Operationalizing in Modulos

NIS2 implementation is most effective when organization-level governance (OFF-15) and AI-service execution (MFF-15) are run as one operating model.

Most teams use:

  • one organization project for OFF-15 governance requirements
  • one or more AI-application projects for MFF-15 execution and evidence

Where in Modulos

  • Project → Settings → Frameworks: add OFF-15 and MFF-15 to relevant projects
  • Project → Requirements: track requirement fulfillment and ownership
  • Project → Requirements → Filters: use NIS2 Scope tags to isolate conditional duties that need a scoping decision
  • Project → Controls: execute mapped controls and collect review outcomes
  • Project → Evidence: store authority notices, reports, and supporting artifacts

How to handle applicability without a questionnaire

The current NIS2 framework does not rely on a dedicated descoping questionnaire.

Use this operating pattern instead:

  1. Determine base NIS2 scope with ORF-333 to ORF-335.
  2. Filter the requirement set by the NIS2 Scope tags.
  3. Read the Applicability section in each tagged requirement.
  4. Decide whether the duty is in scope or out of scope for the project.
  5. Record the reason and supporting evidence in the requirement review and attached evidence.

This makes the scoping decision explicit and reviewable even though it is not yet automated.

A sequence that works

  1. Determine NIS2 scope and entity classification (ORF-333 to ORF-335).
  2. Review the conditional requirements using the NIS2 Scope tags (ORF-349, ORF-355 to ORF-359, MRF-291, MRF-292).
  3. Establish management accountability and Article 21 measure governance (ORF-336 to ORF-348).
  4. Activate AI-service technical measures (MRF-275 to MRF-285).
  5. Implement staged incident-reporting workflows (ORF-350 to ORF-354; MRF-286 to MRF-290).
  6. Maintain supervisory, authority-facing, and special-case duties where applicable (ORF-358 to ORF-360; MRF-291, MRF-292).

Evidence package baseline

A defensible NIS2 package usually includes:

  • scope and classification decisions with approvals
  • requirement-level scoping notes for any tagged duty treated as out of scope
  • governance policy and management-body oversight records
  • incident classification matrix and reporting runbook
  • executed 24-hour and 72-hour reporting evidence, or tested simulations
  • implementing-act applicability assessment and update log, where relevant

Disclaimer

This page is for general informational purposes and does not constitute legal advice.