NIS2 Quickstart

This is the operational companion to /frameworks/nis2. NIS2 is structurally simpler than DORA (one core article — Article 21 — covers most of the technical obligations), but the management-body accountability under Article 20 and the supply-chain reach are real bite-points.

Who this is for

  • Essential entities under NIS2 Annex I (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space)
  • Important entities under NIS2 Annex II (postal/courier, waste management, manufacture/production/distribution of chemicals, food, manufacture of certain products, digital providers, research)
  • Compliance leads, CISOs, IT directors of medium/large entities (>50 staff or >€10M turnover)
If you’re not sure NIS2 applies, check your country’s national transposition — NIS2 was transposed into national law by member states with their own scope clarifications. Germany: BSI-Gesetz (NIS2UmsuCG); Netherlands: Cyberbeveiligingswet; etc.

Before you start

| Have ready | Why |
|---|---|
| Confirmation of essential vs important entity classification | Drives the audit/inspection regime — essential entities get proactive supervision; important entities are reactive |
| Existing list of suppliers (especially ICT/security suppliers) | You’ll seed the supply-chain register |
| Existing incident-management runbook (if any) | Reference for the 24h/72h/1mo Article 23 setup |
| Management-body member identified for accountability | Article 20 is a personal-liability article — name them now |

Phase 1 — Week 1: Foundation

Complete Onboarding first. Then:
  1. Settings → Frameworks — confirm NIS2 is active
  2. Frameworks → NIS2 — review the Article 21 control library (typically 35–50 controls covering the 10 measures)
  3. If you operate in multiple member states, also activate the relevant national transposition layer (e.g. German NIS2UmsuCG mappings via Custom Frameworks)
  4. People → Invite team: CISO, head of IT, head of compliance, and the management-body member who will be the named accountability owner

Phase 2 — Week 2–3: Article 21 Risk-Management Measures

Article 21(2) lists ten measures every entity must implement. They map roughly to ISO 27001 control families but with NIS2-specific phrasing. Walk through each in Matproof:
| Measure (Art. 21(2)) | What to do in Matproof |
|---|---|
| (a) Risk analysis + InfoSec policies | Publish the auto-generated Information Security Policy + populate the risk register with your top risks |
| (b) Incident handling | Configure the Incidents module with your national CSIRT as the reporting authority |
| (c) Business continuity (BCP, DR, crisis management) | Publish the auto-generated BCP and DRP; schedule the first test |
| (d) Supply-chain security | Build the supplier register in Vendor Risk; for ICT/security suppliers, run the questionnaire and assess sub-processors |
| (e) Security in network/info-system acquisition, development, maintenance + vulnerability management | Connect GitHub and Aikido; ensure CVE management runs via Device Agent Tier 3A |
| (f) Policies/procedures to assess effectiveness | Schedule Audit Programs — at least one annual internal audit |
| (g) Cyber hygiene + training | Roll out security awareness training to every employee/contractor; track acknowledgements |
| (h) Cryptography policies + procedures | Publish the auto-generated Cryptography Policy; confirm encryption-at-rest and TLS evidence flows from cloud integrations |
| (i) Human resources security, access control, asset management | Connect HR (Deel if relevant) and IdP (Entra ID, Google Workspace); the People module produces access-review evidence |
| (j) MFA, secure communication, secure emergency communication | Confirm MFA enforcement evidence from your IdP integration; document emergency channels in the BCP |
Each measure becomes one or more controls in the framework view. Assign each control to a specific owner.

Phase 3 — Week 3–4: Article 23 Incident Reporting

NIS2 Article 23 has its own reporting timeline — different from DORA’s:
| Report | Due | What |
|---|---|---|
| Early warning | 24 hours after awareness | “Significant” incident detected |
| Notification | 72 hours after awareness | Initial assessment, including IOCs |
| Final report | 1 month after notification | Full root-cause + lessons learned |
A significant incident is one that has caused or is capable of causing severe operational disruption or financial loss, or has affected or is capable of affecting other natural or legal persons.
  1. Incidents → Settings — set your CSIRT as the reporting authority. For Germany: BSI’s CERT-Bund. Netherlands: NCSC-NL. France: CERT-FR. Etc.
  2. Test the flow: create a synthetic significant incident, step through classification, generate the early-warning report. Verify the report format matches your CSIRT’s expectations
  3. Brief on-call: the 24-hour clock starts on awareness, not classification. This is stricter than DORA. On-call needs to escalate fast, not investigate first.
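The three Article 23 clocks above, as an added Python example that is not part of Matproof’s product or this page. It encodes the two points on-call teams get wrong: the 24h and 72h clocks run from awareness (the classification timestamp is deliberately not an input), and the final-report clock runs from the notification, not from awareness. Assumptions not taken from the page: “1 month” is treated as one calendar month clamped to the end of the target month, and when no notification has been sent yet the 72h deadline is used as a provisional anchor for the final report. The sample timestamps are constructed.

```python
from datetime import datetime, timedelta
from typing import Optional
import calendar

# Article 23 clocks as stated on this page. Assumptions (not from the page):
# "awareness" is the timestamp the entity became aware of the incident, and
# "1 month" is one calendar month, clamped to the last day of the target month.
EARLY_WARNING_AFTER = timedelta(hours=24)
NOTIFICATION_AFTER = timedelta(hours=72)


def add_calendar_month(ts: datetime) -> datetime:
    """Return ts plus one calendar month (31 Jan -> 28/29 Feb, not 3 Mar)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def nis2_deadlines(awareness: datetime, notification_sent: Optional[datetime] = None) -> dict:
    """Compute the three Article 23 deadlines from the moment of awareness.

    The 24h and 72h clocks run from awareness, never from classification.
    The final report runs from the notification; if it has not been sent yet,
    the 72h deadline is used as a provisional anchor (assumption).
    """
    if awareness.tzinfo is None:
        raise ValueError("awareness must be timezone-aware to avoid off-by-hours mistakes")
    notification_due = awareness + NOTIFICATION_AFTER
    # Flag a notification that went out after the 72h deadline for the incident record.
    late = notification_sent is not None and notification_sent > notification_due
    final_anchor = notification_sent if notification_sent is not None else notification_due
    return {
        "early_warning_due": awareness + EARLY_WARNING_AFTER,
        "notification_due": notification_due,
        "final_report_due": add_calendar_month(final_anchor),
        "final_report_provisional": notification_sent is None,
        "notification_late": late,
    }


def overdue(deadlines: dict, now: datetime) -> list:
    """Names of the deadlines that `now` has already passed."""
    return [k for k in ("early_warning_due", "notification_due", "final_report_due") if now > deadlines[k]]


def deadlines_iso(awareness_iso: str, notification_sent_iso: Optional[str] = None,
                  now_iso: Optional[str] = None) -> dict:
    """String-in / string-out wrapper for ticketing integrations and quick checks."""
    awareness = datetime.fromisoformat(awareness_iso)
    sent = datetime.fromisoformat(notification_sent_iso) if notification_sent_iso else None
    d = nis2_deadlines(awareness, sent)
    out = {k: (v.isoformat() if isinstance(v, datetime) else v) for k, v in d.items()}
    if now_iso:
        out["overdue"] = overdue(d, datetime.fromisoformat(now_iso))
    return out


if __name__ == "__main__":
    # Constructed sample: awareness on 31 Jan 10:00 CET. Even if the incident is
    # only classified as significant 30 hours later, no clock moves.
    print(deadlines_iso("2025-01-31T10:00:00+01:00", now_iso="2025-02-02T00:00:00+01:00"))
```

Wiring `deadlines_iso` into the on-call tooling (ticket creation, pager escalation) makes the “notify, don’t investigate” rule mechanical: the early-warning deadline exists the moment awareness is logged, and the `overdue` list is what the escalation check should alert on.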

Phase 4 — Week 4–6: Management-Body Accountability (Article 20)

Article 20 is the article that makes NIS2 different from its predecessor: management-body members are personally accountable for the entity’s compliance, including potential personal sanctions. Concrete steps:
  1. Identify the accountable member — typically the CEO, CIO, or designated board member. Document the name and role in Settings → Organization → Compliance Roles
  2. Publish the InfoSec policy with their sign-off — the policy approval is recorded in the audit trail with their name and timestamp
  3. Brief them annually — provide a NIS2 cyber-risk briefing to the management body at least once per year. Matproof’s framework dashboard supports this — export the dashboard PDF for the briefing pack
  4. Document training they’ve received — Article 20 explicitly says management-body members must follow training to gain knowledge to assess cybersecurity risks. Track this in People → Training

Phase 5 — Week 6–8: Supply-Chain Security (Article 21(2)(d))

NIS2 requires assessment of “the overall quality and resilience practices of products and services” of every supplier and service provider. In Matproof:
  1. Vendor Risk → Vendors → Import your full supplier list
  2. Classify each vendor by criticality (Critical / Important / Standard)
  3. For Critical and Important vendors, run the NIS2 supplier security questionnaire (Questionnaire AI)
  4. For ICT/security suppliers, additionally:
    • Verify their own NIS2 / ISO 27001 / SOC 2 status (request certificates)
    • Document any sub-processor disclosures
    • Schedule annual reassessments
  5. Findings raised on supplier non-responses or red flags surface in the unified Findings view

Audit-readiness checklist

Use this when preparing for an audit by your national competent authority (BSI, NCSC, ANSSI, CSIRT, etc.):
  • Art. 20: Accountable management-body member named, briefed, trained
  • Art. 21(2)(a): Information Security Policy published; risk register populated
  • Art. 21(2)(b): Incident Management Policy published; incident-handling team named
  • Art. 21(2)(c): BCP, DRP, crisis-management plan published; tested in last 12 months
  • Art. 21(2)(d): Supply-chain register complete; ICT suppliers reassessed in last 12 months
  • Art. 21(2)(e): Vulnerability-management process documented; CVE evidence current
  • Art. 21(2)(f): Internal audit completed in last 12 months
  • Art. 21(2)(g): Awareness training rolled out; acknowledgement rate > 95%
  • Art. 21(2)(h): Cryptography policy published; encryption evidence current
  • Art. 21(2)(i): Access controls in place; access reviews completed quarterly
  • Art. 21(2)(j): MFA enforced; emergency comms channels documented
  • Art. 23: Incident reporting flow tested via tabletop; on-call team briefed on 24h/72h/1mo timeline

Common gotchas

  • Important vs essential entity classification — important entities have a lighter audit regime but the same Article 21 obligations. Don’t read “important = less work” — read it as “less surveillance, same compliance.”
  • National transpositions vary. Germany’s NIS2UmsuCG, Netherlands’ Cyberbeveiligingswet, France’s transposition all add national specifics. Check your country’s transposition; build a Custom Framework for the delta if needed.
  • Article 20 is personal. Management-body sanctions are explicitly contemplated in NIS2. Don’t have someone “agree” to sign off the policy without actually walking them through it.
  • 24-hour early warning is much faster than people expect. It needs an on-call rota that can classify and notify, not investigate.
  • “Significant incident” is broadly defined. When in doubt, notify — better to over-report than to face an Article 32 fine for late notification.
