Cybersecurity measures
NIS2 cybersecurity measure obligations are implemented in Modulos as a two-layer model:
- governance and accountability at organization level (OFF-15)
- execution evidence at AI-service level (MFF-15)
Organization-level governance requirements (OFF-15)
| Requirement | Topic | Directive reference |
|---|---|---|
| ORF-336 | Management body approval and oversight | Art. 20(1) |
| ORF-337 | Management body cybersecurity training | Art. 20(2) |
| ORF-338 | Risk analysis and security policy governance | Art. 21(2)(a) |
| ORF-339 | Incident handling governance | Art. 21(2)(b) |
| ORF-340 | Continuity, backup, disaster recovery, and crisis governance | Art. 21(2)(c) |
| ORF-341 | Supply chain security governance | Art. 21(2)(d), 21(3) |
| ORF-342 | Secure acquisition, development, and maintenance governance | Art. 21(2)(e) |
| ORF-343 | Cybersecurity measure effectiveness governance | Art. 21(2)(f) |
| ORF-344 | Cyber hygiene and cybersecurity training governance | Art. 21(2)(g) |
| ORF-345 | Cryptography and encryption governance | Art. 21(2)(h) |
| ORF-346 | HR security, access control, and asset governance | Art. 21(2)(i) |
| ORF-347 | MFA and secured communications governance | Art. 21(2)(j) |
| ORF-348 | Cybersecurity non-compliance corrective action | Art. 21(4) |
| ORF-349 | Implementing-act applicability governance | Arts. 21(5), 23(11); Reg. 2024/2690 |
AI-service implementation requirements (MFF-15)
| Requirement | Topic | Directive reference |
|---|---|---|
| MRF-275 | AI-service risk analysis and security policies | Art. 21(2)(a) |
| MRF-276 | AI-service incident handling | Art. 21(2)(b) |
| MRF-277 | AI-service continuity, backup, and crisis operations | Art. 21(2)(c) |
| MRF-278 | AI-service supply chain security | Art. 21(2)(d), 21(3) |
| MRF-279 | Secure acquisition, development, and maintenance | Art. 21(2)(e) |
| MRF-280 | Cybersecurity measure effectiveness testing | Art. 21(2)(f) |
| MRF-281 | Operational cyber hygiene and role-based training | Art. 21(2)(g) |
| MRF-282 | Cryptography and encryption controls | Art. 21(2)(h) |
| MRF-283 | HR security, access control, and asset management | Art. 21(2)(i) |
| MRF-284 | MFA and secured communications | Art. 21(2)(j) |
| MRF-285 | Cybersecurity non-compliance corrective action workflow | Art. 21(4) |
| MRF-291 | Implementing-regulation significant-incident criteria execution | Arts. 21(5), 23(11); Reg. 2024/2690 |
MRF-291 and MRF-292 continue on the incident-reporting page because they sit at the boundary between Article 21 operationalization and the Article 23 reporting workflow.
Control reuse strategy
NIS2 controls are designed to reuse existing control baselines where possible, especially ISO/IEC 27001 and ISO/IEC 27701 controls that are genuinely semantically aligned.
The current design intentionally avoids control sprawl:
- reuse ISO controls where the duty, object, and evidence model match
- add NIS2-specific controls only where the legal workflow is genuinely NIS2-specific
- thread 2024/2690 obligations into the existing Article 21 measure families instead of creating a second swarm of controls
Covered-entity overlay
For entity types covered by Commission Implementing Regulation (EU) 2024/2690, the additional technical and methodological requirements are reflected inside the existing Article 21 measure families.
That means the overlay is handled through:
- ORF-349 for organization-level applicability governance
- MRF-291 for AI-service significant-incident criteria execution
- additional covered-entity notes in the relevant Article 21 requirements and controls
This keeps the framework lean while preserving traceability for an exacting reviewer.
Related pages
- Scope and applicability: manual applicability handling and NIS2 Scope tags
- Incident reporting and communications: reporting timelines and communication workflows
- Operationalizing in Modulos: practical sequence to execute these requirements in projects
Disclaimer
This page is for general informational purposes and does not constitute legal advice.