NIS2 Directive (EU 2022/2555)

Placeholder. Network and Information Security Directive 2 (NIS2) superseded NIS1 in October 2024. Imposes obligations on essential and important entities across critical sectors including digital infrastructure, ICT services, manufacturing, food, postal/courier. Key requirements: governance accountability (Art. 20), risk-management measures (Art. 21), incident reporting cascade with 24h early warning and 72h notification (Art. 23), vulnerability disclosure coordination. Currently referenced in synthesis worked examples but not yet curated as distinct controls — pending Phase 2 expansion.

Composition

39 controls currently indexed; participates in 29 cross-framework synthesis clusters.

Participates in synthesis

Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.

• Authentication architecture and multi-factor authentication
• Board-approved policy framework anchoring derived operational controls (legacy "supplier-policy" cluster name)
• Board-approved security policy framework — IS policy, cyber security policy, and derived operational policies
• Board-level IT/IT Strategy Committee with documented charter
• Business continuity and ICT recovery readiness
• Cloud Security Posture Management — continuous configuration assessment
• Comprehensive asset inventory with classification and ownership
• Cross-jurisdiction breach notification timelines
• Cryptographic controls, key management, and post-quantum readiness
• Cyber resilience metrics — KPIs, KRIs, Board reporting cadence
• Cyber risk assessment — technology, process, people, third-party, supply chain, post-quantum
• Cyber security roles, responsibilities, and authority — Board through operational team
• Data-at-rest protection — encryption, access, processor controls
• Data-in-transit protection and physical media handling
• Event-to-incident categorisation and assessment
• GDPR Article 33 / 34 breach notification + multi-jurisdiction coordination
• Incident response execution — detection through eradication, recovery, and lessons learned
• Incident response plan preparation, independent review, and risk-response planning
• Mandatory assurance regime — periodic audit, VAPT, third-party assessment, risk review
• Multi-regulator incident notification with coordinated submission timelines
• Privileged access management and access rights lifecycle
• Ransomware-resilient backup architecture
• Secure SDLC — threat modelling, secure coding, SAST/DAST, dependency scanning, DevSecOps
• Secure configuration baselines and hardening discipline
• Security reporting governance — CISO, DPO, incident reporting, compliance reporting
• VAPT cycle — vulnerability assessment and penetration testing programme
• Vulnerability management programme — discovery, prioritisation, remediation
• Workforce security awareness, role-based training, and human-factor controls
• Zero Trust Architecture — never trust, always verify