NIS2 Directive prompt library
About this prompt library
This prompt library helps essential and important entities comply with the NIS2 Directive (Directive (EU) 2022/2555), the EU's updated framework for cybersecurity of network and information systems. Use these prompts with ISMS Copilot to build NIS2-compliant cybersecurity risk management frameworks.
NIS2 significantly expands scope from the original NIS Directive. It applies to medium and large entities in 18 sectors (essential: energy, transport, banking, health, water, digital infrastructure; important: postal, waste management, chemicals, food, manufacturing, digital providers, space, and more).
How to use these prompts
Replace [bracketed placeholders] with your specific organizational details. Start with scope assessment, then build your cybersecurity risk management framework. Upload existing security policies or risk assessments for more tailored outputs.
NIS2 scope and applicability assessment
NIS2 applicability determination
Assess whether NIS2 applies to our organization:
Organization details:
- Sector: [energy/transport/banking/health/digital infrastructure/manufacturing/postal/chemicals/food/space/public administration/other]
- Size: [employees, annual revenue/balance sheet]
- EU presence: [EU member state(s) where we operate]
- Services provided: [describe core activities]
- Critical dependencies: [do other essential entities rely on us?]
Determine:
- Whether we qualify as "essential" or "important" entity (size thresholds, criticality)
- Which EU member state(s) have jurisdiction
- Specific NIS2 obligations that apply
- Exemptions (e.g., small/micro enterprises, specific entity types)
- Compliance deadlines (Member States transposing by Oct 2024; enforcement varies)
Provide a scoping statement and identify competent national authorities for registration and supervision.
Gap analysis against NIS2 requirements
Conduct a gap analysis of our current cybersecurity posture against NIS2 Article 21 cybersecurity risk management measures:
Current state:
- Risk assessment practices: [describe current approach]
- Incident handling: [current capabilities and procedures]
- Business continuity: [BCP/DR plans and testing]
- Supply chain security: [vendor risk management]
- Security measures: [access control, encryption, MFA, etc.]
- Training and awareness: [current programs]
- Vulnerability management: [patching, scanning]
- Cryptography: [encryption usage]
For each NIS2 requirement (risk analysis, incident handling, business continuity, supply chain, security, hygiene, training, cryptography, human resources, access control, asset management), provide:
- Regulatory requirement summary
- Our current maturity (Compliant/Partial/Non-compliant)
- Specific gaps
- Risk if non-compliant (regulatory sanctions, security exposure)
- Remediation actions
- Effort and timeline
Prioritize critical gaps for essential vs. important entity obligations.
Cybersecurity risk management framework
NIS2 cybersecurity policy
Create a comprehensive cybersecurity policy aligned with NIS2 Article 21:
Organization: [name, sector, essential/important classification]
Policy sections:
1. Governance and risk management
- Management body responsibilities (board-level oversight, approval authority)
- Cybersecurity risk assessment methodology (risk identification, analysis, evaluation)
- Risk treatment and acceptance
- Integration with enterprise risk management
2. Incident handling (Article 21(2)(a))
- Incident detection, response, and recovery
- Significant incident notification to CSIRT/competent authority (24-hour early warning, incident notification, final report)
- Incident classification and materiality thresholds
- Crisis management and communication
3. Business continuity and disaster recovery (Article 21(2)(b))
- Business impact analysis
- Backup strategies and restoration procedures
- Recovery time and point objectives
- Testing and exercising requirements
4. Supply chain security (Article 21(2)(c))
- Supplier cybersecurity requirements
- Security clauses in procurement contracts
- Vulnerability assessments of supply chain
- Coordination with direct suppliers on security measures
5. Security measures (Article 21(2)(d-j))
- Policies on risk analysis and information security
- Incident handling procedures
- Business continuity/disaster recovery
- Supply chain security
- Network/system security (access control, asset management)
- Security awareness training
- Cryptography and encryption
- Human resources security and access control
- Multi-factor authentication and secure communications
Ensure management body approval and accountability per NIS2 Article 20.
Risk assessment methodology
Develop a cybersecurity risk assessment methodology meeting NIS2 Article 21(2)(d):
Our environment:
- Critical systems and services: [list key systems]
- Threat landscape: [relevant threats to our sector]
- Dependencies: [supply chain, critical providers]
Risk assessment process:
1. Asset identification and valuation
- Information assets, systems, networks, data
- Business criticality and dependencies
- Asset owners and custodians
2. Threat identification
- Threat actors (cybercriminals, state actors, insiders, hacktivists)
- Attack vectors (phishing, ransomware, supply chain attacks, DDoS, vulnerabilities)
- Sector-specific threats per ENISA reports
3. Vulnerability assessment
- Technical vulnerabilities (unpatched systems, misconfigurations, weak authentication)
- Organizational vulnerabilities (lack of awareness, insufficient procedures)
- Supply chain vulnerabilities
4. Risk analysis and evaluation
- Likelihood assessment (based on threat capability and vulnerabilities)
- Impact assessment (confidentiality, integrity, availability; business impact)
- Risk rating matrix and scoring
- Risk prioritization
5. Risk treatment
- Risk mitigation measures and controls
- Risk acceptance criteria
- Residual risk evaluation
- Treatment plan and timelines
6. Monitoring and review
- Continuous risk monitoring
- Periodic reassessment (at least annually or after major changes)
- Reporting to management body
Create templates for risk register, risk treatment plan, and management body risk reporting.
Incident management and notification
NIS2 incident response and notification procedure
Create incident response procedures including NIS2-mandated notification timelines (Article 23):
Incident response framework:
1. Detection and initial assessment
- Detection mechanisms (SIEM, IDS/IPS, EDR, user reports)
- Initial triage and classification
- Significance determination (impact on service continuity, number of users, geographic spread, duration, economic impact)
2. Significant incident notification (Article 23)
- Early warning (within 24 hours of becoming aware): Basic information, incident type, impact assessment
- Incident notification (within 72 hours): Initial assessment, severity, indicators of compromise, affected services
- Intermediate reports (if requested by authority): Progress updates during ongoing incidents
- Final report (within 1 month): Detailed description, root cause, impact, response measures, cross-border implications
3. Response and containment
- Incident response team activation
- Containment strategies (isolation, shutdown, traffic filtering)
- Evidence preservation and forensics
- Communication (internal, customers, authorities, public if needed)
4. Recovery and lessons learned
- Recovery and restoration procedures
- Post-incident review
- Lessons learned and improvement actions
- Updating incident playbooks
Provide notification templates for the competent authority and CSIRT, including the required information fields per implementing acts.
Address Article 23(8): Voluntary reporting to EU-CyCLONe (EU Cyber Crises Liaison Organisation Network) for large-scale incidents.
Incident classification criteria
Define incident classification criteria to determine "significant incidents" requiring notification:
Our services: [describe critical services in scope]
Service levels: [uptime commitments, user base]
Classification criteria (based on NIS2 Article 23 and implementing acts):
1. Service disruption
- Number of users affected: [threshold, e.g., >10% of user base or >X users]
- Duration: [threshold, e.g., >4 hours of service degradation]
- Geographic scope: [multi-site, multi-country impact]
2. Data impact
- Data breach or loss (volume, sensitivity, data subjects affected)
- Integrity compromise (critical data modified or corrupted)
3. Financial/economic impact
- Direct financial loss: [threshold]
- Indirect economic impact (reputation, customer churn)
4. Impact on other entities
- Dependencies: Does incident affect other essential/important entities?
- Supply chain: Does incident propagate to customers or partners?
5. Incident type severity
- Ransomware, destructive malware: Automatically significant
- Advanced persistent threat (APT): Likely significant
- DDoS affecting critical service: Significant if meets disruption thresholds
- Vulnerability exploitation: Depends on impact
Create a decision tree: Does incident meet any significance threshold → Yes → Notify within 24h (early warning).
Include edge cases: Security events vs. incidents, near-misses, false positives. NIS2 introduces strict notification timelines (24 hours early warning, 72 hours incident notification). Ensure your incident response team understands when and how to notify national authorities to avoid penalties.
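The decision tree and Article 23 deadlines from this prompt, as an added Python example that is not part of the original library: it uses the bracketed placeholder thresholds (>10% of users, >4 hours) as constructed values, treats security events, near-misses and false positives as never starting the clock, and assumes the one-month final report is counted from the 72-hour notification deadline and approximated as 30 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed placeholder thresholds, taken from the bracketed examples in the
# prompt above; a real entity would derive these from its own service levels.
USER_SHARE_THRESHOLD = 0.10      # more than 10% of the user base affected
DURATION_HOURS_THRESHOLD = 4.0   # more than 4 hours of service degradation
AUTO_SIGNIFICANT_TYPES = {"ransomware", "destructive_malware"}


@dataclass
class Incident:
    incident_type: str            # e.g. "ransomware", "ddos", "apt"
    aware_at: datetime            # moment the entity became aware (Article 23 clock start)
    users_affected: int = 0
    user_base: int = 1
    duration_hours: float = 0.0
    integrity_compromised: bool = False   # critical data modified or corrupted
    affects_other_entities: bool = False  # propagates to other essential/important entities
    event_only: bool = False              # security event, near-miss or false positive


def make_incident(incident_type: str, aware_iso: str, **fields) -> Incident:
    """Helper for constructed samples: aware_iso is an ISO-8601 timestamp."""
    return Incident(incident_type, datetime.fromisoformat(aware_iso), **fields)


def significance_reasons(inc: Incident) -> List[str]:
    """Walk the decision tree and return every threshold the incident meets.
    An empty list means the incident is not 'significant' and needs no notification."""
    if inc.event_only:
        return []   # edge case: events and near-misses never trigger notification
    reasons = []
    if inc.incident_type in AUTO_SIGNIFICANT_TYPES:
        reasons.append("incident type automatically significant")
    if inc.user_base > 0 and inc.users_affected / inc.user_base > USER_SHARE_THRESHOLD:
        reasons.append("users affected above threshold")
    if inc.duration_hours > DURATION_HOURS_THRESHOLD:
        reasons.append("service disruption duration above threshold")
    if inc.integrity_compromised:
        reasons.append("integrity compromise of critical data")
    if inc.affects_other_entities:
        reasons.append("impact on other essential/important entities")
    return reasons


def notification_deadlines(inc: Incident) -> Optional[Dict[str, datetime]]:
    """Return the Article 23 deadlines for a significant incident, else None."""
    if not significance_reasons(inc):
        return None
    early_warning = inc.aware_at + timedelta(hours=24)
    incident_notification = inc.aware_at + timedelta(hours=72)
    # Assumption for this example: the one-month final report is counted from
    # the 72-hour notification deadline and approximated as 30 days.
    final_report = incident_notification + timedelta(days=30)
    return {"early_warning": early_warning,
            "incident_notification": incident_notification,
            "final_report": final_report}


if __name__ == "__main__":
    # Constructed sample: ransomware discovered at 08:00 UTC on 17 October 2024.
    sample = Incident("ransomware", datetime(2024, 10, 17, 8, 0, tzinfo=timezone.utc),
                      users_affected=300, user_base=10000, duration_hours=2.0)
    for name, due in notification_deadlines(sample).items():
        print(f"{name}: {due.isoformat()}")
```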
Business continuity and disaster recovery
NIS2-compliant BCP/DR program
Develop business continuity and disaster recovery plans per NIS2 Article 21(2)(b):
Critical services: [list services that must continue during disruption]
Risk scenarios: [cyber attacks, ransomware, system failures, supply chain disruption, natural disasters]
BCP/DR framework:
1. Business impact analysis
- Critical business functions and supporting systems
- Maximum tolerable downtime (MTD) for each function
- Recovery time objectives (RTO) and recovery point objectives (RPO)
- Dependencies and interdependencies
2. Continuity strategies
- Redundancy and failover (active-active, active-passive)
- Geographic diversity (multi-site, multi-cloud, multi-region)
- Backup systems and data (frequency, retention, encryption, off-site storage)
- Alternative processes (manual workarounds, degraded mode operation)
- Supply chain continuity (alternative suppliers)
3. DR plans for key scenarios
- Ransomware: Isolation, clean recovery, data restoration from offline backups
- Infrastructure failure: Failover to backup site/cloud region
- Supply chain attack: Isolation of affected components, patching, rebuild
4. Testing and exercises (NIS2 requires regular testing)
- Tabletop exercises: [frequency, e.g., annual]
- Technical recovery tests: [frequency, e.g., quarterly for critical systems]
- Full DR simulation: [frequency, e.g., annual]
- Lessons learned and plan updates
5. Governance and awareness
- Management body approval of BCP/DR plans
- Staff training on continuity procedures
- Communication plans (internal, customers, authorities, public)
Create testing schedules, test scenarios, and documentation templates for test results and plan updates.
Supply chain security
Supply chain cybersecurity management
Implement supply chain security measures per NIS2 Article 21(2)(c):
Our supply chain:
- Critical suppliers: [ICT providers, software vendors, managed service providers, cloud providers]
- Direct suppliers with access to our systems/data
- Sub-suppliers and fourth-party risks
Supply chain security framework:
1. Supplier risk assessment
- Criticality classification (critical/high/medium/low based on access, data, service dependency)
- Security posture evaluation (certifications, audits, questionnaires)
- Geographic and geopolitical risk (supplier location, data location)
- Concentration risk (over-reliance on single supplier)
2. Security requirements in contracts
- Cybersecurity and resilience obligations
- Incident notification requirements (supplier must notify us promptly)
- Audit and inspection rights
- Compliance with NIS2 and related regulations
- Subcontracting restrictions and notifications
- Data protection and location requirements
- Liability and indemnification for security incidents
3. Ongoing supplier monitoring
- Annual security reviews or continuous monitoring
- Vulnerability and patch management coordination
- Incident information sharing
- Performance against SLAs including security metrics
4. Vulnerability management of supply chain
- Software bill of materials (SBOM) for critical software
- Vulnerability scanning and assessment of supplied products
- Coordinated disclosure and patching with suppliers
- Evaluation of supplier security advisories
5. Exit and contingency planning
- Alternative suppliers identified
- Data retrieval and transition procedures
- Escrow arrangements for critical software
- Business continuity if supplier fails or is compromised
Create supplier security assessment templates, contract clauses, and monitoring procedures aligned with NIS2 supply chain requirements. NIS2 emphasizes supply chain security following major supply chain attacks (SolarWinds, Log4j). Coordinate with direct suppliers on vulnerability management and incident notification.
Technical and organizational measures
Security baseline controls (Cyber Hygiene)
Implement basic cybersecurity hygiene measures per NIS2 Article 21(2)(e):
Cyber hygiene controls:
1. Access control and authentication
- Multi-factor authentication (MFA) for all user access, especially privileged and remote
- Least privilege and role-based access control (RBAC)
- Regular access reviews and recertification
- Privileged access management (PAM) for administrative accounts
- Password policies aligned with current standards (length, complexity, rotation)
2. Vulnerability and patch management
- Vulnerability scanning (internal, external, applications)
- Patch management process (assessment, testing, deployment within SLA)
- Prioritization based on risk (CVSS scores, exploitability, asset criticality)
- Emergency patching for critical vulnerabilities
- Virtual patching or compensating controls when immediate patching isn't possible
3. Asset management
- Inventory of all hardware and software assets
- Asset lifecycle management (procurement, deployment, decommissioning)
- Configuration management database (CMDB)
- Removal of unauthorized or end-of-life assets
4. Network security
- Network segmentation (separate critical systems, DMZs, user networks)
- Firewall and intrusion prevention systems
- Secure configuration of network devices
- Monitoring and logging of network traffic
5. Endpoint protection
- Endpoint detection and response (EDR) or antivirus/anti-malware
- Host-based firewalls and intrusion detection
- Application whitelisting for high-security environments
- Device encryption and secure boot
6. Cryptography and secure communications
- Encryption of data at rest (databases, file systems, backups)
- Encryption of data in transit (TLS for web, VPN for remote access, email encryption)
- Secure communication channels for sensitive information
- Cryptographic key management
7. Email and web security
- Email filtering (anti-spam, anti-phishing, malware detection)
- Web filtering and content inspection
- Safe browsing practices and tools
Design a cyber hygiene baseline tailored to our systems: [describe infrastructure, applications, user environment].
Security monitoring and logging
Implement security monitoring and logging capabilities per NIS2 requirements:
Monitoring strategy:
1. Log collection and centralization
- Log sources: [servers, network devices, applications, security tools, cloud services]
- Centralized logging (SIEM or log management platform)
- Log retention: [duration based on legal/regulatory requirements and investigation needs]
2. Security event detection
- Use cases and correlation rules (failed logins, privilege escalation, malware, data exfiltration, anomalous behavior)
- Threat intelligence integration (indicators of compromise, threat feeds)
- Automated alerting and escalation
- 24/7 monitoring or business-hours coverage (specify)
3. Incident detection and response integration
- Alert triage and investigation procedures
- Integration with incident response workflow
- Playbooks for common scenarios
- Escalation paths (SOC → IR team → management → authorities if significant)
4. Vulnerability and compliance monitoring
- Continuous vulnerability scanning
- Configuration compliance monitoring (CIS benchmarks, hardening standards)
- Security posture dashboards
5. User and entity behavior analytics (UEBA)
- Baseline normal behavior
- Detect anomalies (unusual access, data exfiltration, insider threats)
Tools and technologies: [specify if you have SIEM, EDR, NDR, cloud-native monitoring]
Create monitoring playbook, alert definitions, and escalation matrix.
Governance and accountability
Management body responsibilities (Article 20)
Define management body cybersecurity responsibilities per NIS2 Article 20:
Our governance structure:
- Management body: [board of directors, executive team]
- Cybersecurity function: [CISO, IT Security team]
- Reporting relationships: [how cybersecurity reaches management]
Management body obligations under NIS2:
1. Approval and oversight
- Approve cybersecurity risk management measures (policies, frameworks)
- Oversee implementation of cybersecurity measures
- Approve cybersecurity budget and resource allocation
- Review and approve incident response plans and BCP/DR
2. Training and expertise
- Undergo cybersecurity training to understand risks and obligations
- Maintain sufficient knowledge to oversee cybersecurity effectively
- Document training completion (evidence for supervisory audits)
3. Accountability
- Management can be held personally liable for non-compliance in some Member States
- Supervisory measures may target individual managers
- Ensure compliance with NIS2 is management body responsibility
Create:
- Terms of reference for cybersecurity oversight (board committee or full board)
- Management cybersecurity dashboard (risk metrics, incidents, compliance status)
- Meeting frequency and agenda (quarterly cybersecurity deep-dive minimum)
- Training program for non-technical board members
- Documentation of management approvals and oversight activities
NIS2 elevates cybersecurity to a board-level issue; ensure active engagement, not passive approval.
Compliance monitoring and reporting
Establish NIS2 compliance monitoring and documentation:
Compliance monitoring framework:
1. Registration and initial compliance
- Register with competent national authority (if required in Member State)
- Confirm essential or important entity status
- Identify applicable obligations
- Submit required initial notifications or self-declarations
2. Ongoing compliance tracking
- Control effectiveness monitoring (KPIs for each NIS2 requirement)
- Incident register (all incidents, highlighting significant ones reported)
- Training records (management body and staff)
- Testing and exercise records (BCP/DR, incident response)
- Risk assessments and updates
- Audit and inspection findings and remediation
3. Supervisory interaction
- Respond to information requests from competent authority
- Cooperate with audits and on-site inspections
- Submit periodic compliance reports (if required by Member State)
- Notify of significant changes (M&A, service changes, incidents)
4. Documentation repository
- Cybersecurity policies and procedures
- Risk assessments and risk treatment plans
- Incident records and notifications
- BCP/DR plans and test results
- Supplier assessments and contracts
- Management body meeting minutes and approvals
- Training records
- Audit reports (internal, external, supervisory)
Create compliance dashboard, documentation index, and evidence collection procedures for supervisory inspections. NIS2 introduces significant penalties: Up to €10 million or 2% of global annual turnover (essential entities) or €7 million / 1.4% (important entities). Ensure robust compliance monitoring to avoid enforcement actions.
Sector-specific considerations
Tailoring NIS2 to sector-specific needs
Customize NIS2 compliance for sector-specific requirements:
Our sector: [energy/transport/health/banking/digital infrastructure/manufacturing/other]
Sector-specific considerations:
Energy sector:
- OT/ICS cybersecurity (SCADA, industrial control systems)
- Integration with sector-specific regulations (electricity, gas directives)
- Physical-cyber convergence threats
- Cross-border electricity/gas grid coordination
Transport:
- Aviation cybersecurity regulations (e.g., EASA)
- Maritime and port security
- Rail signaling and control systems
- Integration with safety management systems
Health:
- Medical device cybersecurity
- Patient data protection (GDPR alignment)
- Life-safety systems and emergency services
- Research data and intellectual property
Banking/Financial (overlap with DORA):
- Integration with DORA digital operational resilience requirements
- Payment system security
- Critical financial infrastructure
- Supervision by financial regulators
Digital infrastructure/services:
- High risk profile (attractive targets)
- DNS, TLD registries, cloud services, data centers, CDNs, trust service providers
- Cascade effects on other sectors
- Coordinated vulnerability disclosure programs
Manufacturing:
- Intellectual property protection (trade secrets, designs)
- Supply chain complexity (global suppliers)
- OT cybersecurity in production environments
- Product security (IoT, connected products)
Identify sector-specific guidance from ENISA, national authorities, or sector regulators. Align NIS2 with other sector regulations to create integrated compliance. Many sectors have existing cybersecurity requirements. Map NIS2 to your sector regulations (e.g., DORA for finance, MDR for medical devices) to build an integrated compliance program rather than parallel efforts.