NIS 2 evidence collection with ISMS Copilot
Evidence your Article 21 risk-management measures and Article 23 incident records for the competent authority.
Evidencing the Art. 21 measures for a competent authority
NIS 2 supervision is not certification — a competent authority can request evidence that your Article 21 risk-management measures are implemented and that Article 23 incident notifications were made on time. Article 21 lists the minimum measures: risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, security in acquisition and development, policies to assess the effectiveness of measures, and more. ISMS Copilot maps each Article 21 measure to the evidence that demonstrates it exists and operates, and builds the Article 23 incident-record set: the early warning, the incident notification, and the final report, with the timing the directive requires. The output is an authority-facing evidence file organized measure by measure, so a supervisory request does not turn into a scramble.
Supervisory evidence workflow
- Map each Article 21 measure to the evidence that demonstrates implementation and operation
- Build the Article 23 incident-record set — early warning, notification, and final report
- Document board-level accountability under the NIS 2 management-body obligations
- Assemble supply-chain security assessment evidence
- Organize the evidence file measure by measure for a supervisory request
- Cross-map to ISO 27001 controls where the entity already runs an ISMS
Why teams use it for NIS 2 evidence
- Answer a competent authority's request without an internal fire drill
- Demonstrate every Article 21 measure with a named, located artefact
- Keep Article 23 incident records on the directive's reporting timeline
- Reuse ISO 27001 evidence where the controls already overlap
Frequently Asked Questions
Is NIS 2 evidence collected for a certificate?
No. NIS 2 has no certification scheme. Evidence is collected so you can demonstrate compliance to a competent authority on request, or during a supervisory action or post-incident review. The structure differs from ISO 27001 because there is no auditor sampling against a Statement of Applicability.
What Article 23 records matter most?
The notification chain: the early warning, the incident notification, and the final report, each within the timing NIS 2 sets. ISMS Copilot builds a record template for each step so the timeline is documented as the incident progresses, not reconstructed afterward.
Can ISO 27001 evidence be reused for NIS 2?
Substantially, yes. Several Article 21 measures overlap with ISO 27001 Annex A controls. ISMS Copilot cross-maps them so an entity already running an ISMS reuses existing evidence rather than building a parallel set.
Build your NIS 2 evidence file
Evidence the Article 21 measures and Article 23 records before a competent authority asks.
