If your company needs to comply with the NIS 2 Directive, you’ll have to write lots of new documents to cover cybersecurity and reporting requirements. This article presents all the documents that companies need to write according to NIS2 Chapter IV called “Cybersecurity risk-management measures and reporting obligations” — the reason why I focus only on this chapter is that it is the only one that specifies what essential and important entities need to do to comply with this Directive.
- Risk Assessment Methodology
- Risk Treatment Plan
- Training and Awareness Plan
- Incident Handling Policy
- IT Security Policy
- etc.
List of required documents and records
The table below shows NIS2 requirements, the relevant articles from Chapter IV of this Directive, and the best practice of documenting those requirements.
What must be documented | NIS 2 / CIR article | Usually documented through |
Management bodies must approve the cybersecurity risk-management measures | Article 20, paragraph 1 | Risk Treatment Plan |
Management bodies must oversee the implementation of cybersecurity risk-management measures | Article 20, paragraph 1 | Measurement Report + Internal Audit Report + Management Review Minutes |
Members of the management bodies are required to follow training, and must offer similar training to their employees on a regular basis | Article 20, paragraph 2 | Training and Awareness Plan |
Entities must take appropriate and proportionate technical, operational, and organizational measures to manage the risks | Article 21, paragraph 1
CIR 2024/2690 Annex point 2.1 |
Risk Treatment Table + Risk Treatment Plan + various policies and procedures mentioned below |
When assessing the proportionality of measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact | Article 21, paragraph 1
CIR 2024/2690 Annex point 2.1 |
Risk Assessment Methodology + Risk Assessment Table |
Policy on risk analysis | Article 21, paragraph 2, point (a)
CIR 2024/2690 Annex point 2.1 |
Risk Assessment Methodology |
Policy on information system security | Article 21, paragraph 2, point (a) | Policy on Information System Security |
Incident handling | Article 21, paragraph 2, point (b)
CIR 2024/2690 Articles 3 to 14 and Annex points 3.1, 3.3, 3.4, 3.5, 3.6, and 4.3.3 |
Incident Handling Policy + Incident Log |
Business continuity | Article 21, paragraph 2, point (c) | Business Continuity Plan |
Backup management | Article 21, paragraph 2, point (c) | Backup Policy |
Disaster recovery | Article 21, paragraph 2, point (c)
CIR 2024/2690 Annex point 4.1 |
Disaster Recovery Plan |
Crisis management | Article 21, paragraph 2, point (c) | Crisis Management Plan |
Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers | Article 21, paragraph 2, point (d) | Supplier Security Policy + Security Clauses for Suppliers and Partners + Confidentiality Statement |
Security in network and information systems acquisition, development and maintenance | Article 21, paragraph 2, point (e) | Policy for the Acquisition, Development, and Maintenance of ICT Systems + Specification of Acquisition, Development, and Maintenance Requirements of ICT System |
Policies and procedures to assess the effectiveness of cybersecurity risk-management measures | Article 21, paragraph 2, point (f)
CIR 2024/2690 Annex point 7 |
Measurement Methodology + Measurement Report + Internal Audit Procedure + Internal Audit Checklist + Internal Audit Report + Management Review Procedure |
Basic cyber hygiene practices | Article 21, paragraph 2, point (g) | IT Security Policy |
Cybersecurity training | Article 21, paragraph 2, point (g)
CIR 2024/2690 Annex point 8 |
Training and Awareness Plan |
Policies and procedures regarding the use of cryptography and encryption | Article 21, paragraph 2, point (h) | Policy on Encryption and Cryptographic Controls |
Human resources security | Article 21, paragraph 2, point (i) | Security Policy for Human Resources |
Access control policies | Article 21, paragraph 2, point (i) | Access Control Policy |
Asset management | Article 21, paragraph 2, point (i) | Asset Management Procedure + IT Asset Register |
The use of multi-factor authentication or continuous authentication solutions | Article 21, paragraph 2, point (j) | Authentication Policy |
Secured voice, video and text communications | Article 21, paragraph 2, point (j) | Information Transfer Policy + Secure Communication Policy |
Secured emergency communication systems within the entity | Article 21, paragraph 2, point (j) | Secure Communication Policy |
Take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures | Article 21, paragraph 3 | Supplier Security Policy + Risk Assessment and Treatment Report |
Take appropriate and proportionate corrective measures | Article 21, paragraph 4 | Procedure for Corrective Action + Corrective Action Form |
Notify CSIRT or competent authority of significant incident | Article 23, paragraph 1 | Significant Incident Notification for CSIRT/Competent Authority |
Notify the recipients of services of significant incidents that are likely to adversely affect the provision of those services | Article 23, paragraph 1 | Significant Incident Notification for Recipients of Services |
Communicate to the recipients of services that are potentially affected by a significant cyber threat any measures or remedies that those recipients are able to take in response to that threat; also inform those recipients of the significant cyber threat itself | Article 23, paragraph 2
CIR 2024/2690 Annex point 3.3 |
Significant Incident Notification for Recipients of Services |
An early warning that indicates whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact | Article 23, paragraph 4, point (a)
CIR 2024/2690 Annex point 3.5 |
Significant Incident Early Warning |
An incident notification that indicates an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise | Article 23, paragraph 4, point (b)
CIR 2024/2690 Annex point 3.5 |
Significant Incident Notification for CSIRT/Competent Authority |
An intermediate report on relevant status updates | Article 23, paragraph 4, point (c)
CIR 2024/2690 Annex point 3.5 |
Significant Incident Intermediate Report |
A final report not later than one month after the submission of the incident notification | Article 23, paragraph 4, point (d)
CIR 2024/2690 Annex point 3.5 |
Significant Incident Final Report |
A progress report – in the event of an ongoing incident at the time of the submission of the Final Report | Article 23, paragraph 4, point (e)
CIR 2024/2690 Annex point 3.5 |
Significant Incident Progress Report |
Cybersecurity documents required by CIR 2024/2690
Besides the required documents listed above, if a company is a digital critical infrastructure company (any of the following: DNS service provider; TLD name registry; cloud computing service provider; data center service provider; content delivery network provider; managed service provider; managed security service provider; trust service provider; or the provider of an online marketplace, an online search engine, or a social networking services platform), the following documents are also mandatory:
- Acceptance of Residual Risks – document used to formally accept the risks that are left after the cybersecurity measures are applied.
- Physical Security Policy — defines security rules for data centers, archives, and other areas that need special protection.
- Information Classification Policy — provides clear rules on how to classify documents and other information, and how to protect those assets according to classification level.
- Network Security Policy – defines basic rules for ensuring the security of networks against intrusions and data misuse.
- Vulnerability and Patch Management Procedure – aims to ensure the correct and secure application of software code changes or updates, known as patches, to fix security or functionality problems, add new capabilities, or improve the performance of software and ICT equipment.
- ICT Change Management Procedure — defines rules on how to perform changes in production systems, in order to decrease security risks.
- Business Impact Analysis Methodology – defines the methodology and process for assessing the impacts of disruptive activities and determines continuity and recovery priorities, objectives, and targets.
- Business Continuity Strategy – defines which options and solutions a company will utilize to ensure that all conditions for the resumption of business activities in the case of disaster or other disruptive incident are met.
- Recovery Time Objectives for Activities – determines recovery time objectives for each activity, taking into account dependencies on other activities.
- Activity Recovery Strategy for an individual activity – defines the recovery strategy for an individual activity, and solutions to implement that strategy.
- Disruptive Incident Response Plan – defines solutions for direct response to the occurrence of various types of incidents.
- List of Business Continuity Sites – specifies all provided alternative sites.
- Key Contacts – specifies the contact information for all key contacts within the company.
- Exercising and Testing Plan – determines the frequency and methods of testing in order to assess the feasibility of measures and solutions for business continuity management, and to establish necessary corrective actions.
- Exercising and Testing Report – specifies the results of exercising and testing, appropriate corrective actions that must be initiated, and other recommendations for improvement.
- Directory of Suppliers and Service Providers – registry of the company’s direct suppliers and service providers.
- Minor Incident Response Procedure – ensures a timely, consistent, and systematic response to incidents that are not considered disruptive.
- Post Incident Review Form – used to assess all the relevant aspects of handling an incident.
Common cybersecurity documents that are not required by NIS 2
Besides the required documents listed above, it is also recommended to write the following documents:
- Mobile Device and Work from Home Policy — specifies the rules for using laptops, smartphones, and other devices outside of company premises.
- Bring Your Own Device (BYOD) Policy — specifies security aspects if employees are using their private devices for work.
- Disposal and Destruction Policy — specifies how to dispose of devices and media, in order to delete all sensitive data and avoid breaking intellectual property rights.
- Clear Desk and Clear Screen Policy — defines rules for each employee on how to protect his/her workspace.
- Security Procedures for IT Department — provides security operating procedures for activities that are not covered in other documents.
To find all the documents needed for complying with the NIS 2 Directive, check out this NIS 2 Documentation Toolkit that includes all policies, procedures, plans, and other templates.