Overview
Draft and validate cybersecurity policies and procedures aligned with all 11 mandatory measures defined in NIS2 Directive (EU) 2022/2555, Article 21(2)(a-k). The skill covers the full policy lifecycle: gap assessment against the 11 measures, drafting policies from NIS2-specific templates, validating cross-references between related measures, and checking each document against a required section structure. It produces individual policy documents or a consolidated policy pack aligned with NIS2, ISO 27001, and enterprise governance best practices.
Organizations subject to NIS2 must demonstrate documented policies and procedures for each of the 11 measures. Missing a single measure creates an audit finding. This skill automates coverage tracking, ensures every policy references the correct NIS2 article and related measures, and enforces the structural requirements that auditors expect: document control, roles and responsibilities, policy statements, review cycles, and cross-references.
What It Covers
- All 11 Art. 21(2) measures (a-k) – risk analysis, incident handling, business continuity, supply chain security, network/system security, effectiveness assessment, cyber hygiene and training, cryptography, access control, multi-factor authentication, and secured communications
- Policy coverage assessment – scans existing workspace documents to determine which measures have policies, procedures, and implementation evidence, reporting full, partial, or no coverage per measure
- Cross-reference validation – checks that each policy properly references related measures (e.g., incident handling references business continuity, supply chain references access control)
- Policy structure enforcement – validates each document against the 10 required sections: document control, purpose/scope, NIS2 reference, definitions, roles/responsibilities, policy statements, procedures, compliance/enforcement, review cycle, and related documents
- ISO 27001 dual compliance – when the organization has ISO 27001, maps NIS2 measures to Annex A controls in each policy for dual compliance
Example Conversation
You: We’re a managed services provider classified as an important entity under NIS2. We have some existing cybersecurity policies but we’re not sure they cover all 11 mandatory measures. Can you assess where we stand and draft what’s missing?
Agent: I’ll start by scanning your workspace to see which of the 11 NIS2 Art. 21(2) measures already have policy coverage. Running policy_coverage_validator… Results – 4 of 11 measures covered:
| Measure | Title | Policy | Procedure | Evidence | Status |
|---|---|---|---|---|---|
| (a) | Risk analysis and information system security | Y | Y | Y | FULL |
| (b) | Incident handling | Y | Y | N | FULL |
| (c) | Business continuity and crisis management | N | N | N | NONE |
| (d) | Supply chain security | N | N | N | NONE |
| (e) | Network and information systems security | N | N | N | NONE |
| (f) | Effectiveness assessment | N | N | N | NONE |
| (g) | Cyber hygiene and training | Y | N | N | PARTIAL |
| (h) | Cryptography and encryption | N | N | N | NONE |
| (i) | Human resources security and access control | Y | N | Y | PARTIAL |
| (j) | Multi-factor authentication | N | N | N | NONE |
| (k) | Secured communications | N | N | N | NONE |
You have full coverage for 2 measures, partial for 2, and no coverage at all for 7. I’ll draft the missing policies starting with the measures your existing ones depend on. What is your organization’s legal name and sector classification for the policy headers?
You: Acme Managed Services GmbH, important entity, ICT service management sector. We also have ISO 27001 certification so please map Annex A controls where relevant.
Agent: I’ll draft each policy using the NIS2 template and tailor it to your sector. Starting with measure (c) Business continuity since your incident handling policy (b) needs to reference it. I’ll also add ISO 27001 Annex A cross-mappings throughout.
(Drafts policies for measures c, d, e, f, h, j, and k. Updates the partial policies for g and i with missing procedures.)
All 9 policies drafted. Let me now check cross-references across the full set. Running measure_cross_reference_checker… Results – 3 missing cross-references found:
- (b) Incident handling: Missing reference to (c) Business continuity – incident escalation should reference BCP activation triggers
- (d) Supply chain security: Missing reference to (i) Access control – third-party access governance should reference your access control policy
- (e) Network and information systems security: Missing reference to (h) Cryptography – system security should reference your encryption standards
I’ll add those cross-references now. Let me also validate the structure of the cryptography policy I just drafted. Running policy_structure_validator on measure (h)… Results – 10/10 sections present:
| Section | Status |
|---|---|
| Document control (version, date, author, approver, review date) | PRESENT |
| Purpose and scope | PRESENT |
| Applicable NIS2 article reference | PRESENT |
| Definitions and acronyms | PRESENT |
| Roles and responsibilities | PRESENT |
| Policy statements | PRESENT |
| Procedures or reference to procedure document | PRESENT |
| Compliance and enforcement | PRESENT |
| Review cycle | PRESENT |
| Related documents | PRESENT |
RESULT: All required sections are present.
All 11 measures now have full policy coverage. Your coverage report is saved at output/NIS2-Policy-Coverage-Report.md and individual policies are in output/policies/.
Sample Output Excerpt
Below is a representative excerpt from a generated NIS2 cryptography and encryption policy covering Art. 21(2)(h).
Cryptography and Encryption Policy (excerpt)
Document Control
| Field | Value |
|---|---|
| Document ID | NIS2-POL-008 |
| Version | 1.0 |
| Classification | Internal |
| Author | CISO Office |
| Approver | Chief Information Security Officer |
| Effective Date | 2026-04-01 |
| Next Review | 2027-04-01 |
1. Purpose and Scope
This policy establishes requirements for the use of cryptographic controls and encryption to protect the confidentiality, integrity, and authenticity of information processed by Acme Managed Services GmbH. It applies to all information systems, data stores, communication channels, and portable media within the scope of the NIS2 compliance program.
2. NIS2 Reference
NIS2 Directive (EU) 2022/2555, Article 21(2)(h) – Policies and procedures regarding the use of cryptography and, where appropriate, encryption. ISO 27001:2022 Annex A controls: A.8.24 (Use of cryptography), A.8.25 (Secure development lifecycle).
3. Policy Statements
3.1 All data classified as Confidential or above shall be encrypted at rest using AES-256 or equivalent algorithms approved by the organization’s cryptographic standards register.
3.2 All data in transit across untrusted networks shall be protected using TLS 1.2 or higher. TLS 1.0 and 1.1 are prohibited.
3.3 Cryptographic key management shall follow a documented lifecycle: generation, distribution, storage, rotation, revocation, and destruction. Keys shall be stored in hardware security modules (HSMs) or approved key management services.
3.4 Certificate management procedures shall ensure no certificate expires without planned renewal. Certificate inventories shall be maintained and reviewed quarterly.
3.5 The use of cryptographic algorithms shall be reviewed annually against current ENISA and BSI recommendations. Deprecated algorithms shall be phased out within 6 months of deprecation notice.
4. Roles and Responsibilities
| Role | Responsibility |
|---|---|
| CISO | Approves cryptographic standards and policy exceptions |
| Security Engineering | Maintains key management infrastructure and certificate inventory |
| Development Teams | Implements encryption per this policy in all applications |
| Operations | Monitors certificate expiry and key rotation schedules |
5. Review Cycle
This policy shall be reviewed at least annually, or upon significant changes to the threat landscape, regulatory requirements, or cryptographic standards. Review outcomes shall be documented and approved by the CISO.
6. Related Documents
- NIS2-POL-001: Risk Analysis and Information System Security Policy (a)
- NIS2-POL-005: Network and Information Systems Security Policy (e)
- NIS2-POL-010: Multi-Factor Authentication Policy (j)
- Key Management Procedure (NIS2-PROC-008)
Extension Tools
policy_coverage_validator
Scans all markdown, text, and AsciiDoc documents in the workspace to determine which of the 11 NIS2 Art. 21(2) mandatory measures have policy documents, procedure documents, and implementation evidence. For each measure (a-k), the tool checks for keyword patterns specific to that measure’s domain (e.g., “risk analysis”, “incident handling”, “business continuity”) and reports coverage status:
| Status | Meaning |
|---|---|
| FULL | Both a policy and a procedure document detected for this measure |
| PARTIAL | Only a policy, only a procedure, or only evidence detected |
| NONE | No documents matching this measure found in the workspace |
The output includes a per-measure breakdown with policy/procedure/evidence flags and a summary showing full, partial, and no-coverage counts. Run at the start of every engagement to establish the baseline and at the end to confirm all 11 measures are covered.
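As an added example (not the skill's own code), a minimal Python version of the coverage logic described above, run over a constructed workspace: document kind is inferred from the title line and measures from domain keywords, both assumed conventions, and the FULL/PARTIAL/NONE rule is applied exactly as in the status table, including the policy-plus-evidence-without-procedure case that the validator reports as PARTIAL.

```python
import re

# Constructed subset of the Art. 21(2) measures with the domain keywords the
# scanner matches on (the real tool's keyword lists are not on the page).
MEASURE_KEYWORDS = {
    "a": ["risk analysis", "risk assessment"],
    "c": ["business continuity", "crisis management"],
    "h": ["cryptography", "encryption"],
}
# Document kind is taken from the title line (assumed convention).
KIND_PATTERNS = {
    "policy": re.compile(r"\bpolicy\b", re.I),
    "procedure": re.compile(r"\bprocedure\b", re.I),
    "evidence": re.compile(r"\b(evidence|record|report|log)\b", re.I),
}
# Constructed sample workspace: (a) has all three document kinds, (h) has a
# policy and evidence but no procedure, (c) has nothing.
SAMPLE_DOCS = [
    "Risk Analysis Policy\nThis policy mandates an annual risk analysis.",
    "Risk Assessment Procedure\nSteps for performing the risk analysis.",
    "Risk Register Report 2025\nRecord of the completed risk analysis.",
    "Cryptography Policy\nApproved algorithms and encryption requirements.",
    "Key Rotation Log\nEvidence of quarterly encryption key rotation.",
]

def classify_document(text):
    """Return (kind or None, set of measure letters) for one document."""
    lines = text.strip().splitlines()
    title = lines[0] if lines else ""
    kind = next((k for k, p in KIND_PATTERNS.items() if p.search(title)), None)
    body = text.lower()
    measures = {m for m, kws in MEASURE_KEYWORDS.items() if any(k in body for k in kws)}
    return kind, measures

def coverage_status(policy, procedure, evidence):
    """FULL needs policy and procedure; any other detected flag (including
    policy plus evidence without a procedure) is PARTIAL; nothing is NONE."""
    if policy and procedure:
        return "FULL"
    return "PARTIAL" if (policy or procedure or evidence) else "NONE"

def assess_coverage(documents):
    """Per-measure breakdown {letter: (status, flags)}, as in the validator."""
    flags = {m: dict(policy=False, procedure=False, evidence=False) for m in MEASURE_KEYWORDS}
    for text in documents:
        kind, measures = classify_document(text)
        for m in measures if kind else ():
            flags[m][kind] = True
    return {m: (coverage_status(**f), f) for m, f in flags.items()}
```

The summary counts on the report (full, partial, none) follow directly from the status values returned by assess_coverage.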
measure_cross_reference_checker
Reads all policy documents in the workspace and checks that each policy properly references the related NIS2 measures it depends on. The tool uses a predefined cross-reference map based on the logical dependencies between measures:
| From Measure | Expected References | Rationale |
|---|---|---|
| (a) Risk analysis | (f) Effectiveness assessment | Close the risk management loop |
| (b) Incident handling | (a) Risk analysis, (c) Business continuity | Escalation to crisis management |
| (c) Business continuity | (b) Incident handling | BCP activation triggers |
| (d) Supply chain | (e) System security, (i) Access control | Third-party access governance |
| (e) System security | (h) Cryptography, (j) MFA | Technical security controls |
| (f) Effectiveness assessment | (a) Risk analysis | Assessment against risk baseline |
| (g) Training | All other measures | Awareness for every policy area |
| (j) MFA | (i) Access control | Overarching access governance |
Reports each missing cross-reference with specific recommendations for what to add and where.
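Added example (not the tool's own implementation) that encodes the cross-reference map above and checks constructed sample policies against it. A reference is recognised either as an Art. 21(2)(x) citation or as a NIS2-POL-0NN document ID numbered a=001 through k=011, an assumed convention modelled on the sample policy's related-documents list.

```python
import re

# Cross-reference map from the tool's table: measure -> (expected references,
# rationale). (g) Training expects every other measure.
ALL_MEASURES = "abcdefghijk"
EXPECTED_REFERENCES = {
    "a": ({"f"}, "Close the risk management loop"),
    "b": ({"a", "c"}, "Escalation to crisis management"),
    "c": ({"b"}, "BCP activation triggers"),
    "d": ({"e", "i"}, "Third-party access governance"),
    "e": ({"h", "j"}, "Technical security controls"),
    "f": ({"a"}, "Assessment against risk baseline"),
    "g": (set(ALL_MEASURES) - {"g"}, "Awareness for every policy area"),
    "j": ({"i"}, "Overarching access governance"),
}
# A reference counts when a policy cites another measure either as
# Art. 21(2)(x) or by a NIS2-POL-0NN document ID (NIS2-POL-001 is measure (a),
# NIS2-POL-011 is (k)); both are assumed conventions for this example.
ARTICLE_REF = re.compile(r"Art(?:icle|\.)\s*21\(2\)\(([a-k])\)")
DOC_ID_REF = re.compile(r"NIS2-POL-(\d{3})")

def referenced_measures(text, own_letter):
    """Measure letters cited in a policy, excluding the policy's own measure."""
    found = set(ARTICLE_REF.findall(text))
    for num in DOC_ID_REF.findall(text):
        if 1 <= int(num) <= len(ALL_MEASURES):
            found.add(ALL_MEASURES[int(num) - 1])
    found.discard(own_letter)
    return found

def check_cross_references(policies):
    """policies: {letter: text}. Returns [(from, missing_to, rationale)]."""
    findings = []
    for letter, text in policies.items():
        expected, why = EXPECTED_REFERENCES.get(letter, (set(), ""))
        for missing in sorted(expected - referenced_measures(text, letter)):
            findings.append((letter, missing, why))
    return findings

# Constructed sample policies: (b) cites (a) but not (c); (e) cites (j) but
# not (h); (c) and (h) are complete.
SAMPLE_POLICIES = {
    "b": "Incident Handling Policy\nArt. 21(2)(b). Related: NIS2-POL-001 Risk Analysis Policy.",
    "c": "Business Continuity Policy\nArticle 21(2)(c). BCP activation follows the "
         "Incident Handling Policy (NIS2-POL-002).",
    "e": "Network and Information Systems Security Policy\nArt. 21(2)(e). "
         "Administrative access requires MFA per Article 21(2)(j).",
    "h": "Cryptography and Encryption Policy\nArticle 21(2)(h). Related documents: "
         "NIS2-POL-001, NIS2-POL-005, NIS2-POL-010.",
}
```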
policy_structure_validator
Checks a policy document against the 10 required sections that NIS2 auditors and enterprise governance frameworks expect. Takes the full text of a policy and the measure letter (a-k) as input and returns a checklist:
| Required Section | What It Looks For |
|---|---|
| Document control | Version, date, author, approver, review date |
| Purpose and scope | Purpose statement and scope definition |
| NIS2 article reference | Reference to NIS2 Art. 21 and the specific measure |
| Definitions and acronyms | Glossary or definitions section |
| Roles and responsibilities | RACI or roles section |
| Policy statements | Normative statements using “shall” or “must” |
| Procedures | Procedure section or reference to separate procedure document |
| Compliance and enforcement | Non-compliance consequences and enforcement mechanisms |
| Review cycle | Annual review or review frequency statement |
| Related documents | Cross-references to related policies and procedures |
Returns PRESENT or ABSENT for each section with a pass/fail result. Run on every drafted or reviewed policy before finalizing – missing sections are the most common audit finding.
Getting Started
Install the NIS2 Policies & Procedures skill from the skill library.
Have this information ready before starting:
- Existing policies and procedures – upload any current cybersecurity policies, acceptable use policies, incident response plans, or security procedures to the workspace so the coverage validator can detect them
- Organization details – legal name, NIS2 entity classification (essential or important), sector, and member state
- Governance context – whether you hold ISO 27001 or other certifications that the agent should map to NIS2 measures for dual compliance
- Stakeholder names – who approves policies (CISO, DPO, management board) for the document control sections
Start with a prompt like:
- “We need NIS2-compliant cybersecurity policies for all 11 mandatory measures. We’re an essential entity in the energy sector.”
- “Check which NIS2 Art. 21 policy documents we’re missing and draft the gaps.”
- “Create a cryptography and encryption policy per NIS2 Art. 21(2)(h).”
The agent runs policy_coverage_validator first to assess your baseline, then drafts missing policies in dependency order (risk analysis first, then measures that reference it), validates cross-references, and checks every policy’s structure before saving. Individual policies go to output/policies/ and the coverage report to output/NIS2-Policy-Coverage-Report.md.