NIS2 Templates: 72 Documents for Full Compliance

Practitioner note: This is not legal advice. For binding statements on specific obligations, consult a qualified attorney or compliance officer.

The NIS2 Directive (Directive (EU) 2022/2555) requires essential and important entities to maintain not a single compliance document but an entire documentation system. Article 21 (cybersecurity risk-management measures), Article 22 (coordinated security risk assessments of critical supply chains), Article 23 (reporting obligations) and Section 30 BSIG (the 10 minimum measure areas in the German transposition) translate into 50 to 80 individual documents in practice. This article lists all 72 templates contained in the NIS2 Kit and maps them to the 10 mandatory areas.

TL;DR

  • 72 NIS2 templates fully cover Articles 21, 22, 23 NIS2 Directive and Section 30 BSIG
  • 10 measure areas under Section 30(2) BSIG: ISMS, risk, incident response, BCM, supply chain, secure procurement, effectiveness review, cyber hygiene, cryptography, access control/MFA
  • Minimum set for supervisory requests: 5 documents within 30 days of registration obligation
  • Update annually plus event-driven for material changes (ISO 27001 clause 9.3)
  • Fine exposure: up to EUR 10 million or 2% of global annual turnover (essential entities)

1. Legal basis: which templates are mandatory under Articles 21, 22, 23 NIS2 Directive?

The NIS2 Directive does not list specific documents; it defines measure areas to be substantiated through documented processes, concepts and evidence. Three articles form the basis of any template collection:

Article 21 NIS2 Directive: cybersecurity risk-management measures

Article 21(2) sets out 10 minimum measure areas (points a to j), implemented verbatim in Section 30(2) BSIG. Each area requires its own templates: risk-analysis methodology, incident-handling concepts, business continuity, supply-chain security, secure procurement, effectiveness assessment, cyber hygiene and training, cryptography, personnel security, and access control with multi-factor authentication. Details: Section 30 BSIG: all 10 obligations in one table.

Article 22 NIS2 Directive: coordinated risk assessments of critical supply chains

The Cooperation Group under Article 14 of the NIS2 Directive conducts EU-wide coordinated risk assessments of critical supply chains (e.g. 5G, cloud hyperscalers). Entities must be able to respond — requiring supplier inventories, criticality classifications, audit templates and escalation paths. Deep dive: NIS2 supply-chain security.

Article 23 NIS2 Directive: reporting obligations

Article 23 establishes a three-stage reporting chain: early warning within 24 hours, incident notification within 72 hours, final report within one month. This requires predefined reporting channels, templates for each stage, contact lists and communication building blocks. Details: NIS2 reporting channels and incident documentation.

2. The 10 template categories at a glance

The 72 templates fall into 10 functional categories aligned with Section 30(2) BSIG:

  1. ISMS core documents: policy, scope, roles matrix, Statement of Applicability
  2. Risk management: methodology, protection-needs analysis, threat analysis, risk register, action plan
  3. Incident response: IRP, escalation, crisis team, 24h/72h/1M reporting templates, forensics guide
  4. BCM and disaster recovery: BIA, BCM plan, DR plan, RTO/RPO matrix, tabletop scenarios
  5. Supply-chain security: supplier inventory, audit templates, DPA security annex, exit strategies
  6. Secure procurement: procurement policy, security requirements catalog, SBOM templates
  7. Effectiveness review: audit plan, effectiveness checklists, KPI dashboard, management review
  8. Cyber hygiene and training: awareness concept, phishing-test templates, training records
  9. Cryptography and access control: crypto concept, MFA rollout, privileged access management
  10. Asset management and logging: asset inventory, classification scheme, logging concept, SIEM use cases

3. The 72 documents in detail

The table below maps every template to a category and the corresponding legal basis.

| Category | Template (selection) | Reference | Count |
|---|---|---|---|
| ISMS core | ISMS policy, scope, roles & responsibilities matrix, Statement of Applicability, document control, management-review minutes | Art. 21(2), ISO 27001 cl. 4–10 | 8 |
| Risk management | Risk-management methodology (BSI 200-3 / ISO 27005), protection-needs analysis, threat analysis, risk register, risk matrix, action plan | Art. 21(2)(a), Sec. 30(2) no. 1 BSIG | 9 |
| Incident response | Incident response plan, escalation matrix, crisis-team charter, 24h early-warning template, 72h notification, 1M final report, forensics checklist, lessons-learned template | Art. 21(2)(b), Art. 23, Sec. 32 BSIG | 10 |
| BCM and DR | Business impact analysis, BCM plan, disaster-recovery plan, RTO/RPO matrix, backup concept (3-2-1 + immutable), tabletop scenarios, crisis communications | Art. 21(2)(c), Sec. 30(2) no. 3 BSIG | 9 |
| Supply-chain security | Supplier inventory, criticality classification, audit template (initial + annual), DPA security annex, SLA modules, exit strategy, ENISA risk profile | Art. 21(2)(d), Art. 22, Sec. 30(2) no. 4 BSIG | 8 |
| Secure procurement | Procurement policy, security requirements catalog, SBOM requirements template, secure SDLC guideline, penetration-testing concept | Art. 21(2)(e), Sec. 30(2) no. 5 BSIG | 5 |
| Effectiveness review | Internal audit program, effectiveness checklists per area, KPI dashboard, annual effectiveness report, external audit RFP, management-review template | Art. 21(2)(f), Sec. 30(2) no. 6 BSIG | 6 |
| Cyber hygiene and training | Awareness concept, phishing-test templates (Q1–Q4), training records, management training under Sec. 38(3) BSIG, acceptable-use policy, clean-desk policy | Art. 21(2)(g), Sec. 30(2) no. 7 BSIG, Sec. 38 BSIG | 7 |
| Cryptography | Cryptography concept, key-management procedure, TLS configuration standard, key-rotation plan | Art. 21(2)(h), Sec. 30(2) no. 8 BSIG | 4 |
| Access control and MFA | Access-control concept, MFA rollout plan, privileged-access management, joiner/mover/leaver process, entitlement-review template | Art. 21(2)(i)+(j), Sec. 30(2) no. 9+10 BSIG | 5 |
| Asset management and logging | Asset inventory (HW/SW/data/cloud), classification scheme, logging concept, SIEM use cases, retention periods, log-review procedure | Art. 21(2)(a)+(f), cross-cutting | 6 |
| Governance and supervision | BSI registration template, annual self-declaration, standard responses to supervisory requests, board/management reporting | Sec. 33, 34, 38 BSIG | 5 |
| Total | | | 72 |

4. Section 30 BSIG: the 10 minimum measures — quick reference

The 72 templates map to the 10 measure areas of Section 30(2) BSIG. The areas in shorthand:

  1. Risk analysis and information-system security concepts
  2. Handling of security incidents (incident response)
  3. Business continuity (BCM, backup management, crisis management)
  4. Supply-chain security including security aspects of supplier relationships
  5. Security in procurement, development and maintenance of information systems
  6. Policies for assessing the effectiveness of risk-management measures
  7. Basic cyber hygiene practices and training
  8. Cryptography and encryption policies
  9. Personnel security, access control and asset management
  10. Use of multi-factor authentication, secure voice/video/text communications and secure emergency communications

Detailed comparison, sector examples and concrete measure lists: NIS2 Section 30 BSIG: all 10 obligations in one table.

5. Which templates for essential, important and KRITIS entities?

The content requirements under Section 30 BSIG are identical across categories. The differences relate to supervisory regime, thresholds and depth of evidence:

| Category | Supervision | Fine ceiling | Additional templates |
|---|---|---|---|
| KRITIS / Essential | Proactive (BSI audit, on-site inspections, orders under Sec. 31 BSIG) | up to EUR 10 million or 2% of group turnover | Evidence audit per Sec. 31 BSIG, KRITIS registration, annual self-declaration, sector-specific resilience plans |
| Important | Reactive (event-driven only, e.g. after incident) | up to EUR 7 million or 1.4% of group turnover | Self-declaration, incident notifications under Art. 23, audit only on substantiated grounds |

To determine your own NIS2 classification (sector + thresholds): NIS2 for small enterprises 50–100 employees and NIS2 implementation in Germany.

6. Prioritization: which templates when?

Days 1–30: mandatory set for BSI registration

Days 31–60: quick wins under Section 30 BSIG

See NIS2 Top-7 Quick Wins: MFA rollout, backup concept, patch management, phishing training, supplier inventory, IRP tabletop, asset classification.

Days 61–90: full audit readiness

Days 91–180: ISO 27001 or equivalent

Those pursuing certification add clause 6.1.3 (risk treatment plan), 9.2 (internal audits) and 10 (continuous improvement). Pathway: NIS2 to ISO 27001 certification.

7. Update and version control

NIS2 templates are not one-off documents. Supervisory audits check not just existence but currency and lived application:

Frequently Asked Questions

How many templates does NIS2 strictly require?
The NIS2 Directive does not specify a fixed document count. Article 21, Article 23 and Section 30 BSIG translate into 10 measure areas, typically covered by 50–80 individual documents in practice. The NIS2 Kit covers 72 mandatory and recommended templates.
Are ISO 27001 documents sufficient for NIS2?
ISO 27001 covers roughly 70% of Section 30 BSIG requirements. Gaps typically remain in: 24-hour early warning under Article 23, supplier audits, management training under Section 38 BSIG, and risk-management methodology (BSI 200-3 vs. ISO 27005). NIS2-specific supplementary templates are required.
Which templates must the management board sign personally?
At minimum: ISMS policy, risk-management policy, approval of the action plan under Section 38 BSIG, the annual compliance report, and the training record under Section 38(3) BSIG. These signatures are the evidence by which management discharges its personal liability.
Must templates be translated into German?
The BSI as supervisory authority operates in German. English templates are permitted but must be submitted in German translation upon audit request. Group subsidiaries often maintain ISMS documents bilingually.
How often must NIS2 templates be updated?
At least annually (ISMS review per ISO 27001 clause 9.3). Event-driven for: IT landscape changes, new threats, supervisory guidance, key-role personnel changes, or post-incident reviews. Versioning and approval workflow are mandatory.
How do template requirements differ between important and essential entities?
Section 30 BSIG content requirements are identical. The difference is the supervisory regime: essential entities are subject to proactive supervision (on-site audits, audit orders), important entities only reactively. Templates should be audit-grade for both categories given comparable fine exposure (EUR 10 million vs. EUR 7 million).
Which templates are mandatory within the first 30 days?
Documents that must be presentable on supervisory request: asset inventory, risk register, ISMS policy, incident-response plan, reporting-channel template for the 24-hour early warning. These five form the minimum set for BSI registration.
