Free template — no email gate

Free NIS2 gap analysis template (Article 21) — XLSX

A self-assessment workbook pre-structured from the text of Directive (EU) 2022/2555: one row per Art. 21(2) cybersecurity risk-management measure (a)–(j), a tracker for every Art. 23 reporting deadline, and verdict dropdowns so the result is countable. Download it, fill it in, keep it — the links are direct files.

No form, no sign-up. Requirement wording follows the directive as published on EUR-Lex.

What's inside

Three sheets, ten measures, one clock.

Sheet 1 — Gap register

One row per Art. 21(2) risk-management measure, (a) through (j) — risk analysis policies, incident handling, business continuity, supply chain security, secure acquisition and development, effectiveness assessment, cyber hygiene and training, cryptography, HR security and access control, multi-factor authentication. Columns: Ref, Requirement, Current state, Verdict (Compliant / Partial / Gap dropdown), Evidence, Remediation, Owner, Due, Notes.

Sheet 2 — Incident reporting (Art. 23)

A tracker for every reporting duty on a clock: the significance test (Art. 23(3)), the 24-hour early warning, the 72-hour incident notification, the intermediate report on request, the one-month final report, the ongoing-incident progress report, and the duty to notify service recipients. Same tracking columns as the register.

Sheet 3 — About

What the workbook is, the EUR-Lex source it was built from, the license (free to use internally, not for resale), and the generation date — so the file stays honest when it circulates without this page.

How to use it

Four passes, in order.

  1. Fill the current-state column

     From your real policies, runbooks and contracts — not from intentions. If the evidence cell stays empty, the verdict is probably not Compliant.

  2. Set a verdict per row

     Compliant, Partial, or Gap — the dropdown keeps the register countable. Art. 21(4) expects corrective measures without undue delay once you find non-compliance.

  3. Assign remediation, owner, due date

     Every Partial and Gap row gets all three. A register without owners is a wish list.

  4. Test Art. 23 against a clock

     Could you file an early warning 24 hours from now, with an on-call rota and a CSIRT contact path? The second sheet makes that a row-by-row answer.

Prefer it filled in? The same structure, produced and cited by the gateway — every requirement fetched from the regulation, every verdict traced to evidence, reviewed by a practitioner. Read the sample gap analysis or scope a gap analysis.

Questions before you download

The short answers

Is it really free — no email?

Yes. The download links above are direct file links: no form, no email address, no account. Use and adapt the workbook inside your organisation; the one thing we ask is that you don't resell it or redistribute it as a standalone product.

What law is it based on?

Directive (EU) 2022/2555 (NIS2), Articles 21 and 23, as published on EUR-Lex. The requirement rows quote or closely paraphrase the directive text — the ten Art. 21(2) measure families (a)–(j) and the Art. 23 duties, including the 24-hour early warning, 72-hour notification, and one-month final report.

Can Ansvar fill it in for us?

Yes. The gap-analysis service produces the same register completed for your organisation — every requirement fetched from the regulation through the Ansvar gateway, every verdict cited and reviewed by a practitioner. Read a complete worked sample to see what that looks like before you book anything.

Is this legal advice?

No. Ansvar is not a law firm, and the template is a working format, not legal advice: it gives you the directive's structure and provision references, and every row traces to the article it rests on. What you fill in is your assessment — the format is built so your counsel can check each line and take the legal position.