NIS2 documentation generator
The NIS2 Directive raises cybersecurity requirements for essential and important entities across the EU, mandating risk-management measures, incident reporting and management accountability.
The NIS2 Directive significantly raises cybersecurity obligations for essential and important entities across the EU, with management held directly accountable. Compliance requires documented risk-management measures, an incident-reporting process that meets strict timelines, and supply-chain and continuity controls. CompliWiseAI generates the NIS2 documentation set so EU SMEs can show regulators a governed, evidence-backed cybersecurity programme.
Documents we generate for NIS2
9 required documents, each tailored to your company and structured for audit.
Cybersecurity Risk Management Policy
Required: Governance policy establishing the cyber risk-management measures required by NIS2.
Policy · Art. 21(2)
Cyber Risk Assessment & Register
Required: Identification and analysis of risks to network and information systems.
Risk register · Art. 21(2)(a)
Incident Handling & Reporting Plan
Required: Incident handling with NIS2 reporting timelines (24h early warning, 72h notification, 1-month final report).
Incident response · Art. 21(2)(b), Art. 23
Business Continuity & Crisis Management Plan
Required: Backup management, disaster recovery and crisis management to maintain operations.
SOP · Art. 21(2)(c)
Supply Chain Security Policy
Required: Security requirements addressing risks from suppliers and service providers.
Policy · Art. 21(2)(d)
Vulnerability Handling & Disclosure Policy
Required: Processes for vulnerability identification, remediation and coordinated disclosure.
SOP · Art. 21(2)(e)
Access Control & MFA Policy
Required: Access control, multi-factor authentication and secured communications requirements.
Policy · Art. 21(2)(i)–(j)
Cryptography & Encryption Policy
Required: Use of cryptography and encryption to protect information.
Policy · Art. 21(2)(h)
Cyber Hygiene & Security Training Programme
Required: Basic cyber hygiene practices and security awareness training, including for management.
Training · Art. 21(2)(g)
Incident Reporting Register
Record of significant incidents and regulator notifications.
Log template · Art. 23
NIS2 readiness checklist
- Management body has approved cyber risk measures
- Cyber risk assessment completed
- 24h/72h incident reporting process in place
- Business continuity and backups tested
- Supply chain security addressed
- Vulnerability handling process operating
- MFA enforced on critical systems
- Security training delivered (incl. management)
- Entity registered with national authority where required
NIS2 — frequently asked questions
Who does NIS2 apply to?
NIS2 applies to medium and large organizations in sectors deemed essential or important — including energy, transport, banking, health, digital infrastructure, ICT service management, manufacturing and more. Many SMEs are in scope as suppliers to these entities. Check your national transposition for exact thresholds.
What are the NIS2 incident reporting deadlines?
For a significant incident, NIS2 requires an early warning within 24 hours, a fuller incident notification within 72 hours, and a final report within one month. CompliWiseAI's incident handling and reporting plan is structured around exactly these timelines.
What risk-management measures does NIS2 require?
Article 21 lists measures including risk analysis and information system security, incident handling, business continuity, supply chain security, vulnerability handling, cyber hygiene and training, cryptography, access control and multi-factor authentication. CompliWiseAI generates a policy or procedure for each.
Start your NIS2 documentation free
Create a workspace, add NIS2, and generate your first audit-ready document in minutes.