NIS2 is now the cybersecurity baseline across the EU. Member States were required to transpose the directive by 17 October 2024, and the rules have applied since 18 October 2024. NIS1 was repealed the same day, so the expectations in NIS2 (risk management, incident reporting, and verifiable evidence) are the ones that will be tested in audits going forward.
A key shift is the classification of organisations as essential or important entities based on their sector (Annex I/II) and size (the “size‑cap” rule). In practical terms, if you operate in a listed sector and meet the size criteria, you’re likely in scope. Member States are also required to compile and keep updated lists of essential and important entities by 17 April 2025, which makes scoping decisions more concrete for businesses.
Who’s in scope—and what that means day to day
NIS2 broadens coverage to sectors such as energy, transport, health, digital infrastructure and many more. “Essential” status brings stronger supervision, but both essential and important entities must implement proportionate cybersecurity measures and be able to prove those measures work. That proof is not just policies: regulators and auditors want to see the paper trail—the records, approvals, logs and reports that show controls are active, reviewed and effective.
What NIS2 expects: the risk‑management measures, explained
The Commission adopted an Implementing Regulation in October 2024 that spells out technical and methodological requirements for certain digital infrastructure providers and clarifies when incidents are considered significant. ENISA followed up in June 2025 with practical implementation guidance that maps each measure to examples of acceptable evidence. Treat that guidance like a companion manual: it won’t replace the law, but it shows “what good looks like” in audits.
Below is a plain‑English tour of the measures you’ll actually operate. For each area, keep the records that prove you do what your policy says.
Governance & policy
Management needs to sign off an overarching security policy and topic‑specific policies (risk, incident handling, supply chain, testing, access control and more). The point is accountability: auditors look for evidence that leadership understands cyber risk and drives remediation. Keep: signed policies with version history; board/management minutes showing approvals and reviews.
Risk management
Run a documented risk process: identify assets and threats, assess risks, agree treatments, and review regularly (ENISA’s guidance points to at least annual reviews or after major changes). Keep: a current risk register with owners and status; treatment plans and review logs.
Incident handling
Have playbooks, roles and a communication plan, and be ready to meet the multi‑stage reporting timeline (see below). Keep: incident tickets and timelines; regulator submissions; post‑incident reviews with actions and owners.
Business continuity & crisis management
Document how you’ll operate through disruption, test your recovery, and record the results. Keep: BCP/DR plans; restore test evidence; improvement actions with sign‑offs.
Supply‑chain security
You’re expected to know your ICT suppliers, assess them, and build security requirements (including exit plans) into contracts. Keep: a supplier register with service descriptions and data types; due‑diligence records; contracts with security clauses; renewal and exit checklists.
Secure change & maintenance
Changes, patches and vulnerabilities should be tracked with approvals and time‑bound treatment. Keep: change tickets; patch windows; vulnerability findings and risk acceptances.
Effectiveness measurement & audit
Don’t just run controls—measure them. Set KPIs/KRIs, run internal audits, and brief management. Keep: dashboards; internal audit reports; management review minutes and action logs.
People, hygiene & training
NIS2 expects basic cyber hygiene and role‑appropriate training. Keep: training plans and attendance; outcomes of phishing exercises or awareness campaigns.
Cryptography, HR, access control, asset & physical security
Define crypto standards and key management; align joiner‑mover‑leaver processes with access reviews; maintain asset and information classification; secure facilities and environmental controls. Keep: key inventories and rotation logs; access review sign‑offs; up‑to‑date asset lists; site access logs and site assessments.
The incident‑reporting timeline (and what to include)
NIS2 formalises a multi‑stage process for significant incidents. You must send an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month of the incident notification (with a progress report if it’s still ongoing). Trust service providers have a stricter 24‑hour window for the incident notification. These timelines and contents are set out in Article 23 and explained in the Commission’s 2023 guidance.
- Early warning (≤24h): alert your CSIRT/authority; indicate if it looks malicious/unlawful and whether it could have cross‑border impact.
- Incident notification (≤72h): update the early warning, give an initial assessment of severity/impact, and include any indicators of compromise.
- Final report (≤1 month after the notification): provide a full description, root cause, mitigation and any cross‑border impacts. If the incident is still ongoing at that point, submit a progress report instead, then the final report within one month of the incident being handled.
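The clocks above are easy to get wrong in an incident record: the final-report deadline runs from the notification, not from detection, and trust service providers lose two days on the notification stage. The following is an added example written for this article (not Folderit's code and not a regulator's tool) that turns the stated timeline into deadlines and flags stages that were filed late. It assumes "one month" means one calendar month, clamped to the last day of the target month; the article does not define the term, so treat that as an assumption to confirm against your authority's practice.

```python
"""Added example: NIS2 significant-incident reporting deadlines.

Illustrative code written for this article, not Folderit's or any regulator's
tool. It encodes only the timeline stated above: early warning within 24h,
incident notification within 72h (24h for trust service providers) and a
final report within one month of the incident notification. "One month" is
treated as one calendar month (an assumption; the article does not define it),
clamped to the last day of the target month.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ReportingDeadlines:
    early_warning: datetime
    incident_notification: datetime
    final_report: datetime  # counted from the notification, not from detection


def add_calendar_month(ts: datetime) -> datetime:
    """Return ts plus one calendar month, clamping e.g. 31 Jan -> 28 Feb."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def nis2_deadlines(detected_at: datetime,
                   notification_sent_at: datetime | None = None,
                   trust_service_provider: bool = False) -> ReportingDeadlines:
    """Compute the three reporting deadlines for a significant incident.

    detected_at: when the entity became aware of the incident (tz-aware).
    notification_sent_at: when the 72h/24h notification was actually filed;
        if None, the final-report clock starts from the notification deadline.
    """
    if detected_at.tzinfo is None:
        raise ValueError("use a timezone-aware timestamp so deadlines are unambiguous")
    early = detected_at + timedelta(hours=24)
    notification = detected_at + timedelta(hours=24 if trust_service_provider else 72)
    final_anchor = notification_sent_at or notification
    return ReportingDeadlines(early, notification, add_calendar_month(final_anchor))


def overdue_stages(deadlines: ReportingDeadlines,
                   submitted: dict[str, datetime | None],
                   now: datetime) -> list[str]:
    """List stages that were filed late or are still unfiled past their deadline.

    submitted maps stage name -> filing time, or None if not filed yet.
    """
    late = []
    for stage in ("early_warning", "incident_notification", "final_report"):
        deadline = getattr(deadlines, stage)
        filed = submitted.get(stage)
        if (filed is None and now > deadline) or (filed is not None and filed > deadline):
            late.append(stage)
    return late


if __name__ == "__main__":
    # Constructed sample: detection on 10 March 2025, 09:00 UTC (not a real incident)
    detected = datetime(2025, 3, 10, 9, 0, tzinfo=timezone.utc)
    d = nis2_deadlines(detected)
    print("early warning by ", d.early_warning.isoformat())
    print("notification by  ", d.incident_notification.isoformat())
    print("final report by  ", d.final_report.isoformat())
    # Early warning filed 30h after detection, checked 48h in: only that stage is late
    print("late:", overdue_stages(d, {"early_warning": detected + timedelta(hours=30)},
                                  detected + timedelta(days=2)))
```

Storing the three computed deadlines as metadata on the incident record, alongside the actual filing timestamps, gives the auditor the "who, when, against which deadline" view in one place rather than reconstructed from e-mail.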
Turning requirements into evidence: how a DMS helps you prove it
Policies and processes are necessary, but audits hinge on evidence—who did what, when, and with which approvals. A modern DMS lets you embed that evidence into daily work so it’s captured automatically.
- Audit trails & version history: Every file/folder action is logged with user, time and event, and each document keeps its version history—critical for reconstructing changes or proving the state of a policy when it was approved.
- Retention automation & legal‑hold patterns: Apply series‑based retention to folders or specific files; automatically archive, recycle, or delete based on rules, and freeze records for investigations or litigation.
- Single sign‑on (SSO) & access reviews: Connect Microsoft Entra ID, Okta or Google SSO to enforce least‑privilege and simplify periodic access reviews—another common audit ask.
- Approvals & acknowledgements: Route policies for approval and send acknowledgement requests to confirm that people have read what they must—a simple way to show governance is working.
- Structured metadata & templates: Standardise registers for risks, incidents and suppliers with required fields for owners, severity, renewal dates, and more. (This is what turns files into reliable “evidence objects”.)
Example workflows that stand up in audits
- Incident pack: incident ticket → early warning draft → 72‑hour notification → lessons learned → exported audit log of all edits and approvals attached to the record.
- Supplier register: one folder per provider with contract, due diligence, security addendum, exit plan, and renewal reminder metadata; easy to produce on request.
- Policy lifecycle: draft → review → approval → acknowledgement sent to affected teams, with read receipts and version history for traceability.
A realistic 30‑day plan
Week 1 – Scope & leadership:
Confirm whether you’re an essential or important entity using sector/size criteria, brief management on duties, and approve a top‑level security policy.
Week 2 – Evidence foundations:
Create three core registers—risk, incident, and supplier—as DMS templates with mandatory metadata and retention rules. This is where most audit sampling starts.
Week 3 – Incident readiness:
Dry‑run the 24h/72h/one‑month flow with a tabletop exercise. Capture drafts and submissions inside the incident record so the audit trail tells the full story.
Week 4 – Access & assurance:
Turn on SSO, run a first access review, and file the sign‑off. Close the month with a management review note that references the new registers, tabletop results and any follow‑up actions.
FAQs
Does NIS2 really apply already?
Yes. The transposition deadline was 17 October 2024, and the rules have applied since 18 October 2024. NIS1 was repealed at the same time.
How do I know if I’m “essential” or “important”?
Check your sector against Annex I/II and apply the size‑cap rule. Member States must also create and maintain national lists by 17 April 2025, which helps confirm status.
What exactly must be in each incident report?
Article 23 sets out content, and the Commission’s 2023 guidance explains it clearly: early warning in 24h, notification in 72h, and a final report within one month (progress report if still ongoing). Trust service providers have a stricter 24‑hour notification.
Start a free Folderit trial and ask for the NIS2 evidence workspace: risk/incident/supplier registers, policy approvals and acknowledgements, audit trails, retention automation, and SSO (Microsoft Entra, Okta, Google) preconfigured for fast onboarding.