# NIS2 Quickstart

> Practical 60-day plan to get from sign-up to NIS2-ready in Matproof — covering Article 21 risk-management measures, Article 23 incident reporting, and management-body accountability.

This is the operational companion to [/frameworks/nis2](/frameworks/nis2). NIS2 is structurally simpler than DORA (one core article — Article 21 — covers most of the technical obligations), but the management-body accountability under Article 20 and the supply-chain reach are real bite-points.

## Who this is for

* **Essential entities** under NIS2 Annex I (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space)
* **Important entities** under NIS2 Annex II (postal/courier, waste management, manufacture/production/distribution of chemicals, food, manufacture of certain products, digital providers, research)
* Compliance leads, CISOs, IT directors of medium/large entities (>50 staff or >€10M turnover)

If you're not sure NIS2 applies, check your country's national transposition — NIS2 was transposed into national law by member states with their own scope clarifications. Germany: BSI-Gesetz (NIS2UmsuCG); Netherlands: Cyberbeveiligingswet; etc.

## Before you start

| Have ready                                                     | Why                                                                                                                |
| -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| Confirmation of essential vs important entity classification   | Drives the audit/inspection regime — essential entities get proactive supervision; important entities are reactive |
| Existing list of suppliers (especially ICT/security suppliers) | You'll seed the supply-chain register                                                                              |
| Existing incident-management runbook (if any)                  | Reference for the 24h/72h/1mo Article 23 setup                                                                     |
| Management-body member identified for accountability           | Article 20 is a personal-liability article — name them now                                                         |

## Phase 1 — Week 1: Foundation

Complete [Onboarding](/onboarding) first. Then:

1. **Settings → Frameworks** — confirm NIS2 is active
2. **Frameworks → NIS2** — review the Article 21 control library (typically 35–50 controls covering the 10 measures)
3. If you operate in multiple member states, also activate the relevant national transposition layer (e.g. German NIS2UmsuCG mappings via [Custom Frameworks](/features/custom-frameworks))
4. **People → Invite team:** CISO, head of IT, head of compliance, and the management-body member who will be the named accountability owner

## Phase 2 — Week 2–3: Article 21 Risk-Management Measures

Article 21(2) lists **ten measures** every entity must implement. They map roughly to ISO 27001 control families but with NIS2-specific phrasing. Walk through each in Matproof:

| Measure (Art. 21(2))                                                                                     | What to do in Matproof                                                                                                                                                                                                      |
| -------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **(a)** Risk analysis + InfoSec policies                                                                 | Publish the auto-generated **Information Security Policy** + populate the [risk register](/features/risk-management) with your top risks                                                                                    |
| **(b)** Incident handling                                                                                | Configure the [Incidents module](/features/incidents) with your national CSIRT as the reporting authority                                                                                                                   |
| **(c)** Business continuity (BCP, DR, crisis management)                                                 | Publish the auto-generated BCP and DRP; schedule the first test                                                                                                                                                             |
| **(d)** Supply-chain security                                                                            | Build the supplier register in [Vendor Risk](/features/vendor-risk); for ICT/security suppliers, run the questionnaire and assess sub-processors                                                                            |
| **(e)** Security in network/info-system acquisition, development, maintenance + vulnerability management | Connect [GitHub](/integrations/github) and [Aikido](/integrations/aikido); ensure CVE management runs via [Device Agent Tier 3A](/features/device-agent)                                                                    |
| **(f)** Policies/procedures to assess effectiveness                                                      | Schedule [Audit Programs](/features/audit-programs) — at least one annual internal audit                                                                                                                                    |
| **(g)** Cyber hygiene + training                                                                         | Roll out [security awareness training](/features/people) to every employee/contractor; track acknowledgements                                                                                                               |
| **(h)** Cryptography policies + procedures                                                               | Publish the auto-generated Cryptography Policy; confirm encryption-at-rest and TLS evidence flows from cloud integrations                                                                                                   |
| **(i)** Human resources security, access control, asset management                                       | Connect HR ([Deel](/integrations/deel) if relevant) and IdP ([Entra ID](/integrations/azure-ad), [Google Workspace](/integrations/google-workspace)); the [People](/features/people) module produces access-review evidence |
| **(j)** MFA, secure communication, secure emergency communication                                        | Confirm MFA enforcement evidence from your IdP integration; document emergency channels in the BCP                                                                                                                          |

Each measure becomes one or more controls in the framework view. Assign each control to a specific owner.

## Phase 3 — Week 3–4: Article 23 Incident Reporting

NIS2 Article 23 has its own reporting timeline — different from DORA's:

| Report            | Due                        | What                               |
| ----------------- | -------------------------- | ---------------------------------- |
| **Early warning** | 24 hours after awareness   | "Significant" incident detected    |
| **Notification**  | 72 hours after awareness   | Initial assessment, including IOCs |
| **Final report**  | 1 month after notification | Full root-cause + lessons learned  |

A **significant incident** is one that has caused or is capable of causing severe operational disruption or financial loss, or has affected or is capable of affecting other natural or legal persons.

1. **Incidents → Settings** — set your national CSIRT as the reporting authority (Germany: BSI's CERT-Bund; Netherlands: NCSC-NL; France: CERT-FR; and so on).
2. **Test the flow:** create a synthetic significant incident, step through classification, and generate the early-warning report. Verify the report format matches your CSIRT's expectations.
3. **Brief on-call:** the 24-hour clock starts on **awareness**, not classification. This is stricter than DORA. On-call needs to escalate fast, not investigate first.
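The Article 23 timeline above as a small deadline tracker (an added example, not Matproof code or part of the original page): the 24h and 72h clocks are keyed off awareness, not classification, and the final report off the submitted notification. The `Incident` fields and the sample timestamps are constructed, and "1 month" is taken here as one calendar month with the day clamped.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EARLY_WARNING = timedelta(hours=24)  # Art. 23: early warning, 24h after awareness
NOTIFICATION = timedelta(hours=72)   # Art. 23: notification, 72h after awareness

def add_one_month(t: datetime) -> datetime:
    """One calendar month later, day clamped (31 Jan -> 29 Feb in a leap year). Assumed reading."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=year, month=month, day=min(t.day, monthrange(year, month)[1]))

@dataclass
class Incident:  # constructed record shape, not Matproof's data model
    aware_at: datetime                        # starts the 24h and 72h clocks
    classified_at: Optional[datetime] = None  # triage verdict; does NOT move the clocks
    notified_at: Optional[datetime] = None    # when the 72h notification was submitted

def deadlines(inc: Incident) -> dict:
    """Due times of the three Article 23 reports (final report is None until notified)."""
    return {
        "early_warning": inc.aware_at + EARLY_WARNING,
        "notification": inc.aware_at + NOTIFICATION,
        # Final report: one month after the notification was submitted, not after awareness.
        "final_report": add_one_month(inc.notified_at) if inc.notified_at else None,
    }

def report_status(inc: Incident, now: datetime) -> dict:
    """Per report: ('OVERDUE' | 'due' | 'pending notification', hours until due; negative = late)."""
    out = {}
    for name, due in deadlines(inc).items():
        if due is None:
            out[name] = ("pending notification", None)
        else:
            hours = round((due - now).total_seconds() / 3600, 1)
            out[name] = ("OVERDUE" if hours < 0 else "due", hours)
    return out

# Constructed sample: aware 30 Jan 10:00 UTC, triage finished 27h later, notified 31 Jan 18:00 UTC.
SAMPLE = Incident(
    aware_at=datetime(2024, 1, 30, 10, 0, tzinfo=timezone.utc),
    classified_at=datetime(2024, 1, 31, 13, 0, tzinfo=timezone.utc),
    notified_at=datetime(2024, 1, 31, 18, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    # At the moment triage finished, the early warning is already 3h overdue: the clock ran from awareness.
    for name, (state, hours) in report_status(SAMPLE, SAMPLE.classified_at).items():
        print(f"{name:14} {state:20} {hours}")
```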

## Phase 4 — Week 4–6: Management-Body Accountability (Article 20)

Article 20 is the article that makes NIS2 different from its predecessor: management-body members are personally accountable for the entity's compliance, including potential personal sanctions.

Concrete steps:

1. **Identify the accountable member** — typically the CEO, CIO, or designated board member. Document the name and role in **Settings → Organization → Compliance Roles**
2. **Publish the InfoSec policy with their sign-off** — the policy approval is recorded in the audit trail with their name and timestamp
3. **Brief them annually** — provide a NIS2 cyber-risk briefing to the management body at least once per year. Matproof's framework dashboard supports this — export the dashboard PDF for the briefing pack
4. **Document training they've received** — Article 20 explicitly says management-body members must follow training to gain knowledge to assess cybersecurity risks. Track this in [People → Training](/features/people)

## Phase 5 — Week 6–8: Supply-Chain Security (Article 21(2)(d))

NIS2 requires assessment of "the overall quality and resilience practices of products and services" of every supplier and service provider.

In Matproof:

1. **Vendor Risk → Vendors → Import** your full supplier list
2. Classify each vendor by criticality (Critical / Important / Standard)
3. For Critical and Important vendors, run the **NIS2 supplier security questionnaire** ([Questionnaire AI](/features/questionnaire-ai))
4. For ICT/security suppliers, additionally:
   * Verify their own NIS2 / ISO 27001 / SOC 2 status (request certificates)
   * Document any sub-processor disclosures
   * Schedule annual reassessments
5. **Findings** raised on supplier non-responses or red flags surface in the unified [Findings](/features/findings) view

## Audit-readiness checklist

Use this when preparing for an audit by your national competent authority (BSI, NCSC, ANSSI, CSIRT, etc.):

* [ ] **Art. 20:** Accountable management-body member named, briefed, trained
* [ ] **Art. 21(2)(a):** Information Security Policy published; risk register populated
* [ ] **Art. 21(2)(b):** Incident Management Policy published; incident-handling team named
* [ ] **Art. 21(2)(c):** BCP, DRP, crisis-management plan published; tested in last 12 months
* [ ] **Art. 21(2)(d):** Supply-chain register complete; ICT suppliers reassessed in last 12 months
* [ ] **Art. 21(2)(e):** Vulnerability-management process documented; CVE evidence current
* [ ] **Art. 21(2)(f):** Internal audit completed in last 12 months
* [ ] **Art. 21(2)(g):** Awareness training rolled out; acknowledgement rate > 95%
* [ ] **Art. 21(2)(h):** Cryptography policy published; encryption evidence current
* [ ] **Art. 21(2)(i):** Access controls in place; access reviews completed quarterly
* [ ] **Art. 21(2)(j):** MFA enforced; emergency comms channels documented
* [ ] **Art. 23:** Incident reporting flow tested via tabletop; on-call team briefed on 24h/72h/1mo timeline

## Common gotchas

* **Important vs essential entity classification** — important entities have a lighter audit regime but the same Article 21 obligations. Don't read "important = less work" — read it as "less surveillance, same compliance."
* **National transpositions vary.** Germany's NIS2UmsuCG, Netherlands' Cyberbeveiligingswet, France's transposition all add national specifics. Check your country's transposition; build a [Custom Framework](/features/custom-frameworks) for the delta if needed.
* **Article 20 is personal.** Management-body sanctions are explicitly contemplated in NIS2. Don't have someone "agree" to sign off the policy without actually walking them through it.
* **24-hour early warning** is much faster than people expect. It needs an on-call rota that can classify and notify, not investigate.
* **"Significant incident"** is broadly defined. When in doubt, notify — better to over-report than to face an Article 32 fine for late notification.

<CardGroup cols={2}>
  <Card title="NIS2 framework" href="/frameworks/nis2">
    Conceptual overview — what NIS2 requires
  </Card>

  <Card title="DORA Quickstart" href="/quickstarts/dora">
    For financial entities; pairs with NIS2 for many DACH banks
  </Card>

  <Card title="Vendor Risk" href="/features/vendor-risk">
    Supply-chain register module
  </Card>

  <Card title="Incidents" href="/features/incidents">
    Incident-reporting flow
  </Card>
</CardGroup>
