NIS2 readiness cannot remain a policy exercise. Directive obligations require documented measures, named responsibilities, and governance records that can be shown to supervisory authorities.
EAB extends its AI governance infrastructure into NIS2 — so cybersecurity obligations become part of the same record as EU AI Act compliance, not a separate system.
“Most organisations that are subject to NIS2 are also using AI systems. Managing cybersecurity governance and AI governance in separate tools means auditors see two partial records — and neither one tells the complete story.”
The NIS2 Readiness module addresses the governance gap between cybersecurity obligations and the evidence record that NIS2 supervisory authorities expect. Article 21 requires documented cybersecurity risk management measures — ten categories, each requiring implementation evidence and named responsibility.
EAB structures NIS2 obligations as governed records — each measure with an owner, an implementation state, and an evidence record. Article 23 incident reporting requirements are documented with structured timelines and response records. Supply chain security obligations are addressed through the vendor governance layer.
For organisations that use AI systems covered by the EU AI Act, the NIS2 module operates within the same governance infrastructure — so the AI system record, the cybersecurity measure record, and the incident record are one coherent governance artefact, not three separate documents.
Each capability is connected to the shared system inventory, evidence layer, and audit trail.
Article 21 requires appropriate and proportionate cybersecurity risk management measures. EAB documents each measure in a structured record — with the security objective it addresses, the implementation state, and the responsible owner.
All ten Article 21 measure categories — from policies on information security to access control, encryption, and business continuity — are tracked as separate governance objects with individual evidence and ownership records.
AI systems subject to the EU AI Act often also require NIS2-compliant cybersecurity measures. This module connects the NIS2 governance record to the AI Act system record — so cybersecurity evidence supports both compliance frameworks simultaneously.
Article 23 requires notification of significant incidents within defined timeframes. EAB documents incident events with a structured timeline, notification records, response measures, and resolution status, all within the governance audit trail.
Supply chain security obligations under NIS2 are addressed through vendor governance records that document security requirements for each supplier, evidence of compliance, and the procurement context. These records are connected to the GDPR vendor governance layer where applicable.
NIS2 supervisory authorities may request evidence of cybersecurity risk management. EAB exports a structured NIS2 governance record — measure documentation, evidence, incident history, and responsibility attribution — ready for submission.
The NIS2 Readiness module uses the same AI system inventory as the EU AI Act module. Cybersecurity measures are linked to the systems they protect — systems that are already registered and governed in EAB.
Evidence uploaded for NIS2 cybersecurity measures is available in the same evidence layer as EU AI Act evidence. Where the same security measure supports both EU AI Act Art. 15 and NIS2 Art. 21 obligations, it is documented once and referenced in both obligation records.
At audit time, a supervisory authority reviewing NIS2 compliance sees the cybersecurity record alongside the AI governance record — one coherent governance infrastructure, not two parallel systems that need reconciliation.
Available as an add-on for Professional and Enterprise. Shares one system inventory, one evidence layer, and one audit trail with the EU AI Act module.
EU-hosted · Anchored to CELEX 32024R1689