Viktoria Compliance

This document is a template provided as a starting point for your compliance documentation. It does not constitute legal advice and should be reviewed by a qualified legal professional before use. Viktoria Compliance accepts no liability for the use of this template.

NIS2 Compliance Policy — Template


Version 1.0.0 — Last updated 2026-04-25

1. Purpose and Scope

This NIS2 Compliance Policy ('Policy') sets out how [companyName] complies with Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 (the 'NIS2 Directive') and the applicable national transposition law of [supervisoryAuthority]. It applies to all business units, all ICT systems and networks operated or used by [companyName], and all employees, contractors, suppliers and third parties accessing those systems. [companyName] is classified as a [entityClassification] entity in the [sectorClassification] sector under the scope provisions of the NIS2 Directive (Annexes I and II). This Policy is approved by [approverName] and is effective as of 2026-04-26; it shall be reviewed on or before [reviewDate].

2. Definitions

In this Policy, the following terms have the meanings set out in Article 6 of the NIS2 Directive: 'network and information system', 'security of network and information systems', 'incident', 'significant incident', 'cyber threat', 'risk', 'essential entity' (Annex I), 'important entity' (Annex II), 'CSIRT' (Computer Security Incident Response Team), 'competent authority' and 'single point of contact'. 'Management body' has the meaning given in Article 20 and refers to the highest internal governance body of [companyName]. Capitalised terms not defined in this Policy bear the meaning given in the NIS2 Directive or the applicable national transposition law.

3. Compliance Framework

[companyName] aligns its cybersecurity programme with the following obligations of the NIS2 Directive: Article 20 (governance and management-body responsibility), Article 21 (cybersecurity risk-management measures), Article 22 (Union-level coordinated security risk assessments of supply chains), Article 23 (incident reporting). National-level requirements derived from these articles, as transposed in the law of [supervisoryAuthority]'s jurisdiction, are mapped to internal controls in the NIS2 control matrix maintained by the Compliance Officer. Where appropriate, controls are also mapped to recognised international standards (ISO/IEC 27001, ISO/IEC 27002, NIST CSF) to support audit and assurance activities.

4. Governance Structure

Overall accountability for cybersecurity rests with the management body of [companyName] in accordance with Article 20(1) of the NIS2 Directive. Operational governance is structured as follows: NIS2 Compliance Officer ([complianceOfficer]) — owns this Policy, the control matrix and all interactions with the supervisory authority; Chief Information Security Officer ([cisoName]) — owns implementation of cybersecurity risk-management measures under Article 21; Incident Manager ([incidentCommander]) — coordinates response and notification under Article 23; Data Protection Officer ([dpoName]) — coordinates with the Compliance Officer on incidents involving personal data, in line with Article 33 GDPR. Members of the management body undertake initial and recurring cybersecurity training in accordance with Article 20(2) of the NIS2 Directive.

5. Cybersecurity Risk Management (Article 21(1))

[companyName] adopts a risk-based approach to cybersecurity, taking account of the state of the art, the cost of implementation, and the size, exposure, and risk profile of [companyName]. The management body approves the risk methodology, the risk-acceptance criteria and the residual-risk register. Risks are identified, analysed, evaluated, treated and monitored through a documented cycle reviewed at least annually and following any significant change to operations, threat landscape, or regulatory environment. Risk treatment options are mitigation, transfer, acceptance and avoidance, with mitigation as the default for risks rated High or Critical. The risk register and treatment plan are made available to the supervisory authority [supervisoryAuthority] on request.

6. Security Measures (Article 21(2))

[companyName] implements the technical, operational and organisational measures listed in Article 21(2) of the NIS2 Directive: (a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity, including backup management and disaster recovery, and crisis management; (d) supply chain security; (e) security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure; (f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures; (g) basic cyber hygiene practices and cybersecurity training; (h) policies and procedures regarding the use of cryptography and, where appropriate, encryption; (i) human resources security, access control policies and asset management; (j) the use of multi-factor authentication or continuous authentication, secured voice/video/text communications, and secured emergency communications systems within [companyName] where appropriate. Each measure has a designated owner, an implementation status and an effectiveness review at least annually.

7. Incident Management

Significant incidents within the meaning of Article 23(3) of the NIS2 Directive are managed in accordance with [companyName]'s Incident Response Plan. An incident is significant where it has caused or is capable of causing severe operational disruption of services or financial loss, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. The Incident Manager [incidentCommander] coordinates detection, triage, containment, eradication, recovery and post-incident review. Incidents involving personal data trigger parallel handling under the GDPR breach procedure. All incidents are recorded in the incident register and reviewed at least quarterly to identify systemic issues and improvement actions.

8. Reporting Obligations (Article 23)

Where a significant incident is confirmed, [companyName] notifies the competent authority [supervisoryAuthority] and, where applicable, the recipients of its services as follows: (a) an early warning within twenty-four (24) hours of becoming aware of the significant incident, indicating whether it is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact; (b) an incident notification within seventy-two (72) hours, updating the early warning with an initial assessment of the incident, including its severity, impact and indicators of compromise; (c) intermediate reports on relevant status updates upon request of the competent authority; (d) a final report no later than one (1) month after submission of the incident notification, including a detailed description of the incident, its severity and impact, the type of threat or root cause, the mitigation measures applied and ongoing, and any cross-border impact. Notifications are issued through the channel designated by [supervisoryAuthority] and are signed off by the Incident Manager and the Compliance Officer.

9. Training and Awareness

All staff receive cybersecurity awareness training upon induction and at least annually thereafter, covering: phishing recognition, password and authentication hygiene, secure handling of personal and confidential data, safe use of remote-access and collaboration tools, recognition and reporting of suspected incidents. Role-based training is delivered to: privileged users (administrators, developers, operators), the management body and senior leadership (in accordance with Article 20(2) of the NIS2 Directive), and members of the incident response and crisis management teams. Training completion is tracked centrally; non-completion within the prescribed window triggers escalation to line management and, where necessary, restriction of access privileges.

10. Audit, Monitoring and Continuous Improvement

Internal audit reviews implementation of this Policy and the underlying control matrix at least annually, on a risk-prioritised basis. External audit, certification or independent assurance is obtained where required by the supervisory authority [supervisoryAuthority] or where commercially appropriate. Findings are reported to the management body, tracked through to closure, and used to update the Policy, the control matrix and the risk register. Key cybersecurity indicators (mean time to detect, mean time to respond, percentage of staff trained, percentage of patches applied within SLA, percentage of vendors assessed) are reported to the management body at least quarterly.

11. Management Approval and Document Control

This Policy is approved by [approverName] on behalf of the management body of [companyName] in accordance with Article 20 of the NIS2 Directive. The Compliance Officer [complianceOfficer] owns the Policy and is responsible for: distribution, version control, recording approvals, scheduling reviews, and maintaining evidence of compliance for inspection by the supervisory authority [supervisoryAuthority]. Material amendments to this Policy require re-approval by the management body. Non-material editorial changes may be made by the Compliance Officer and notified at the next management review.