8 professional compliance documents covering all NIS2 Article 21 security measures — gap assessment, incident reporting procedures, supply chain policy, BCP template, board reporting, and a 90-day implementation roadmap.
Instant download · Perpetual licence · Free updates for 12 months (Full Toolkit)
NIS2 covers 18 sectors including energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. It also extends to digital providers — cloud services, data centres, CDN providers, online marketplaces, search engines, and social networks.
The UK Cyber Resilience Act (CRA) mirrors NIS2's structure for UK-based organisations. If you operate in the UK and any EU/IE market, you face both obligations simultaneously.
What happens without it: Fines up to €10M or 2% of global turnover. Management body members personally liable. Regulatory investigations. Reputational damage. Loss of contracts with regulated clients.
Built by Michael Adedeji CISM CISA — not a generic template house. Every document cites the specific NIS2 article it addresses. Every template is immediately usable by a compliance manager without additional research.
Structured gap assessment covering all 10 NIS2 Article 21(a-j) security measures mapped to UK CRA equivalents. Current status, gap description, risk rating, owner, and target date for every requirement. Start here.
Complete 3-stage notification procedure: 24h early warning, 72h incident notification, 1-month final report. Template notifications for UK (NCSC/ICO), Ireland (CSIRT Ireland), Singapore (CSA). Major incident classification aligned with NIS2 RTS thresholds.
NIS2 Article 21(d) compliant policy covering supplier categorisation, 15-question security assessment questionnaire, contractual security requirements, ongoing monitoring, approved supplier register, and second-tier supplier oversight.
Quarterly board report meeting NIS2 Article 20 management body oversight requirements. RAG dashboard, incident summary, NIS2 compliance status, supply chain risk, vulnerability management, regulatory updates, and decisions required.
Maps all 10 NIS2 Article 21 measures to ISO 27001:2022 Annex A controls. Shows exactly where existing ISO evidence can be reused and identifies the 8 specific gaps that ISO-certified organisations still need to close.
NIS2 Article 21(c) compliant BCP/DR template. Business Impact Analysis, recovery procedures, crisis communication plan (internal, customer, regulator templates), annual testing schedule, and RACI matrix.
NIS2 Article 21(e) compliant procedure. CVSS-based severity classification, remediation SLAs by severity, scanning frequency, third-party vulnerability tracking, patch testing procedure, monthly dashboard template.
Week-by-week plan from gap assessment to compliance-ready. Month 1: foundation & governance. Month 2: policies & procedures. Month 3: controls, testing & board sign-off. Every week has specific tasks, owners, and measurable success criteria.
Choose the level of coverage that fits where you are in your NIS2 journey.
For organisations beginning their NIS2 journey who need the core foundation documents.
Instant download. Perpetual licence.
For organisations that need full NIS2 compliance documentation coverage.
For organisations with a compliance deadline, complex environments, or who want expert guidance.
UK organisations preparing for the Cyber Resilience Act
NIS2 applies to medium and large organisations (50+ employees or €10M+ turnover) providing services in the 18 covered sectors. Small organisations may also be in scope if they provide critical infrastructure services. If you're in the UK and provide services to EU customers or partners, the UK CRA will apply similar obligations domestically. If in doubt, Document 1 (Gap Assessment) includes a scope determination checklist.
Significant overlap exists — ISO 27001 covers approximately 60–70% of NIS2 requirements. Document 5 (ISO 27001 Mapping Guide) identifies the 8 specific gaps that ISO-certified organisations still need to close. The primary gaps are: external incident reporting timelines, major incident classification criteria, management body training requirements, second-tier supply chain oversight, and sector-specific risk methodology.
Essential entities: up to €10M or 2% of total global annual turnover (whichever is higher). Important entities: up to €7M or 1.4% of total global annual turnover. Crucially, NIS2 Article 20 makes management bodies personally liable for compliance failures — individual executives can be held responsible and temporarily barred from management roles.
NIS2 directly applies in EU member states. UK-based organisations providing services in EU/IE markets may face NIS2 obligations through their EU operations or contracts. The UK Cyber Resilience Act (CRA) is being developed to create equivalent domestic obligations for UK-based organisations in critical sectors. This toolkit covers both frameworks.
With this toolkit and a dedicated programme owner, most organisations can reach a defensible compliance posture in 90 days. The 90-Day Implementation Roadmap (Document 8) breaks this down week by week. Complex organisations with significant supply chain or legacy systems may take 6 months.
NIS2 enforcement is active. Fines are real. Management body liability is personal. Every month without a compliance programme is a month of regulatory exposure.
Questions? Email info@pyralink.co.uk or call +44 (0) 191 300 2979