Free NIS2 gap analysis template (Article 21) — XLSX
A self-assessment workbook pre-structured from the text of Directive (EU) 2022/2555: one row per Art. 21(2) cybersecurity risk-management measure (a)–(j), a tracker for every Art. 23 reporting deadline, and verdict dropdowns so the result is countable. Download it, fill it in, keep it: the links point directly to the files.
No form, no sign-up. Requirement wording follows the directive as published on EUR-Lex.
Three sheets, ten measures, one clock.
Sheet 1 — Gap register
One row per Art. 21(2) risk-management measure, (a) through (j) — risk analysis policies, incident handling, business continuity, supply chain security, secure acquisition and development, effectiveness assessment, cyber hygiene and training, cryptography, HR security and access control, multi-factor authentication. Columns: Ref, Requirement, Current state, Verdict (Compliant / Partial / Gap dropdown), Evidence, Remediation, Owner, Due, Notes.
Sheet 2 — Incident reporting (Art. 23)
A tracker for every reporting duty on a clock: the significance test (Art. 23(3)), the 24-hour early warning, the 72-hour incident notification, the intermediate report on request, the one-month final report, the ongoing-incident progress report, and the duty to notify service recipients. Same tracking columns as the register.
Sheet 3 — About
What the workbook is, the EUR-Lex source it was built from, the license (free to use internally, not for resale), and the generation date — so the file stays honest when it circulates without this page.
Four passes, in order.
- 01 Fill the current-state column
  From your real policies, runbooks and contracts — not from intentions. If the evidence cell stays empty, the verdict is probably not Compliant.
- 02 Set a verdict per row
  Compliant, Partial, or Gap — the dropdown keeps the register countable. Art. 21(4) expects corrective measures without undue delay once you find non-compliance.
- 03 Assign remediation, owner, due date
  Every Partial and Gap row gets all three. A register without owners is a wish list.
- 04 Test Art. 23 against a clock
  Could you file an early warning 24 hours from now, with an on-call rota and a CSIRT contact path? The second sheet makes that a row-by-row answer.
The short answers
- Is it really free — no email?
- Yes. The download links above are direct file links: no form, no email address, no account. Use and adapt the workbook inside your organisation; the one thing we ask is that you don't resell it or redistribute it as a standalone product.
- What law is it based on?
- Directive (EU) 2022/2555 (NIS2), Articles 21 and 23, as published on EUR-Lex. The requirement rows quote or closely paraphrase the directive text — the ten Art. 21(2) measure families (a)–(j) and the Art. 23 duties, including the 24-hour early warning, 72-hour notification, and one-month final report.
- Can Ansvar fill it in for us?
- Yes. The gap-analysis service produces the same register completed for your organisation — every requirement fetched from the regulation through the Ansvar gateway, every verdict cited and reviewed by a practitioner. Read a complete worked sample to see what that looks like before you book anything.
- Is this legal advice?
- No. Ansvar is not a law firm, and the template is a working format, not legal advice: it gives you the directive's structure and provision references, and every row traces to the article it rests on. What you fill in is your assessment — the format is built so your counsel can check each line and take the legal position.