Two templates have been sitting in our dist/templates/ folder long enough — time to put them in the open. Both are the actual artefacts we hand to SaaS vendors preparing for NIS2 supply-chain reviews, refined against real customer audits. Free, MIT-style, opinionated. No 90-page playbook — just the two spreadsheets that close the gap between “we know we should” and “here’s what we did.”
Template 1 — NIS2 Article 21 Self-Audit (Excel)
Download: /nis2-template — file nis2-art21-self-audit-v1.xlsx (10 KB)
What’s inside (60-second tour)
One sheet, ten rows — the Article 21(2) measures (a) through (j), with the columns that auditors actually ask about:
| Column | What goes in it | Why it matters |
|---|---|---|
| Measure | The Article 21(2) letter and short name | Auditor reference, not your wording |
| Evidence | The artefact, link, or document ID | Trust-but-verify: a sentence is not evidence |
| Owner | Named person, not a department | “IT” is not an owner |
| Last review | Date | Stale evidence reads as unmanaged |
| Status | Implemented / Partial / Gap | Honest — partials are fine, blanks are not |
| Next action | Concrete, dated | Closes the loop with the auditor |
The template ships with the structure pre-filled and a worked example row for measure (g) “basic cyber hygiene” so you can see the cadence before you populate the rest.
Who it’s for
- SaaS vendors who got asked “do you have a NIS2 readiness document?” by an enterprise customer and need to answer in the same week.
- Managing Directors under §38 BSIG personal-liability scope who need a defensible single page to walk a board through.
- Compliance leads who don’t want to start a fresh spreadsheet from scratch — again.
It is not for: large enterprises with a full GRC stack, or for anyone hoping a template alone solves Article 21 (it doesn’t — it organises the conversation).
Template 2 — NIS2 Incident Readiness Bundle (ZIP)
Download: /nis2-incident-template — file nis2-incident-readiness-bundle-v1.zip (221 KB)
What’s inside (60-second tour)
A four-file bundle that maps directly to the NIS2 Article 23 reporting timeline, starting with the 24-hour early-warning obligation:
- 24h early-warning notification template — the exact fields BSI’s Meldeportal expects, in the order it expects them.
- 72h incident notification template — the follow-up, with the new fields you have to add and a checklist of what not to leave blank.
- 30-day final report template — root cause, mitigation, and the lessons-learned format that satisfies the regulator without exposing material you don’t have to share.
- Tabletop exercise script — a 45-minute internal drill: scenario, role cards, timer, decisions to force. Run it once before you need it for real.
Each file is plain .docx plus a one-page README that tells you when to use which.
Who it’s for
- Any SaaS vendor in NIS2 scope whose incident response runbook currently lives in a Slack pin.
- Teams who have a runbook but have never timed a 24-hour notification end-to-end (a tabletop reliably shows it takes 8–10 hours of decisions, not 24).
- Founders who want a clean “we ran this drill” line for the next vendor questionnaire.
Not for: regulated industries that already follow a sector-specific incident template (DORA, BaFin). Use ours as a sanity check, not a replacement.
Why two, not ten
Both templates were built because we needed them, not because someone built a content calendar. We stopped at two because more would dilute the point: Article 21 is the what, incident readiness is the what-if. Cover both and you are 80% of the way through the evidence pack an auditor expects. Cover one, and a single follow-up question can derail the review.
You do not have to use ours. If you already have a self-audit that holds up in front of an auditor, keep it. If you don’t, opening a fresh Excel at 5 p.m. on a Friday is the wrong starting point — and that is the version of the problem these templates solve.
How they pair with the scan
These are documentation templates. They sit next to — not instead of — the technical posture proof. The workflow we recommend:
1. Run a free SaaSFort scan on your production domain. You get an A–F grade in 60 seconds and a per-control NIS2 mapping.
2. Open the Article 21 self-audit template. Use the scan output to populate the “Evidence” column for measures (e) “secure system acquisition” and (g) “cyber hygiene” — the two rows that auditors test first because they are testable.
3. Run the incident readiness tabletop once. Date it. Add the date to the Article 21 self-audit under measure (b).
4. Publish the result on your public trust page so the next customer review starts with verification, not introduction.
That is the entire opinionated path: scan, document, drill, publish. Two templates do steps 2 and 3.
FAQ
Are these templates official BSI artefacts? No. They are the working templates SaaSFort uses internally and with customers. The Article 21 row structure follows the directive language verbatim; the incident bundle field names match the BSI Meldeportal. Neither is a substitute for legal review.
Do I have to give my email to download? The download lives behind a one-field email gate so we can ship updates when the directive changes. The artefact itself is free and unwatermarked once downloaded.
Are German-language versions available? Yes. The download pages auto-detect locale, and the bundle includes German-language variants of the incident-notification fields aligned with BSI Meldeportal terminology.
Can I share these with my team or customers? Yes. Use them, fork them, rename the title block. We only ask that you don’t repackage them for resale.
Two templates, two downloads, one workflow. Start with the Article 21 self-audit, add the incident readiness bundle, and validate the technical rows with a free scan. The next vendor review will be faster than the last one.