Playbooks for NIS 2 Compliance

Find out what NIS 2 means for your organisation and how playbooks can simplify operational compliance.

Manos Athanatos
Co-founder
September 1, 2025

What is NIS 2?

The NIS 2 Directive (EU) 2022/2555 is the European Union’s updated cybersecurity legislation aiming to improve the security posture and resilience of critical infrastructure and essential services across Member States. Replacing the original NIS Directive, NIS 2 introduces a broader scope, stricter obligations, and stronger enforcement mechanisms.

Entities operating in sectors like energy, transport, finance, healthcare, and digital infrastructure are now classified under two main categories: Essential and Important. Based on this classification, organisations must implement robust risk management, incident response, and reporting procedures, while coordinating closely with their National Authorities.

To comply with NIS 2, organisations must:

  1. Determine whether they fall under the Essential or Important Entity category
  2. Consult national guidelines to understand how and when to register under the NIS 2 National Registry
  3. Set up internal procedures in line with NIS requirements, including:
    • Timely incident notification (within 24 and 72 hours)
    • Risk management and reporting
    • Appointing a responsible person for compliance

Why use playbooks for NIS 2 compliance?

Playbooks help define and document processes in a structured, repeatable, and optimised manner. They can be high-level guides that teams follow manually, or machine-readable and executable documents run by orchestration and automation platforms.

Since NIS 2 compliance is not just a policy challenge but an ongoing operational responsibility, using well-defined playbooks helps organisations:

  • Standardise and automate compliance workflows: Encoding NIS 2 compliance procedures into easy-to-read playbooks supports knowledge sharing across teams and simplifies day-to-day execution. These playbooks can guide non-technical teams while remaining actionable for technical operations.
  • Improve incident management and reporting: Playbooks can include executable templates for notifying authorities, informing stakeholders, and tracking internal response actions. This ensures:
    • Alignment with the 24-hour initial notification and 72-hour reporting deadlines
    • Documentation and evidence of due process to avoid potential non-compliance penalties

By using playbooks, compliance efforts evolve from static documents into a living, updatable, shareable, and executable process that supports continuous readiness and auditability.

Playbooks for NIS 2 compliance in the Cymph Playbook Hub

To support organisations in their NIS 2 readiness journey, our team has published two publicly available playbooks in the Cymph Playbook Hub — a free, open-access preview of all playbooks shared publicly by the Cymph team and our users.

Playbook: “Determine Your NIS 2 Entity Classification”

A high-level guidance playbook that helps organisations assess whether they are an Essential or Important Entity under the NIS 2 Directive. The playbook outlines all the necessary steps with references to the legislation to assist with accurate classification.


Playbook: “NIS 2 – Incident Notification Guide”

This playbook walks teams through the incident notification process under NIS 2, offering guidance on what to report, when, and to whom. It is designed to help organisations affected by an incident meet notification timelines and ensure that all necessary details are captured and communicated.


Looking ahead: Operationalising NIS 2 with confidence

NIS 2 represents a significant evolution in how cybersecurity is governed across the EU, shifting from high-level policy to enforceable operational obligations. For security teams, this means building reliable, repeatable processes that not only meet compliance requirements but also improve incident readiness and cross-team coordination.

Playbooks offer a practical approach to doing just that. By turning regulatory guidance into clear, executable steps, they help bridge the gap between policy and action.

Whether you're at the beginning of your NIS 2 journey or refining your existing processes, adopting a playbook-driven approach can simplify complexity, reduce ambiguity, and ensure teams are aligned when it matters most.