Operationalizing in Modulos

NIS2 implementation is most effective when organization-level governance (OFF-15) and AI-system execution (MFF-15) are run as one operating model.

Recommended project structure

Most teams use:

• one organization project for OFF-15 governance requirements
• one or more AI-system projects for MFF-15 execution and evidence

Where in Modulos

• Project → Settings → Frameworks: add OFF-15 and MFF-15 to relevant projects
• Project → Requirements: track requirement fulfillment and ownership
• Project → Controls: execute mapped controls and collect review outcomes
• Project → Evidence: store authority notices, reports, and supporting artifacts

A sequence that works

1. Determine NIS2 scope and entity classification (ORF-284, ORF-285, ORF-295, ORF-296).
2. Establish management accountability and Article 21 measure governance (ORF-286, ORF-287, ORF-288, ORF-322 to ORF-331).
3. Activate AI-system technical measures (MRF-255 to MRF-264).
4. Implement staged incident reporting workflows (ORF-289 to ORF-293; MRF-265 to MRF-268).
5. Add special-case obligations where relevant (ORF-301, ORF-302, ORF-332; MRF-271, MRF-274).
6. Run periodic reviews and corrective actions (ORF-297, MRF-270).

Evidence package baseline

A defensible NIS2 package usually includes:

• scope and classification decisions with approvals
• governance policy and management-body oversight records
• incident classification matrix and reporting runbook (including early-warning content checks)
• executed 24-hour and 72-hour reporting evidence (or tested simulations)
• implementing-act applicability assessment and update log

Related pages

NIS2 overview

Framework structure and coverage model

Scope and applicability

Entity scope and implementing-act governance

Incident reporting and communications

Staged reporting duties and evidence workflow

Disclaimer

This page is for general informational purposes and does not constitute legal advice.