# Cybersecurity measures
NIS2 cybersecurity measure obligations are implemented in Modulos as a two-layer model:

- governance and accountability at organization level (OFF-15)
- execution evidence at AI-system level (MFF-15)
## Organization-level governance requirements (OFF-15)
| Requirement | Topic | Directive reference |
|---|---|---|
| ORF-286 | Management body approval and oversight | Art. 20(1) |
| ORF-287 | Management body cybersecurity training | Art. 20(2) |
| ORF-288 | Proportionate cybersecurity risk-management governance | Art. 21(1)-(3) |
| ORF-322 | Risk analysis and information-system security policy governance | Art. 21(2)(a) |
| ORF-323 | Incident handling governance | Art. 21(2)(b) |
| ORF-324 | Continuity, backup, disaster recovery and crisis governance | Art. 21(2)(c) |
| ORF-325 | Supply-chain security governance | Art. 21(2)(d), 21(3) |
| ORF-326 | Secure acquisition, development and maintenance governance | Art. 21(2)(e) |
| ORF-327 | Cybersecurity measure effectiveness governance | Art. 21(2)(f) |
| ORF-328 | Cyber hygiene and cybersecurity training governance | Art. 21(2)(g) |
| ORF-329 | Cryptography and encryption policy governance | Art. 21(2)(h) |
| ORF-330 | HR security, access-control and asset-management governance | Art. 21(2)(i) |
| ORF-331 | MFA, continuous authentication and secured communications governance | Art. 21(2)(j) |
| ORF-297 | Corrective action obligation for cybersecurity measure non-compliance | Art. 21(4) |
| ORF-299 | Certified ICT use obligation governance | Art. 24(1)-(3) |
## AI-system implementation requirements (MFF-15)
| Requirement | Topic | Directive reference |
|---|---|---|
| MRF-255 | AI system risk analysis and security policies | Art. 21(2)(a) |
| MRF-256 | AI system incident handling | Art. 21(2)(b) |
| MRF-257 | AI system continuity, backup, disaster recovery and crisis operations | Art. 21(2)(c) |
| MRF-258 | AI system supply chain security | Art. 21(2)(d), 21(3) |
| MRF-259 | Secure lifecycle and vulnerability handling | Art. 21(2)(e) |
| MRF-260 | Cybersecurity measure effectiveness testing | Art. 21(2)(f) |
| MRF-261 | Operational cyber hygiene and role-based training | Art. 21(2)(g) |
| MRF-262 | Cryptography and encryption controls | Art. 21(2)(h) |
| MRF-263 | HR security, access control and asset management | Art. 21(2)(i) |
| MRF-264 | MFA, continuous authentication and secured communications | Art. 21(2)(j) |
| MRF-270 | AI system corrective action workflow for cybersecurity non-compliance | Art. 21(4) |
| MRF-273 | Certified ICT and qualified trust service implementation | Art. 24(1)-(2) |
## Control reuse strategy

NIS2 controls are designed to reuse existing control baselines where possible (notably ISO/IEC 27001 mappings) while preserving NIS2-specific evidence flows for prescriptive timing and governance obligations.
## Related pages

- Incident reporting and communications: reporting timelines and communication workflows
- Operationalizing in Modulos: practical sequence to execute these requirements in projects
## Disclaimer

This page is for general informational purposes and does not constitute legal advice.