How to create NIS2 cybersecurity policies using AI

Overview

You'll learn how to use AI to create comprehensive cybersecurity policies for each of the ten measure areas required by NIS2 Article 21(2). This guide walks through every policy type, provides specific ISMS Copilot prompts to generate each one, explains what auditors and supervisory authorities expect, and shows how to structure your policy documentation for audit readiness.

Who this is for

This guide is for:

  • CISOs and compliance officers responsible for developing NIS2-compliant policy documentation

  • Security consultants drafting policy sets for clients across NIS2-regulated sectors

  • GRC teams managing policy creation alongside existing ISO 27001, DORA, or GDPR documentation

  • IT managers who need practical, implementable policies rather than generic templates

  • Management body members who must approve these policies under Article 20

Before you begin

You will need:

  • An ISMS Copilot account (free trial available)

  • Your NIS2 gap analysis results identifying which policies are missing or insufficient -- see How to Get Started with NIS2 Implementation Using AI

  • Your completed risk assessment and risk treatment plans -- see How to Conduct NIS2 Risk Assessment Using AI

  • Understanding of your organization's size, sector, and operational context

  • Existing policies (if any) to upload for gap analysis and alignment

NIS2 Article 21(2) lists ten specific measure areas that your cybersecurity risk management measures must include "at least." This means these ten areas are the minimum -- national transposition laws may add additional requirements. Your policy set must cover all ten to satisfy supervisory authorities.

Understanding NIS2 policy requirements

What Article 21(2) requires

Article 21(2) requires that the cybersecurity risk management measures referred to in Article 21(1) be based on an all-hazards approach (protecting network and information systems and their physical environment from incidents) and include at least the following:

Article 21(2) reference | Measure area | Policy documents needed
(a) | Policies on risk analysis and information system security | Information Security Policy, Risk Assessment Policy
(b) | Incident handling | Incident Response Policy, Incident Classification Procedure
(c) | Business continuity (including backup management and disaster recovery) and crisis management | Business Continuity Policy, Disaster Recovery Plan, Backup Policy, Crisis Management Plan
(d) | Supply chain security, including security-related aspects of relationships with direct suppliers and service providers | Supply Chain Security Policy, Supplier Assessment Procedure
(e) | Security in network and information system acquisition, development and maintenance, including vulnerability handling and disclosure | Secure Development Policy, Vulnerability Management Policy
(f) | Policies and procedures to assess the effectiveness of cybersecurity risk management measures | Security Testing and Assessment Policy, Internal Audit Procedure
(g) | Basic cyber hygiene practices and cybersecurity training | Cyber Hygiene and Awareness Policy, Training Program
(h) | Policies and procedures regarding the use of cryptography and, where appropriate, encryption | Cryptography and Encryption Policy
(i) | Human resources security, access control policies and asset management | HR Security Policy, Access Control Policy, Asset Management Policy
(j) | MFA or continuous authentication, secured voice/video/text communications and secured emergency communication systems, where appropriate | Authentication Policy, Secure Communications Policy

Policy versus procedure: Supervisory authorities distinguish between policies (high-level statements of intent and requirements) and procedures (detailed step-by-step operational instructions). You need both. Policies set the rules; procedures describe how to follow them. ISMS Copilot generates both when you specify the document type.

Policy quality standards for NIS2

Each policy document should include:

  • Purpose and scope: What the policy covers and who it applies to

  • NIS2 reference: Which Article 21(2) measure area(s) the policy addresses

  • Definitions: Key terms used throughout the document

  • Policy statements: Clear, enforceable requirements

  • Roles and responsibilities: Who is accountable for what

  • Implementation requirements: Specific controls and measures

  • Monitoring and review: How effectiveness is assessed

  • Non-compliance consequences: Enforcement provisions

  • Approval and version control: Document management with management body sign-off

Step 1: Generate the overarching Information Security Policy

Article 21(2)(a) -- Risk analysis and information system security

The overarching Information Security Policy is the foundation document that establishes your organization's commitment to cybersecurity and provides the framework for all other policies. This addresses the first measure area and ties together all subsequent policies.

  1. Generate the core policy:

    "Create a comprehensive Information Security Policy aligned with NIS2 Article 21(2)(a) for a [sector] organization classified as an [essential/important] entity with [employee count] employees. The policy should cover: policy purpose and NIS2 regulatory context, scope of network and information systems covered, management body commitment and oversight obligations per Article 20, risk management framework overview, security principles (confidentiality, integrity, availability), reference to the ten Article 21 measure areas and supporting policies, roles and responsibilities (management body, CISO, risk owners, all employees), compliance requirements and consequences of non-compliance, review cycle and continuous improvement. Include document control section with approval by the management body."

  2. Generate the supporting Risk Assessment Policy:

    "Create a Risk Assessment Policy aligned with NIS2 Article 21(2)(a) for our organization. Cover: risk assessment methodology (the all-hazards approach required by the Article 21(2) chapeau), risk identification, analysis, and evaluation processes, risk acceptance criteria and approval authority, risk treatment options and documentation requirements, integration with asset management and threat intelligence, review frequency and trigger events for reassessment, and management body approval requirements. Cross-reference our Risk Assessment Methodology document."

Layered approach: Generate the overarching Information Security Policy first, then use it as context for all subsequent policies. Ask ISMS Copilot: "Use our Information Security Policy as the parent document and ensure this [specific] policy is consistent with its principles and structure."

Step 2: Generate the Incident Handling Policy

Article 21(2)(b) -- Incident handling

NIS2 imposes strict incident handling requirements including detection, prevention, response, and recovery, plus the Article 23 reporting timelines. Your policy must address both internal response and external notification obligations.

  1. Generate the Incident Response Policy:

    "Create an Incident Response Policy aligned with NIS2 Article 21(2)(b) and Article 23 reporting requirements for our [sector] organization. Include: incident definition and classification criteria aligned with NIS2 significance thresholds, incident detection and monitoring requirements, incident response phases (preparation, identification, containment, eradication, recovery, lessons learned), NIS2 reporting obligations -- early warning to the CSIRT (or competent authority, where applicable) within 24 hours of becoming aware of a significant incident, incident notification within 72 hours of becoming aware with an initial assessment of severity and impact and, where available, indicators of compromise, final report within one month of the incident notification with root cause analysis and mitigation measures, escalation matrix from operational team to management body, roles and responsibilities (incident manager, response team, CSIRT liaison, legal, communications), evidence preservation and chain of custody, voluntary reporting of near-misses and threats, and post-incident review process."

  2. Generate the Incident Classification Procedure:

    "Create a detailed Incident Classification Procedure for NIS2 compliance. Include: classification criteria for determining whether an incident is 'significant' under NIS2 Article 23(3) -- (a) it has caused or is capable of causing severe operational disruption of services or financial loss for the entity, or (b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. Make clear that potential impact counts, not only impact already realised. Provide a classification matrix with severity levels, impact assessment criteria, and clear decision trees for when to trigger the 24-hour early warning notification. Include examples specific to our [sector] sector."

For a comprehensive deep dive into NIS2 incident reporting workflows, templates, and playbooks, see How to Implement NIS2 Incident Reporting Using AI -- the next guide in this series.

Step 3: Generate Business Continuity and Disaster Recovery Policies

Article 21(2)(c) -- Business continuity, backup management, disaster recovery, crisis management

This measure area requires a comprehensive suite of documents addressing how your organization maintains and restores services during and after disruptions.

  1. Generate the Business Continuity Policy:

    "Create a Business Continuity Policy aligned with NIS2 Article 21(2)(c) for a [sector] [essential/important] entity. Include: business impact analysis methodology and requirements, recovery time objectives (RTO) and recovery point objectives (RPO) for essential/important services, business continuity plan activation criteria and procedures, crisis management governance and escalation, communication protocols during disruptions (internal, external, authorities, media), integration with NIS2 incident reporting (a disruption that meets the Article 23(3) significance criteria triggers the 24-hour early warning), testing and exercise requirements (minimum annually), supply chain continuity considerations, and management body oversight obligations."

  2. Generate the Disaster Recovery Plan:

    "Create a Disaster Recovery Plan template aligned with NIS2 Article 21(2)(c) for our IT infrastructure. Cover: disaster scenarios specific to our [sector] (ransomware, data center failure, cloud provider outage, natural disaster), recovery strategy by system criticality tier, detailed recovery procedures for critical systems (step-by-step), failover and fallback procedures, data restoration from backups, communication and coordination protocols, recovery testing schedule and documentation requirements, and dependencies on suppliers and third-party services."

  3. Generate the Backup Management Policy:

    "Create a Backup Management Policy aligned with NIS2 Article 21(2)(c). Cover: backup scope (all critical systems, data, and configurations), backup frequency by data classification and RPO requirements, backup methods (full, incremental, differential), offline and air-gapped backup requirements (ransomware resilience), backup encryption and access control, backup storage locations (on-site, off-site, cloud) with geographic considerations, restoration testing schedule and success criteria, backup monitoring and alerting, retention periods, and roles and responsibilities."

  4. Generate the Crisis Management Plan:

    "Create a Crisis Management Plan aligned with NIS2 Article 21(2)(c) for our organization. Cover: crisis definition and activation criteria, crisis management team composition and contact information, decision-making authority during crisis, internal and external communication protocols, coordination with national CSIRT and competent authority, media and public communication guidelines, crisis escalation and de-escalation procedures, post-crisis review and lessons learned process, and integration with NIS2 incident reporting timelines."

Step 4: Generate the Supply Chain Security Policy

Article 21(2)(d) -- Supply chain security

NIS2 places significant emphasis on supply chain security. Your policy must address security-related aspects of relationships with direct suppliers and service providers.

  1. Generate the Supply Chain Security Policy:

    "Create a Supply Chain Security Policy aligned with NIS2 Article 21(2)(d) for our [sector] organization. Include: supplier risk assessment methodology and criteria, security requirements for different supplier risk tiers, pre-contract security due diligence requirements, mandatory security clauses for contracts (audit rights, incident notification, security standards, subcontractor controls), ongoing supplier monitoring and review schedule, vulnerability management across the supply chain, procedures for supplier-related incident response, supplier exit and transition requirements, and coordination with sector-specific supply chain risk assessments. Reference ENISA supply chain security guidance."

For comprehensive guidance on NIS2 supply chain security implementation including questionnaires, vendor assessment frameworks, and contractual requirements, see How to Manage NIS2 Supply Chain Security Using AI in this series.

Step 5: Generate Network Security and Vulnerability Management Policies

Article 21(2)(e) -- Security in acquisition, development, and maintenance; vulnerability handling

This measure area covers the security of your network and information systems throughout their lifecycle, plus vulnerability management and disclosure.

  1. Generate the Secure Development and Acquisition Policy:

    "Create a Secure Development and Acquisition Policy aligned with NIS2 Article 21(2)(e) for our organization. Cover: security requirements in procurement specifications, vendor security assessment before acquisition, secure software development lifecycle (SDLC) requirements, security testing before deployment (code review, SAST, DAST, penetration testing), change management and security impact assessment, patch management and update procedures, secure configuration standards and hardening guidelines, decommissioning and secure disposal procedures, and open-source software security management."

  2. Generate the Vulnerability Management Policy:

    "Create a Vulnerability Management Policy aligned with NIS2 Article 21(2)(e) for our [sector] organization. Cover: vulnerability identification sources (scanning, threat intelligence, vendor advisories, CERT alerts), vulnerability scanning scope and frequency (weekly for critical systems, monthly for others), vulnerability classification and prioritization (CVSS scoring, exploitability, business context), remediation timelines by severity (critical: 24-72 hours, high: 7 days, medium: 30 days, low: 90 days), exceptions and risk acceptance process for delayed patching, coordinated vulnerability disclosure (CVD) policy, vulnerability reporting from employees and external researchers, emergency patching procedures, and OT/ICS-specific vulnerability management considerations for [sector]."

OT/ICS considerations: If your organization operates in energy, water, transport, or manufacturing sectors, your vulnerability management policy must address the unique challenges of patching operational technology systems where availability takes precedence and maintenance windows are restricted. Ask ISMS Copilot to include OT-specific provisions.
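The remediation windows and prioritisation factors in the prompt above are easy to state and easy to lose track of once a scanner produces hundreds of findings. The following Python script is an added example written for this guide (it is not ISMS Copilot output and not part of the original page). It derives each finding's due date from its CVSS band plus the exploitability and business-context escalations the policy calls for, and applies the OT rule from the note above: an overdue finding on an OT asset needs a documented, time-boxed exception tied to the next maintenance window, not an out-of-window patch. The severity thresholds follow the CVSS v3.x qualitative bands; the sample findings, asset names and dates are constructed, and the 72-hour critical window, one-level escalation rule and exception handling are assumptions an organisation would set in its own policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Remediation windows from the Vulnerability Management Policy prompt above
# (critical: 24-72 hours, taken here as the 72-hour outer bound; high: 7 days;
# medium: 30 days; low: 90 days). Assumed policy values, not NIS2 text.
SLA_HOURS = {"critical": 72, "high": 7 * 24, "medium": 30 * 24, "low": 90 * 24}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


@dataclass
class Finding:
    finding_id: str
    asset: str
    cvss: float                       # CVSS v3.x base score
    discovered: datetime              # when the finding entered the tracker (UTC)
    exploited_in_wild: bool = False   # e.g. listed in a known-exploited catalogue
    asset_tier: str = "standard"      # "critical" for systems supporting essential services
    ot: bool = False                  # operational technology: patch only in a maintenance window
    exception_until: Optional[datetime] = None  # approved risk-acceptance expiry, if any


def cvss_band(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def effective_severity(f: Finding) -> str:
    """Policy prioritisation (assumed rule): CVSS band, raised one level when the
    flaw is known to be exploited or the asset supports an essential service."""
    level = SEVERITY_ORDER.index(cvss_band(f.cvss))
    if f.exploited_in_wild or f.asset_tier == "critical":
        level = min(level + 1, len(SEVERITY_ORDER) - 1)
    return SEVERITY_ORDER[level]


def due_date(f: Finding) -> datetime:
    return f.discovered + timedelta(hours=SLA_HOURS[effective_severity(f)])


def triage(f: Finding, now: datetime) -> dict:
    """Return the SLA status and the action the policy expects for one finding."""
    severity = effective_severity(f)
    due = due_date(f)
    if f.exception_until is not None and now <= f.exception_until:
        status, action = "exception_active", "monitor compensating controls until exception expiry"
    elif now > due:
        status = "overdue"
        if f.ot:
            # OT rule: availability wins, so the finding is parked behind a documented
            # exception with compensating controls until the next maintenance window.
            action = ("raise risk-acceptance exception with compensating controls; "
                      "schedule patch for next maintenance window")
        elif f.exception_until is not None:
            action = "exception expired: remediate now or re-approve with management sign-off"
        else:
            action = "escalate to risk owner; remediate immediately"
    else:
        status, action = "within_sla", "remediate before due date"
    return {"id": f.finding_id, "severity": severity, "due": due, "status": status, "action": action}


def sla_report(findings, now):
    """Triage every finding; overdue items first, then by severity, then by due date."""
    rows = [triage(f, now) for f in findings]
    rows.sort(key=lambda r: (r["status"] != "overdue", -SEVERITY_ORDER.index(r["severity"]), r["due"]))
    return rows


# Constructed sample findings for illustration only; not real scan output.
UTC = timezone.utc
NOW = datetime(2025, 3, 10, 12, 0, tzinfo=UTC)
SAMPLE = [
    Finding("VULN-001", "erp-db-01", 9.8, datetime(2025, 3, 5, 8, 0, tzinfo=UTC)),
    Finding("VULN-002", "vpn-gw-01", 7.5, datetime(2025, 3, 9, 9, 0, tzinfo=UTC), exploited_in_wild=True),
    Finding("VULN-003", "plc-hmi-07", 5.3, datetime(2025, 2, 1, tzinfo=UTC), ot=True,
            exception_until=datetime(2025, 4, 15, tzinfo=UTC)),
    Finding("VULN-004", "intranet-wiki", 3.1, datetime(2025, 1, 1, tzinfo=UTC)),
    Finding("VULN-005", "hr-portal", 6.0, datetime(2025, 1, 20, tzinfo=UTC),
            exception_until=datetime(2025, 3, 1, tzinfo=UTC)),
    Finding("VULN-006", "scada-hist-02", 8.1, datetime(2025, 2, 20, tzinfo=UTC), ot=True),
]

if __name__ == "__main__":
    for row in sla_report(SAMPLE, NOW):
        print(f"{row['id']}  {row['severity']:<8} due {row['due']:%Y-%m-%d %H:%M}  "
              f"{row['status']:<16} {row['action']}")
```

The output is the evidence an auditor asks for under measure area (e) and (f): which findings breached their window, which sit behind an approved exception with an expiry date, and which OT items are waiting on a maintenance window. Treat expired exceptions as breaches, not as silently extended acceptances.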

Step 6: Generate the Effectiveness Assessment Policy

Article 21(2)(f) -- Policies and procedures to assess effectiveness

NIS2 requires you to regularly assess whether your cybersecurity measures are actually working. This goes beyond just having controls in place -- you must test and verify their effectiveness.

  1. Generate the Security Testing and Assessment Policy:

    "Create a Security Testing and Effectiveness Assessment Policy aligned with NIS2 Article 21(2)(f) for our [essential/important] entity. Cover: types of effectiveness assessments (vulnerability assessments, penetration testing, red team exercises, tabletop exercises, control testing), assessment scope and frequency (annual minimum for comprehensive testing, quarterly for high-risk areas), internal vs external testing requirements, testing methodology and standards (OWASP, PTES, NIST SP 800-115), metrics and KPIs for measuring cybersecurity effectiveness, reporting of assessment results to the management body, corrective action tracking and remediation verification, integration with risk assessment updates, and continuous monitoring requirements."

  2. Generate the Internal Cybersecurity Audit Procedure:

    "Create an Internal Cybersecurity Audit Procedure for NIS2 compliance. Cover: audit scope covering all ten Article 21(2) measure areas, audit planning and scheduling (annual cycle), auditor independence and competency requirements, audit methodology (document review, interviews, technical testing, evidence sampling), audit reporting format with findings categorized by severity, management response and corrective action requirements, follow-up verification of corrective actions, and management body reporting on audit results."

Step 7: Generate the Cyber Hygiene and Training Policy

Article 21(2)(g) -- Basic cyber hygiene practices and cybersecurity training

NIS2 Article 20 specifically requires that management body members follow cybersecurity training and that entities encourage all employees to participate in regular training. Article 21(2)(g) extends this to basic cyber hygiene practices.

  1. Generate the Cyber Hygiene and Awareness Policy:

    "Create a Cyber Hygiene and Awareness Training Policy aligned with NIS2 Article 21(2)(g) and Article 20 training requirements. Cover: mandatory cybersecurity training for management body members (content, frequency, evidence), role-based training for all employees (IT/security, general staff, contractors), new joiner security induction requirements, basic cyber hygiene practices to be adopted organization-wide (password management, phishing awareness, clean desk, device security, secure browsing, removable media), phishing simulation and social engineering testing, training effectiveness measurement and assessment, ongoing awareness activities (newsletters, alerts, security champions), sector-specific security awareness for [sector] operations, training records and evidence documentation, and annual training plan with calendar."

Management body training evidence: Supervisory authorities will specifically check whether management body members have completed cybersecurity training as required by Article 20(2). Generate a board-level training program and maintain sign-off records. This is one of the first things auditors verify during NIS2 inspections.

Step 8: Generate the Cryptography and Encryption Policy

Article 21(2)(h) -- Cryptography and encryption

NIS2 requires policies on the use of cryptography and, where appropriate, encryption to protect the confidentiality and integrity of data.

  1. Generate the Cryptography and Encryption Policy:

    "Create a Cryptography and Encryption Policy aligned with NIS2 Article 21(2)(h) for our [sector] organization. Cover: approved cryptographic algorithms and key lengths (aligned with ENISA and national recommendations), data encryption requirements by classification (data at rest, data in transit, data in use), TLS/SSL configuration standards (minimum TLS 1.2, prefer TLS 1.3), email encryption and digital signatures, full disk encryption requirements for endpoints and mobile devices, database encryption standards, cryptographic key management lifecycle (generation, distribution, storage, rotation, revocation, destruction), hardware security module (HSM) usage where applicable, certificate management and PKI governance, post-quantum cryptography awareness and transition planning, sector-specific cryptography requirements for [sector], and prohibited algorithms and protocols (MD5, SHA-1, DES, SSL 3.0, TLS 1.0/1.1)."
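The protocol floor and prohibited-algorithm list in the prompt above only matter if they are checked against what systems actually negotiate. The following Python example is added to this guide (it is not ISMS Copilot output and not part of the original page). It builds a client ssl.SSLContext that enforces the policy (TLS 1.2 floor, TLS 1.3 allowed, forward-secret AEAD suites only) and audits TLS settings against the policy, whether taken from a live context or from a scanner report. The LEGACY_APPLIANCE record is constructed illustrative scanner output, not a real device; the token list of prohibited primitives and the cipher string are assumptions that mirror the policy text and would be tuned to your approved-algorithm list.

```python
import re
import ssl

# Primitives the Cryptography and Encryption Policy prohibits, keyed by the token that
# names them in OpenSSL/IANA cipher-suite names. Names are split into tokens so that
# "AES" is never mistaken for "DES". Assumed list; extend it to match your policy.
PROHIBITED_TOKENS = {
    "MD5": "MD5",
    "DES": "DES/3DES",
    "RC4": "RC4",
    "NULL": "NULL cipher",
    "EXP": "export-grade",
    "SHA": "SHA-1 MAC",   # bare "SHA" marks an HMAC-SHA1 suite, e.g. AES128-SHA
}
POLICY_FLOOR = ssl.TLSVersion.TLSv1_2


def audit_tls_settings(min_version, cipher_names, max_version=ssl.TLSVersion.MAXIMUM_SUPPORTED):
    """Return a list of policy findings (empty means compliant)."""
    findings = []
    if min_version < POLICY_FLOOR:
        findings.append(f"minimum protocol version {min_version.name} is below the policy floor TLS 1.2")
    if max_version not in (ssl.TLSVersion.MAXIMUM_SUPPORTED, ssl.TLSVersion.TLSv1_3):
        findings.append(f"TLS 1.3 is not offered (maximum version {max_version.name}); policy prefers TLS 1.3")
    for name in cipher_names:
        tokens = re.split(r"[-_]", name)
        hits = [label for token, label in PROHIBITED_TOKENS.items() if token in tokens]
        if hits:
            findings.append(f"cipher suite {name} uses prohibited primitive(s): {', '.join(hits)}")
    return findings


def policy_context() -> ssl.SSLContext:
    """Client context that enforces the policy: TLS 1.2 floor, TLS 1.3 allowed,
    forward-secret AEAD suites only, SHA-1/MD5/DES/RC4 excluded (assumed cipher string)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL:!MD5:!SHA1")
    return ctx


def audit_context(ctx: ssl.SSLContext):
    """Audit a live SSLContext (TLS 1.3 suites are reported by get_ciphers() too)."""
    return audit_tls_settings(ctx.minimum_version,
                              [c["name"] for c in ctx.get_ciphers()],
                              ctx.maximum_version)


# Constructed record: what a TLS scanner might report for an unmanaged legacy appliance.
LEGACY_APPLIANCE = {
    "min_version": ssl.TLSVersion.TLSv1,
    "max_version": ssl.TLSVersion.TLSv1_2,
    "ciphers": ["RC4-MD5", "DES-CBC3-SHA", "AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384"],
}

if __name__ == "__main__":
    print("policy context:", audit_context(policy_context()) or "compliant")
    for finding in audit_tls_settings(LEGACY_APPLIANCE["min_version"],
                                      LEGACY_APPLIANCE["ciphers"],
                                      LEGACY_APPLIANCE["max_version"]):
        print("legacy appliance:", finding)
```

Run the audit as part of the effectiveness assessments under measure area (f): feed it the negotiated parameters from your TLS scanner and keep the output with the policy as evidence that the prohibited-algorithm list is enforced, not merely written down.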

Step 9: Generate HR Security, Access Control, and Asset Management Policies

Article 21(2)(i) -- Human resources security, access control, and asset management

This combined measure area covers three interrelated domains. You should create separate policies for each to maintain clarity and manageability.

  1. Generate the Human Resources Security Policy:

    "Create a Human Resources Security Policy aligned with NIS2 Article 21(2)(i) for our organization. Cover: pre-employment security screening (background checks, reference verification), security terms in employment contracts, security awareness during onboarding, security responsibilities during employment, disciplinary process for security violations, termination and change-of-role procedures (access revocation, asset return, knowledge transfer), contractor and third-party personnel security requirements, and confidentiality and non-disclosure agreements."

  2. Generate the Access Control Policy:

    "Create an Access Control Policy aligned with NIS2 Article 21(2)(i) for our [sector] organization. Cover: access control principles (least privilege, need-to-know, separation of duties), user access provisioning and de-provisioning procedures, access review and recertification schedule (quarterly for privileged access, semi-annually for standard), privileged access management (PAM) requirements, remote access security requirements, third-party and contractor access controls, access logging and monitoring requirements, service account management, role-based access control (RBAC) implementation, and emergency access procedures."

  3. Generate the Asset Management Policy:

    "Create an Asset Management Policy aligned with NIS2 Article 21(2)(i) for our organization. Cover: asset inventory requirements (hardware, software, information, services, people), asset classification criteria and handling rules, asset ownership and custodianship assignments, asset lifecycle management (acquisition, deployment, maintenance, disposal), acceptable use of assets, BYOD (bring your own device) policy, removable media controls, and secure disposal and destruction procedures."

Step 10: Generate the Authentication and Secure Communications Policy

Article 21(2)(j) -- MFA, continuous authentication, and secured communications

NIS2 specifically calls out multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems, each to be applied "where appropriate" to the entity's risk.

  1. Generate the Authentication Policy:

    "Create an Authentication Policy aligned with NIS2 Article 21(2)(j) for our [essential/important] entity. Cover: multi-factor authentication (MFA) requirements -- mandatory for all remote access, privileged accounts, critical systems, and cloud services, approved MFA methods (hardware tokens, authenticator apps, FIDO2) with phishing-resistant methods preferred, continuous authentication and adaptive access considerations, password policy (minimum length, screening against known-breached passwords, prohibition of reuse; forced periodic rotation only on evidence of compromise, in line with current guidance such as NIST SP 800-63B), single sign-on (SSO) implementation guidance, service-to-service authentication (API keys, certificates, service accounts), biometric authentication governance, authentication for OT/ICS environments where applicable, and authentication logging and anomaly detection."

  2. Generate the Secure Communications Policy:

    "Create a Secure Communications Policy aligned with NIS2 Article 21(2)(j) for our organization. Cover: secured voice communication requirements (encrypted VoIP, secure mobile communications), secured video conferencing standards (approved platforms, encryption requirements), secured text and messaging (approved enterprise messaging platforms, prohibition of consumer messaging for sensitive data), email security (TLS enforcement, S/MIME or PGP for sensitive communications), secured emergency communication systems (out-of-band communication channels for incident response, crisis communication tools that work when primary systems are compromised), and data loss prevention controls for communication channels."

Emergency communications: NIS2 specifically requires secured emergency communication systems. This means you need a communication channel that remains operational even when your primary network or information systems are compromised. Document your out-of-band communication plan and test it regularly.

Step 11: Review, align, and approve your policy set

Ensuring consistency across all policies

With all ten measure areas covered, review the complete policy set for consistency, cross-references, and completeness.

  1. Run a consistency check:

    "Review the following NIS2 policy documents for consistency. Check: (1) terminology is used consistently across all policies, (2) roles and responsibilities do not conflict, (3) cross-references between policies are correct, (4) all ten Article 21(2) measure areas are fully covered, (5) all policies reference the overarching Information Security Policy, (6) review cycles and approval processes are consistent, (7) no gaps exist between policies where a requirement could fall through the cracks."

  2. Create a policy framework index:

    "Create an NIS2 Cybersecurity Policy Framework Index that maps: each Article 21(2) measure area to the policy document(s) that address it, the document owner, approval authority (management body vs CISO), review frequency, current version, last review date, and next review date. Format as a table suitable for audit evidence."

  3. Prepare the management body approval package:

    "Create a management body approval package for our NIS2 cybersecurity policy set. Include: executive summary of all policies created, how they collectively address Article 21(2) requirements, a one-page summary of each policy's key provisions, the management body's specific approval and oversight obligations under Article 20, proposed review and update schedule, and a board resolution template for formal policy adoption."

Management body sign-off: Under Article 20, the management body must approve the cybersecurity risk management measures. This includes the policy set. Schedule a dedicated board session to review and formally approve the policy framework. Record the approval in board minutes and retain as audit evidence. The management body can delegate day-to-day oversight but cannot delegate accountability.

Maintaining and updating your policies

Policy lifecycle management

NIS2 policies are living documents that must be updated when:

  • Risk assessment results change

  • Incidents reveal policy gaps

  • New threats emerge that require updated controls

  • Organizational changes affect scope or responsibilities

  • National transposition laws are updated

  • Technology changes require updated technical controls

  • Effectiveness assessments identify improvement areas

"Create a Policy Review and Update Procedure for our NIS2 policy set. Include: scheduled review cycle (annual minimum for all policies), trigger events for unscheduled reviews, review process (content review, stakeholder consultation, management body approval), version control and change tracking procedures, communication of policy updates to affected personnel, and archive requirements for superseded versions."

Next steps

With your complete NIS2 policy set created and approved, you now have the documentation foundation for compliance.

Continue with the next guides in this series:

  • Incident reporting: See How to Implement NIS2 Incident Reporting Using AI to build the operational workflows, templates, and playbooks that operationalize your Incident Response Policy

  • Supply chain security: See How to Manage NIS2 Supply Chain Security Using AI to implement the supplier assessments and questionnaires described in your Supply Chain Security Policy

If you have not yet completed risk assessment, see How to Conduct NIS2 Risk Assessment Using AI -- your policies should be grounded in your risk assessment results. For initial setup and scoping, start with How to Get Started with NIS2 Implementation Using AI.

For ready-to-use policy generation prompts, explore the NIS2 Directive Prompt Library. For a comprehensive overview of all NIS2 requirements, see the NIS2 Compliance Guide for In-Scope Companies.

Getting help

For additional support with NIS2 policy creation:

  • Ask ISMS Copilot: Use your NIS2 workspace for ongoing policy questions, customization, and updates

  • Upload existing policies: Get AI-powered gap analysis to identify what needs to be created, updated, or strengthened

  • Sector customization: Ask for sector-specific provisions to add to generic policy templates (particularly important for energy, health, transport, and digital infrastructure sectors)

  • National transposition alignment: Ask about additional requirements your member state may have imposed beyond the Directive's baseline

Ready to generate your NIS2 policy set? Open your NIS2 workspace at chat.ismscopilot.com and start with the overarching Information Security Policy. Then work through each measure area systematically. With ISMS Copilot, you can generate a complete, audit-ready policy set in days rather than months.
