
Operationalizing NIS2 in Modulos

This page is the practical rollout playbook for NIS2 (Directive (EU) 2022/2555) in Modulos. It assumes the organisation has already decided that NIS2 applies (see Scope and applicability) and walks through the OFF-15 and MFF-15 framework templates, the recommended project structure, the manual scoping pattern, the sequencing, and the evidence package supervisory authorities and auditors typically expect.

Quick decision

  • Stand up the programme for the first time → start with one OFF-15 organisation project for Article 20 management-body accountability and Article 21 cybersecurity-measure governance, and one MFF-15 AI-application project per in-scope service. The two framework templates are designed to operate together.
  • Already have an ISO 27001 ISMS → map Article 21(2) measure-by-measure onto the existing ISMS controls; do not duplicate the substance. Article 20 management-body approval evidence and the Article 23 reporting artefacts are the NIS2-specific evidence to add.
  • Covered by Implementing Regulation (EU) 2024/2690 → layer the overlay through ORF-349 (governance) and MRF-291 (execution).
  • Trust service provider → also stand up MRF-292 for the Article 23(4) 24-hour derogation path.
  • Financial entity also identified as essential or important under national NIS2 transposition → read NIS2 vs DORA before rollout — DORA is structured to operate as a sector-specific Union legal act for the purposes of NIS2 Article 4 on the matters DORA covers.

TL;DR

  • Modulos models NIS2 as two framework templates: OFF-15 (organisation, 28 requirements) and MFF-15 (AI service, 18 requirements). Use one OFF-15 project per organisation and one MFF-15 project per in-scope service.
  • Scope is explicit and manual, not driven by a questionnaire. ORF-333 to ORF-335 carry the Article 2 / 3 / 4 baseline; NIS2 Scope tags on individual requirements label conditional duties.
  • Article 20 management-body duties live on ORF-336 (Art 20(1)) and ORF-337 (Art 20(2)).
  • Article 21 measures live on ORF-338 to ORF-348 (governance) and MRF-275 to MRF-285 (execution).
  • The Article 23 reporting package (significance determination + recipient notification + staged reports) lives on ORF-350 to ORF-354 (governance) and MRF-286 to MRF-290 (execution). Modulos does not provide a dedicated incident-reporting UI surface; the staged reports are stored as evidence linked to the Article 23 requirements.
  • Implementing Regulation 2024/2690 attaches through ORF-349 and MRF-291. The trust-service 24-hour derogation attaches through MRF-292.
  • The supervisory authority's evidence expectation is traceability: from the Article reference to the requirement, to the controls that implement it, to the evidence that supports each control.

Project structure that works

Most enterprise rollouts use the following structure:

  • One organisation project with the OFF-15 framework template attached. This holds Article 20 management-body duties, Article 21 governance, Article 23 reporting governance, Articles 26–30 jurisdiction and registry duties, Articles 29–30 information-sharing and voluntary-notification duties (where applicable), and the supervisory-cooperation evidence under Articles 32–33.
  • One AI-application project per in-scope service with the MFF-15 framework template attached. Each service project holds the per-service execution evidence: Article 21(2) measures applied to that service, the incident-handling workflow, the AI-BOM and vendor evidence for that service's supply chain, and the trust-service derogation evidence where applicable.
  • One organisation-wide policy project (optional) for cross-cutting policies referenced by both OFF-15 and MFF-15.

How to operationalize NIS2 in Modulos

The Modulos surfaces relevant to NIS2 rollout are:

Surface / Use
  • Project dashboard → Add Framework: attach OFF-15 to the organisation project; attach MFF-15 to each AI-service project.
  • Project → Settings → Frameworks: manage attached frameworks (list, freeze, and update).
  • Project → Requirements: track the OFF-15 / MFF-15 requirements; status moves Not fulfilled → Fulfilled (with optional Out of scope).
  • Requirement-level NIS2 Scope tag: label conditional duties that need an explicit scoping decision; reviewers walk through tagged requirements and record the disposition in the requirement's comments and logs.
  • Project → Controls: document implemented measures (risk-analysis methodology, incident-handling runbook, BC/DR plan, vendor due-diligence policy, secure-SDLC standard, etc.) and map them to one or more requirements; control status changes are routed through review requests.
  • Project → Evidence: store supporting artefacts (policies, runbooks, training records, supplier reviews, executed 24-hour and 72-hour notifications, authority responses) and link them to controls.
  • Comments and logs on each requirement: capture the rationale for fulfilment attestation, scoping decisions, and corrective-action records.

Scope without a questionnaire

Modulos does not currently use a dedicated NIS2 descoping questionnaire. Use the following manual pattern:

  1. Determine base scope through ORF-333 (Article 2 scope and Article 3 classification), ORF-334 (Article 3(4)–(5) entity-listing duty), and ORF-335 (Article 4 sector-specific Union legal act equivalence).
  2. Surface conditional duties by walking through the requirements tagged with the relevant NIS2 Scope labels: Article 4 Equivalent Union Act, 2024/2690 Covered Entity, Article 26 Cross-Border Entity, Article 27 Registry Entity, Article 28 Domain or TLD Entity, Article 29 Information-Sharing Participant, Article 30 Voluntary Notifier, Trust Service 24-Hour Derogation.
  3. Read the Applicability section in each tagged requirement. It explains when the duty applies, when it can be treated as out of scope, and what evidence supports each disposition.
  4. Decide in scope / out of scope for the project. Record the decision (rationale, supporting evidence) in the requirement's comments and logs.
  5. Mark the requirement fulfilled if the disposition is supported, or Out of scope if the duty does not apply to the project.

Sequence that works

A pragmatic seven-step rollout sequence:

  1. Scope and classification. Fulfil ORF-333 to ORF-335. Capture the Article 3 essential / important classification with rationale.
  2. Conditional duties review. Walk through the requirements with NIS2 Scope labels. Fulfil ORF-349, ORF-355 to ORF-359, MRF-291, MRF-292 where in scope; mark Out of scope (with rationale) otherwise.
  3. Article 20 management-body accountability. Fulfil ORF-336 (Art 20(1)) and ORF-337 (Art 20(2)). The Article 20(1) approval evidence and Article 20(2) management-body training records are typically the first audit asks.
  4. Article 21 governance. Fulfil ORF-338 to ORF-348.
  5. AI-service technical measures. Fulfil MRF-275 to MRF-285 per in-scope service.
  6. Article 23 reporting package. Fulfil ORF-350 to ORF-354 (governance) and MRF-286 to MRF-290 (execution). Even before a real incident, simulated end-to-end runs with timestamped artefacts are worth storing as evidence.
  7. Supervisory, registry, information-sharing. Fulfil ORF-355 to ORF-360 (cross-border, registry, information sharing, voluntary notification, Articles 32–33 supervisory cooperation).

Readiness + fulfilment attestation

Requirements in Modulos use a two-step pattern, not a review:

  • when all linked controls are in a final state, the requirement becomes ready for review (a signal to the requirement owner);
  • the requirement owner attests fulfilment by marking the requirement Fulfilled, with rationale captured in the requirement's comments and logs.

Review requests in Modulos apply to control status changes (and other reviewable objects like assets) — not to requirements themselves.
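The readiness rule above and the Article → requirement → control → evidence traceability chain that supervisory authorities expect (see TL;DR) can be checked offline against an export of the programme. The following is an added example, not Modulos code or its API: the requirement and control identifiers are taken from this page, the control status names and the evidence file names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed final control states; Modulos' actual status vocabulary may differ.
FINAL_CONTROL_STATES = {"implemented", "not_applicable"}

@dataclass
class Control:
    id: str
    status: str
    evidence: list = field(default_factory=list)  # linked evidence record names

@dataclass
class Requirement:
    id: str
    article: str
    controls: list = field(default_factory=list)
    fulfilled: bool = False
    out_of_scope: bool = False

def is_ready_for_review(req):
    """Two-step pattern: ready once every linked control is in a final state."""
    return bool(req.controls) and all(c.status in FINAL_CONTROL_STATES for c in req.controls)

def traceability_gaps(reqs):
    """Report breaks in the Article -> requirement -> control -> evidence chain.
    Out-of-scope requirements are skipped; a scoping rationale lives in comments/logs."""
    gaps = []
    for r in reqs:
        if r.out_of_scope:
            continue
        if not r.controls:
            gaps.append((r.id, f"{r.article}: no control implements this requirement"))
            continue
        for c in r.controls:
            if not c.evidence:
                gaps.append((r.id, f"control {c.id} has no linked evidence"))
        if r.fulfilled and not is_ready_for_review(r):
            gaps.append((r.id, "marked Fulfilled while linked controls are not final"))
    return gaps

def sample_programme():
    """Constructed sample export: one clean requirement, two with gaps, one out of scope."""
    return [
        Requirement("ORF-336", "Art 20(1)", [Control("CTL-board-approval", "implemented",
                    ["board-minutes-2025-01.pdf"])], fulfilled=True),
        Requirement("ORF-340", "Art 21(2)", [Control("CTL-ir-runbook", "in_review")], fulfilled=True),
        Requirement("ORF-341", "Art 21(2)"),
        Requirement("MRF-292", "Art 23(4)", out_of_scope=True),
    ]
```

Running `traceability_gaps(sample_programme())` on the constructed sample flags the control without evidence, the premature attestation on ORF-340, and the uncovered ORF-341, while the out-of-scope MRF-292 is ignored.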

Evidence package baseline

A defensible NIS2 evidence package typically includes:

  • Scope — entity-classification decision with rationale and approvals; Article 4 sector-specific Union legal act equivalence memo where applicable.
  • Article 20 — Article 20(1) approval records (decisions, minutes); Article 20(2) management-body training records.
  • Article 21(2) policy set — risk-analysis methodology, information-system-security policy, incident-handling SOP, BC/DR plan, supplier policy + AI-BOM + supplier reviews, secure-development standard + vulnerability-disclosure process, internal-audit / control-testing programme, cyber-hygiene baseline + workforce training, cryptography policy + key-management procedure, HR / access / asset-management controls, MFA rollout + secured-communications baseline.
  • Article 21(3) supply chain — direct-supplier and service-provider list with vulnerability assessment outputs and product-quality / cybersecurity-practice evidence.
  • Article 21(4) corrective action — self-identified gap log with corrective measures, owners, timelines, and closure evidence.
  • Article 21(5) overlay — Implementing Regulation 2024/2690 applicability memo + technical documentation per the entity type.
  • Article 23 reporting package — timestamped 24-hour early warnings, 72-hour notifications, intermediate reports on request, one-month final reports, progress reports for ongoing incidents; authority feedback received.
  • Article 23(1)–(2) recipient communications — copies of notifications sent to recipients where applicable.
  • Articles 26–30 — Article 27 ENISA registry submission record; Article 28 domain-name database participation evidence; Article 29 information-sharing arrangement records; Article 30 voluntary-notification records.
  • Articles 32–33 — supervisory cooperation records.

Cross-framework reuse

Most NIS2-aligned organisations already operate one or more of: ISO/IEC 27001 (ISMS), ISO/IEC 27002 (control catalogue), ISO/IEC 27701 (PIMS), ISO/IEC 42001 (AI management system), DORA (for financial entities), and the EU AI Act (for in-scope AI providers / deployers).

The Modulos design encourages single-source evidence with multi-framework links: a control object can map to a NIS2 Article 21(2) requirement and at the same time to ISO/IEC 27001 Annex A.5.x and DORA Article 6, with one evidence record supporting all three.

Source attribution

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2) is published in the Official Journal of the European Union L 333, 27.12.2022, pp. 80–152. This operationalize page describes how Modulos maps NIS2 obligations to platform surfaces; the binding obligations themselves are in the EUR-Lex text and the national transposing law. Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 is published in OJ L 2024/2690 of 18.10.2024.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. The recommendations here describe common practice for NIS2-aligned governance programmes. For binding interpretation in your jurisdiction, consult the published EUR-Lex text and qualified counsel.