NIS2
This guide explains how Modulos operationalizes Directive (EU) 2022/2555 through both organization-level and AI-service-level framework objects.
Key facts
- Type: EU cybersecurity directive
- Primary scope: Essential and important entities in listed sectors
- Core obligations: Governance, cybersecurity measures, incident reporting, supervision
- Application date: 18 October 2024
- Modulos objects: OFF-15 (org) and MFF-15 (app)
- Requirement model: 28 org requirements and 18 app requirements
- Applicability handling: Manual applicability notes plus NIS2 Scope tags
Practical framing
In Modulos, NIS2 execution is split deliberately: organization governance duties are scoped in OFF-15, while AI-service implementation duties live in MFF-15.
How NIS2 is modeled in Modulos
| Framework | Project type | Focus | Requirement count |
|---|---|---|---|
| OFF-15 (NIS2 (org)) | Organization | Scope and classification, management body accountability, Article 21 governance, Article 23 reporting, special-case duties, supervision | 28 (ORF-333 to ORF-360) |
| MFF-15 (NIS2 (app)) | AI application | AI-service operational execution, reporting workflows, and covered-entity overlays | 18 (MRF-275 to MRF-292) |
Structure in practice
The current NIS2 model has four layers:
- Base org scope and governance in ORF-333 to ORF-349
- Org reporting, special-case, and supervisory duties in ORF-350 to ORF-360
- AI-service operational execution in MRF-275 to MRF-290
- Covered-entity / trust-service overlays in MRF-291 to MRF-292
This keeps the legal duties auditable without turning every sector-specific nuance into a separate control family.
Applicability model
Modulos does not currently use a dedicated NIS2 questionnaire to auto-descope requirements.
Instead:
- each genuinely conditional NIS2 requirement carries an explicit Applicability section
- static NIS2 Scope tags help users filter those requirements manually
- the user or reviewer records why a tagged requirement is in scope or out of scope
This is a deliberate design choice. It improves clarity without pretending that a questionnaire-driven descoping engine already exists for NIS2.
Coverage domains in this guide
- Scope and applicability: entity classification, legal-act equivalence checks, covered-entity overlays, manual scoping, and tags.
- Cybersecurity measures: management body duties, Article 21 measure families, AI-service execution, and 2024/2690 threading.
- Incident reporting and communications: staged notification workflows, significance logic, trust-service timing, and related communications duties.
- Operational execution in Modulos: requirements, controls, evidence, filtering, and review workflow.
Relationship with DORA
DORA is implemented as a separate framework family in Modulos (OFF-16 and MFF-16). For financial entities, NIS2 and DORA can coexist conceptually: NIS2 establishes broad cybersecurity obligations while DORA provides lex-specialis financial-sector resilience obligations.
Explore NIS2 in depth
- Scope and applicability: Entity scope, classification logic, manual applicability handling, and NIS2 Scope tags
- Cybersecurity measures: Article 20 and 21 governance plus AI-service implementation obligations
- Incident reporting and communications: 24-hour early warning, 72-hour notification, final reporting, and related duties
- Operationalizing in Modulos: A practical implementation sequence for OFF-15 and MFF-15
Disclaimer
This page is for general informational purposes and does not constitute legal advice.