Operationalizing NIS2 in Modulos
This page is the practical rollout playbook for NIS2 (Directive (EU) 2022/2555) in Modulos. It assumes the organisation has already decided that NIS2 applies (see Scope and applicability) and walks through the OFF-15 and MFF-15 framework templates, the recommended project structure, the manual scoping pattern, the sequencing, and the evidence package supervisory authorities and auditors typically expect.
Quick decision
- Stand up the programme for the first time → start with one OFF-15 organisation project for Article 20 management-body accountability and Article 21 cybersecurity-measure governance, and one MFF-15 AI-application project per in-scope service. The two framework templates are designed to operate together.
- Already have an ISO 27001 ISMS → map Article 21(2) measure-by-measure onto the existing ISMS controls; do not duplicate the substance. Article 20 management-body approval evidence and the Article 23 reporting artefacts are the NIS2-specific evidence to add.
- Covered by Implementing Regulation (EU) 2024/2690 → layer the overlay through ORF-349 (governance) and MRF-291 (execution).
- Trust service provider → also stand up MRF-292 for the Article 23(4) 24-hour derogation path.
- Financial entity also identified as essential or important under national NIS2 transposition → read NIS2 vs DORA before rollout. DORA is considered a sector-specific Union legal act for the purposes of NIS2 Article 4 (DORA Article 1(2)) on the matters DORA covers.
TL;DR
- Modulos models NIS2 as two framework templates: OFF-15 (organisation, 28 requirements, 81 unique mapped controls) and MFF-15 (AI service, 18 requirements, 71 unique mapped controls). Use one OFF-15 project per organisation and one MFF-15 project per in-scope service.
- Every requirement cites its precise legal basis (article, paragraph, or Implementing Regulation Annex point, with EUR-Lex links) in a References section, and states which entities each limb binds in an Applicability section.
- Scope is explicit and manual, not driven by a questionnaire. ORF-333 to ORF-335 carry the Article 2 / 3 / 4 baseline; NIS2 Scope tags on individual requirements label conditional duties. NIS2 Basis tags separate Directive duties (all in-scope entities) from Implementing Regulation 2024/2690 detail (relevant entities only); NIS2 Domain tags name the measure area.
- Article 20 management-body duties live on ORF-336 (Art 20(1)) and ORF-337 (Art 20(2)).
- Article 21 measures live on ORF-338 to ORF-348 (governance) and MRF-275 to MRF-285 (execution).
- The Article 23 reporting package (significance determination, recipient notification, staged reports) lives on ORF-350 to ORF-354 (governance) and MRF-286 to MRF-290 (execution). Modulos does not provide a dedicated incident-reporting UI surface; the staged reports are stored as evidence linked to the Article 23 requirements.
- Implementing Regulation 2024/2690 attaches through ORF-349 and MRF-291. The trust-service 24-hour derogation attaches through MRF-292.
- The supervisory authority's evidence expectation is traceability: from the Article reference to the requirement, to the controls that implement it, to the evidence that supports each control.
Primary source
Directive (EU) 2022/2555 on EUR-Lex · Implementing Regulation (EU) 2024/2690 · ENISA Technical Implementation Guidance (June 2025)
Project structure that works
Most enterprise rollouts use the following structure:
- One organisation project with the OFF-15 framework template attached. This holds Article 20 management-body duties, Article 21 governance, Article 23 reporting governance, Articles 26–28 jurisdiction and registry duties, Articles 29–30 information-sharing and voluntary-notification duties (where applicable), and the supervisory-cooperation evidence under Articles 32–33.
- One AI-application project per in-scope service with the MFF-15 framework template attached. Each service project holds the per-service execution evidence: Article 21(2) measures applied to that service, the incident-handling workflow, the AI-BOM and vendor evidence for that service's supply chain, and the trust-service derogation evidence where applicable.
- One organisation-wide policy project (optional) for cross-cutting policies referenced by both OFF-15 and MFF-15.
How to operationalize NIS2 in Modulos
The Modulos surfaces relevant to NIS2 rollout are:
| Surface | Use |
|---|---|
| Project dashboard → Add Framework | Attach OFF-15 to the organisation project; attach MFF-15 to each AI-service project |
| Project → Settings → Frameworks | Manage attached frameworks: list, freeze, and update |
| Project → Requirements | Track the OFF-15 / MFF-15 requirements; status Not fulfilled → Fulfilled (with optional Out of scope) |
| Requirement-level NIS2 Scope tag | Label conditional duties that need an explicit scoping decision; reviewers walk through tagged requirements and record the disposition in the requirement's comments and logs |
| Requirement-level NIS2 Domain and NIS2 Basis tags | Navigate by measure area (the Article 21(2)(a)–(j) categories plus governance, reporting, scope, registration, information-sharing, supervision) and by legal basis (Directive Art 21 for all entities vs Impl. Reg. 2024/2690 for relevant entities only) |
| Project → Controls | Document implemented measures (risk-analysis methodology, incident-handling runbook, BC/DR plan, vendor due-diligence policy, secure-SDLC standard, etc.) and map them to one or more requirements; control status changes are routed through review requests |
| Project → Evidence | Store supporting artefacts (policies, runbooks, training records, supplier reviews, executed 24-hour and 72-hour notifications, authority responses) and link them to controls |
| Comments and logs on each requirement | Capture the rationale for fulfilment attestation, scoping decisions, and corrective-action records |
What ships with the templates
The OFF-15 / MFF-15 templates pair two kinds of controls. NIS2-specific overlay controls carry the article-cited guidance for one duty — each overlay's guidance walks through criteria and thresholds, verification steps, results and gaps, evidence and storage, and refutation and updates, against the exact article, paragraph, or Annex point it implements. Shared framework-agnostic controls (leadership, competence, document review, management review, and similar governance substance) are the same control objects reused by the ISO 27001 / ISO 42001 / DORA templates, so evidence recorded once serves every attached framework. The shared controls deliberately carry no NIS2-specific text — the NIS2 substance always sits on the overlay, which keeps cross-framework reuse clean.
NIS2 tag families reference
Three NIS2 tag families classify the OFF-15 / MFF-15 requirements and their controls. NIS2 Scope labels conditional applicability — the eight values and the scoping workflow are documented on the Scope and applicability page. The other two families decode as follows.
NIS2 Domain — the measure area or duty family a requirement belongs to:
| Value | Covers |
|---|---|
| Risk Management & Policies | Art 21(2)(a): policies on risk analysis and information-system security |
| Incident Handling | Art 21(2)(b): prevention, detection, and response to incidents |
| Business Continuity & Crisis Management | Art 21(2)(c): backup management, disaster recovery, crisis management |
| Supply Chain Security | Art 21(2)(d): security of relationships with direct suppliers and service providers |
| Secure Acquisition, Development & Maintenance | Art 21(2)(e): including vulnerability handling and disclosure |
| Effectiveness Assessment | Art 21(2)(f): assessing the effectiveness of the risk-management measures |
| Cyber Hygiene & Training | Art 21(2)(g): basic cyber-hygiene practices and cybersecurity training |
| Cryptography | Art 21(2)(h): policies on cryptography and, where appropriate, encryption |
| HR Security, Access Control & Asset Management | Art 21(2)(i): human resources security, access control policies, and asset management |
| Authentication & Secure Communications | Art 21(2)(j): MFA or continuous authentication, secured voice / video / text and emergency communications |
| Governance & Accountability | Art 20: management-body approval and oversight |
| Reporting | Art 23: early warning, incident notification, intermediate and final reports |
| Scope, Classification & Equivalence | Arts 2–4: scope, essential / important classification, sector-act equivalence |
| Registration & Territoriality | Arts 26–28: jurisdiction, registry of entities, domain-name registration database |
| Information-Sharing & Voluntary Notification | Arts 29–30 |
| Supervision & Enforcement | Arts 32–33 |
NIS2 Basis — the legal basis of each duty or limb:
| Value | What it marks |
|---|---|
| Directive Art 21 (all entities) | A measure duty grounded in Directive Art 21, binding all in-scope essential and important entities |
| Impl. Reg. 2024/2690 (relevant entities only) | Technical and methodological detail binding only the relevant entities listed in the Implementing Regulation's Article 1 |
| Governance | Art 20 governance and accountability sub-flavour |
| Scope/Equivalence | Arts 2–4 scope, classification, and equivalence sub-flavour |
| Directive — Reporting (Art 23) | Mandatory incident reporting under Art 23 |
| Directive — Registration (Art 26 jurisdiction) | Jurisdiction and EU-representative determination |
| Directive — Registration (Art 27 registry) | Registry-of-entities information submission |
| Directive — Registration (Art 28 domain-name DB) | Domain-name registration-data database duties |
| Directive — Information-Sharing (Art 29 — not Art 23 reporting) | Information-sharing arrangements, including the Art 29(4) participation notification; distinct from mandatory reporting |
| Directive — Voluntary (Art 30 voluntary notification — not Art 23 reporting) | Voluntary notification of incidents, near misses, and threats; distinct from mandatory reporting |
| Directive — Supervision/Enforcement (Arts 32–33) | The supervisory and enforcement regime |
A requirement that layers a Directive duty with Implementing-Regulation detail carries both NIS2 Basis tags; its Applicability section states which limb binds which cohort.
Scope without a questionnaire
Modulos does not currently use a dedicated NIS2 descoping questionnaire. Use the following manual pattern:
- Determine base scope through ORF-333 (Article 2 scope and Article 3 classification), ORF-334 (Article 3(4) entity-listing data submission and two-week change notification), and ORF-335 (Article 4 sector-specific Union legal act equivalence).
- Surface conditional duties by walking through the requirements tagged with the relevant NIS2 Scope labels: Article 4 Equivalent Union Act, 2024/2690 Covered Entity, Article 26 Cross-Border Entity, Article 27 Registry Entity, Article 28 Domain or TLD Entity, Article 29 Information-Sharing Participant, Article 30 Voluntary Notifier, Trust Service 24-Hour Derogation.
- Read the Applicability section in each tagged requirement. It explains when the duty applies, when it can be treated as out of scope, and what evidence supports each disposition.
- Decide in scope / out of scope for the project. Record the decision (rationale, supporting evidence) in the requirement's comments and logs.
- Mark the requirement Fulfilled if the disposition is supported, or Out of scope if the duty does not apply to the project.
Sequence that works
A pragmatic seven-step rollout sequence:
1. Scope and classification. Fulfil ORF-333 to ORF-335. Capture the Article 3 essential / important classification with rationale.
2. Conditional duties review. Walk through the requirements with NIS2 Scope labels. Fulfil ORF-349, ORF-355 to ORF-359, MRF-291 and MRF-292 where in scope; mark them Out of scope (with rationale) otherwise.
3. Article 20 management-body accountability. Fulfil ORF-336 (Art 20(1)) and ORF-337 (Art 20(2)). The Article 20(1) approval evidence and Article 20(2) management-body training records are typically the first audit asks.
4. Article 21 governance. Fulfil ORF-338 to ORF-348.
5. AI-service technical measures. Fulfil MRF-275 to MRF-285 per in-scope service.
6. Article 23 reporting package. Fulfil ORF-350 to ORF-354 (governance) and MRF-286 to MRF-290 (execution). Even before a real incident, simulated end-to-end runs with timestamped artefacts are worth storing as evidence.
7. Supervisory, registry, information-sharing. Fulfil ORF-355 to ORF-360 (cross-border, registry, information sharing, voluntary notification, Articles 32–33 supervisory cooperation).
Readiness + fulfilment attestation
Requirements in Modulos use a two-step readiness-then-attestation pattern rather than a review request:
- when all linked controls are in a final state, the requirement becomes ready for review (a signal to the requirement owner);
- the requirement owner attests fulfilment by marking the requirement Fulfilled, with the rationale captured in the requirement's comments and logs.
Review requests in Modulos apply to control status changes (and other reviewable objects like assets) — not to requirements themselves.
Evidence package baseline
A defensible NIS2 evidence package typically includes:
- Scope — entity-classification decision with rationale and approvals; Article 4 sector-specific Union legal act equivalence memo where applicable.
- Article 20 — Article 20(1) approval records (decisions, minutes); Article 20(2) management-body training records.
- Article 21(2) policy set — risk-analysis methodology, information-system-security policy, incident-handling SOP, BC/DR plan, supplier policy + AI-BOM + supplier reviews, secure-development standard + vulnerability-disclosure process, internal-audit / control-testing programme, cyber-hygiene baseline + workforce training, cryptography policy + key-management procedure, HR / access / asset-management controls, MFA rollout + secured-communications baseline.
- Article 21(3) supply chain — direct-supplier and service-provider list with vulnerability assessment outputs and product-quality / cybersecurity-practice evidence.
- Article 21(4) corrective action — self-identified gap log with corrective measures, owners, timelines, and closure evidence.
- Article 21(5) overlay — Implementing Regulation 2024/2690 applicability memo + technical documentation per the entity type, including the Article 2(2) documented reasoning wherever a "where appropriate" / "where applicable" / "to the extent feasible" Annex requirement is treated as not applicable, plus the environmental and physical security measures under Annex point 13 (supporting utilities at 13.1, protection against physical and environmental threats at 13.2, perimeter and physical access control at 13.3).
- Article 23 reporting package — timestamped 24-hour early warnings, 72-hour notifications, intermediate reports on request, one-month final reports, progress reports for ongoing incidents; authority feedback received.
- Article 23(1)–(2) recipient communications — copies of notifications sent to recipients where applicable.
- Articles 26–30 — Article 27 ENISA registry submission record; Article 28 domain-name database participation evidence; Article 29 information-sharing arrangement records; Article 30 voluntary-notification records.
- Articles 32–33 — supervisory cooperation records.
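The Article 23 reporting package above is only defensible if every stored artefact carries a timestamp that sits inside the statutory clock. The script below is an added example (not Modulos code and not part of the original page): it derives the Article 23(4) deadlines from the moment the entity became aware of a significant incident, switches the notification clock to 24 hours when the trust-service derogation applies, and checks a set of timestamped artefacts against them. The artefact names (`early_warning`, `incident_notification`, `final_report`) and the sample timestamps are this example's own conventions; the deadlines are taken from the Directive text.

```python
"""Staged-deadline checker for the Article 23(4) reporting package.

Added example, not Modulos code. It derives the statutory deadlines from
the moment the entity became aware of a significant incident and checks
the timestamped artefacts stored as evidence against them. The artefact
names and the sample timestamps below are this example's own conventions.
"""
import calendar
from datetime import datetime, timedelta, timezone

# Directive (EU) 2022/2555, Art 23(4), first subparagraph:
#   (a) early warning:          within 24 h of becoming aware
#   (b) incident notification:  within 72 h of becoming aware
#   (d) final report:           not later than one month after (b) was submitted
# Second subparagraph: a trust service provider notifies under (b) within 24 h.
# (c) intermediate reports are "upon request" and carry no fixed clock, and
# (e) progress/final reports for still-ongoing incidents are not modelled here.
EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
NOTIFICATION_TRUST_SERVICE = timedelta(hours=24)


def add_one_month(when: datetime) -> datetime:
    """Calendar-month step, clamped to the last day of the target month
    (31 Jan -> 28/29 Feb), so the deadline never rolls into the month after."""
    year = when.year + when.month // 12
    month = when.month % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def deadlines(aware_at, notified_at=None, trust_service=False):
    """Hard deadlines keyed by artefact name. All datetimes must be tz-aware;
    naive timestamps are rejected because a 24 h clock across time zones is
    exactly where evidence packages go wrong."""
    if aware_at.tzinfo is None or (notified_at is not None and notified_at.tzinfo is None):
        raise ValueError("timestamps must be timezone-aware")
    due = {
        "early_warning": aware_at + EARLY_WARNING,
        "incident_notification": aware_at
        + (NOTIFICATION_TRUST_SERVICE if trust_service else NOTIFICATION),
    }
    # The one-month clock for the final report starts at the actual (b)
    # submission; if none is recorded yet, assume the latest lawful date.
    due["final_report"] = add_one_month(notified_at or due["incident_notification"])
    return due


def check_artefacts(aware_at, artefacts, trust_service=False):
    """artefacts: {name: datetime sent}. Returns, per artefact, the deadline,
    the recorded send time and a status of 'ok', 'late' or 'missing'."""
    due = deadlines(aware_at, artefacts.get("incident_notification"), trust_service)
    report = {}
    for name, deadline in due.items():
        sent = artefacts.get(name)
        if sent is None:
            report[name] = {"due": deadline, "sent": None, "status": "missing"}
            continue
        report[name] = {
            "due": deadline,
            "sent": sent,
            "status": "late" if sent > deadline else "ok",
            "slack": deadline - sent,  # negative timedelta when late
        }
    return report


# Constructed sample: one simulated end-to-end run, timestamps in UTC.
AWARE = datetime(2025, 3, 1, 14, 30, tzinfo=timezone.utc)
ARTEFACTS = {
    "early_warning": AWARE + timedelta(hours=20),
    "incident_notification": AWARE + timedelta(hours=70),
    "final_report": datetime(2025, 4, 4, 9, 0, tzinfo=timezone.utc),
}


def main():
    # Same artefacts, evaluated once as an ordinary entity and once as a
    # trust service provider: the 70 h notification is only late under the
    # Art 23(4) derogation.
    for trust_service in (False, True):
        print(f"trust_service={trust_service}")
        for name, row in check_artefacts(AWARE, ARTEFACTS, trust_service).items():
            print(f"  {name:22s} due {row['due']:%Y-%m-%d %H:%M}Z  {row['status']}")


if __name__ == "__main__":
    main()
```

Run it as a script to see both cohorts side by side; the same 70-hour notification passes for an ordinary essential or important entity and turns late once the trust-service derogation applies. When using this against a real evidence package, feed it the send timestamps of the stored artefacts (the time the notification left for the CSIRT or competent authority), not the time they were uploaded to the evidence register, and keep the awareness timestamp itself as an evidence item, since every other deadline is derived from it.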
Cross-framework reuse
Most NIS2-aligned organisations already operate one or more of: ISO/IEC 27001 (ISMS), ISO/IEC 27002 (control catalogue), ISO/IEC 27701 (PIMS), ISO/IEC 42001 (AI management system), DORA (for financial entities), and the EU AI Act (for in-scope AI providers / deployers).
The Modulos design encourages single-source evidence with multi-framework links: a control object can map to a NIS2 Article 21(2) requirement and at the same time to ISO/IEC 27001 Annex A.5.x and DORA Article 6, with one evidence record supporting all three.
Related pages
NIS2 overview
Framework structure, key dates, OFF-15 / MFF-15 split
Scope and applicability
Article 2 scope, Article 3 classification, Article 26 jurisdiction
Cybersecurity measures (Article 21)
The ten Article 21(2) categories quoted verbatim
Incident reporting (Article 23)
Significance test, staged timelines, trust-service derogation
NIS2 vs DORA
Where each applies, sector-specific Union legal act interaction
Source attribution
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2) is published in the Official Journal of the European Union L 333, 27.12.2022, pp. 80–152. This operationalize page describes how Modulos maps NIS2 obligations to platform surfaces; the binding obligations themselves are in the EUR-Lex text and the national transposing law. Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 is published in OJ L 2024/2690 of 18.10.2024.
Disclaimer
This page is for general informational purposes and does not constitute legal advice. The recommendations here describe common practice for NIS2-aligned governance programmes. For binding interpretation in your jurisdiction, consult the published EUR-Lex text and qualified counsel.