NIS 2 Directive Compliance
The NIS 2 Directive (EU 2022/2555) is the EU's updated cybersecurity legislation, significantly expanding the scope and requirements of the original NIS Directive. It mandates comprehensive risk management, incident reporting within 24 hours, supply chain security, and management accountability for essential and important entities across 18 sectors.
Who Needs to Comply with the NIS 2 Directive?
Essential and important entities operating in the EU across energy, transport, health, digital infrastructure, ICT services, and more.
Key Benefits
- Ensure legal compliance with EU cybersecurity requirements
- Avoid substantial fines (up to EUR 10 million or 2% of global turnover)
- Strengthen supply chain and third-party risk management
- Improve incident response and business continuity capabilities
Key Requirements
1. Comprehensive cyber risk management measures
2. Incident handling and reporting within 24 hours
3. Business continuity and crisis management
4. Supply chain security and vendor assessment
5. Network and information systems security
6. Vulnerability disclosure and patch management
7. Encryption and access control policies
8. Multi-factor authentication implementation
Required Policy Templates
10 policies required for NIS 2 Directive compliance, organized by category.
Security
Cybersecurity Risk Management Policy
Establishes a systematic approach to identifying, analyzing, and treating cybersecurity risks in accordance with NIS 2 Directive Article 21.
Incident Handling & Reporting Policy
Defines procedures for detecting, managing, and reporting significant cybersecurity incidents, including the mandatory 24-hour early warning to the CSIRT under NIS 2 Article 23.
Supply Chain Security Policy
Addresses security requirements for direct suppliers and service providers, aligned with NIS 2 Article 21(2)(d).
Access Control & Authentication Policy
Establishes access control policies and asset management requirements for network and information systems, aligned with NIS 2 Article 21(2)(i).
Multi-Factor Authentication Policy
Defines requirements for multi-factor authentication and continuous authentication solutions, aligned with NIS 2 Article 21(2)(j).
Operational
Business Continuity & Crisis Management Policy
Ensures continuity of essential or important services during and after cybersecurity incidents, aligned with NIS 2 Article 21(2)(c).
Crisis Management & Governance Policy
Establishes governance structures and management body responsibilities for cybersecurity oversight, aligned with NIS 2 Article 20.
Technical
Network & Information Systems Security Policy
Establishes security controls for network and information systems acquisition, development, and maintenance, aligned with NIS 2 Article 21(2)(e).
Vulnerability Disclosure & Patch Management Policy
Establishes procedures for vulnerability disclosure and coordinated handling of vulnerabilities, aligned with NIS 2 Article 21(2)(e) and Article 12.
Cryptography & Encryption Policy
Defines policies and procedures for the use of cryptography and encryption to protect network and information systems, aligned with NIS 2 Article 21(2)(h).
Generate NIS 2 Directive Documentation
Answer questions about your infrastructure and PoliWriter generates all 10 NIS 2 Directive policies customized to your organization. Audit-ready in hours, not months.
Other Compliance Frameworks
SOC 2 Type II (20 templates)
Service Organization Control 2 - Trust Services Criteria covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. Requires an observation period of 3-12 months demonstrating controls operate effectively over time.
GDPR (10 templates)
General Data Protection Regulation - EU data protection and privacy regulation.
HIPAA (10 templates)
Health Insurance Portability and Accountability Act - US healthcare data protection.
ISO 27001 (10 templates)
International standard for information security management systems (ISMS).
PCI DSS v4.0 (12 templates)
Payment Card Industry Data Security Standard - security controls for organizations that store, process, or transmit payment cardholder data.
CCPA/CPRA (8 templates)
California Consumer Privacy Act / California Privacy Rights Act - grants California consumers rights over their personal information collected by businesses.
NIST CSF 2.0 (10 templates)
NIST Cybersecurity Framework - voluntary guidance for managing cybersecurity risk across five core functions: Identify, Protect, Detect, Respond, and Recover.
SOC 2 Type I (20 templates)
SOC 2 Type I - point-in-time assessment of the design of your security controls. Ideal for first-time certification before progressing to Type II.
ISO 42001 (8 templates)
ISO/IEC 42001 - international standard for Artificial Intelligence Management Systems (AIMS), covering responsible AI development, deployment, and governance.
NIST SP 800-53 (10 templates)
NIST SP 800-53 - comprehensive catalog of security and privacy controls for federal information systems, widely adopted by private sector organizations.