Appearance
NIS2
This guide explains how Modulos operationalizes the NIS2 Directive (EU) 2022/2555 through both organization-level and AI-system-level framework objects.
Key facts
Type
EU cybersecurity directive
Primary scope
Essential and important entities in listed sectors
Core obligations
Governance, risk measures, incident reporting
Transposition deadline
Member States were required to transpose by 17 October 2024
Modulos objects
OFF-15 (org) and MFF-15 (app)
Practical framing
In Modulos, NIS2 execution is split deliberately: organization governance duties are scoped in OFF-15, while AI-system implementation duties live in MFF-15.
How NIS2 is modeled in Modulos
| Framework | Project type | Focus | Requirement count |
|---|---|---|---|
OFF-15 (NIS2 (org)) | Organization | Scope, management body accountability, Article 21 governance decomposition, reporting governance, authority interactions | 30 (ORF-284 to ORF-332) |
MFF-15 (NIS2 (app)) | AI system | Technical and operational implementation at AI-system level | 20 (MRF-255 to MRF-274) |
Coverage domains in this guide
- Scope and applicability: entity classification, legal-act equivalence checks, implementing-act governance.
- Cybersecurity measures: risk analysis, secure lifecycle, supply chain, crypto, access, resilience.
- Incident reporting and communications: staged notification workflows and authority/client communication duties.
- Supervisory cooperation: supervision-readiness and authority response governance for essential and important entities.
- Operational execution in Modulos: requirements, controls, evidence, and review workflow.
Relationship with DORA
DORA remains a separate framework in Modulos (OFF-16 and MFF-16). For financial entities, NIS2 and DORA can coexist: NIS2 establishes broad cybersecurity obligations while DORA provides lex-specialis financial-sector resilience obligations.
Explore NIS2 in depth
Scope and applicability
Entity scope, classification logic, legal-act equivalence, and implementing-act applicability
Cybersecurity measures
Article 20 and 21 governance plus AI-system implementation obligations
Incident reporting and communications
24-hour early warning, 72-hour notification, final reporting, and related duties
Operationalizing in Modulos
A practical implementation sequence for OFF-15 and MFF-15
Disclaimer
This page is for general informational purposes and does not constitute legal advice.