Communication Policy
Secured emergency communication systems within the entity Article 21, paragraph 2, point (j) Secure Communication Policy
Take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures Article 21, paragraph 3 Supplier Security Policy + Risk Assessment and Treatment Report
Take appropriate and proportionate corrective measures Article 21, paragraph 4 Procedure for Corrective Action + Corrective Action Form
Notify CSIRT or competent authority of significant incident Article 23, paragraph 1 Significant Incident Notification for CSIRT/Competent Authority
Notify the recipients of services of significant incidents that are likely to adversely affect the provision of those services Article 23, paragraph 1 Significant Incident Notification for Recipients of Services
Communicate to the recipients of services that are potentially affected by a significant cyber threat any measures or remedies that those recipients are able to take in response to that threat; also inform those recipients of the significant cyber threat itself Article 23, paragraph 2 Significant Incident Notification for Recipients of Services
An early warning that indicates whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact Article 23, paragraph 4, point (a) Significant Incident Early Warning
An incident notification that indicates an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise Article 23, paragraph 4, point (b) Significant Incident Notification for CSIRT/Competent Authority
An intermediate report on relevant status updates Article 23, paragraph 4, point (c) Significant Incident Intermediate Report
A final report not later than one month after the submission of the incident notification Article 23, paragraph 4, point (d) Significant Incident Final Report
A progress report – in the event of an ongoing incident at the time of the submission of the Final Report Article 23, paragraph 4, point (e) Significant Incident Progress Report

Common cybersecurity documents that are not required by NIS 2

Besides the required documents listed above, it is also recommended to write the following documents:

To find all the documents needed for complying with the NIS 2 Directive, check out this NIS 2 Documentation Toolkit that includes all policies, procedures, plans, and other templates.

Advisera Dejan Kosutic

Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.
Read more articles by Dejan Kosutic