SaaSFort NIS2 Practical Templates: Article 21 + Incident Readiness

Two free, opinionated templates SaaSFort uses with customers: an Article 21 self-audit (Excel) and a 24-hour incident readiness bundle. Direct downloads, no fluff.

SaaSFort Team · 5 min read

Two templates have been sitting in our dist/templates/ folder long enough — time to put them in the open. Both are the actual artefacts we hand to SaaS vendors preparing for NIS2 supply-chain reviews, refined against real customer audits. Free, MIT-style, opinionated. No 90-page playbook — just the two spreadsheets that close the gap between “we know we should” and “here’s what we did.”

Template 1 — NIS2 Article 21 Self-Audit (Excel)

Download: /nis2-template — file nis2-art21-self-audit-v1.xlsx (10 KB)

What’s inside (60-second tour)

One sheet, ten rows — the Article 21(2) measures (a) through (j), with the columns that auditors actually ask about:

| Column      | What goes in it                          | Why it matters                                   |
|-------------|------------------------------------------|--------------------------------------------------|
| Measure     | The Article 21(2) letter and short name  | Auditor reference, not your wording              |
| Evidence    | The artefact, link, or document ID       | Trust-but-verify: a sentence is not evidence     |
| Owner       | Named person, not a department           | “IT” is not an owner                             |
| Last review | Date                                     | Stale evidence reads as unmanaged                |
| Status      | Implemented / Partial / Gap              | Honest — partials are fine, blanks are not       |
| Next action | Concrete, dated                          | Closes the loop with the auditor                 |

The template ships with the structure pre-filled and a worked example row for measure (g) “basic cyber hygiene” so you can see the cadence before you populate the rest.

Who it’s for

  • SaaS vendors who got asked “do you have a NIS2 readiness document?” by an enterprise customer and need to answer in the same week.
  • Managing Directors under §38 BSIG personal-liability scope who need a defensible single page to walk a board through.
  • Compliance leads who don’t want to start a fresh spreadsheet from scratch — again.

It is not for: large enterprises with a full GRC stack, or for anyone hoping a template alone solves Article 21 (it doesn’t — it organises the conversation).

Template 2 — NIS2 Incident Readiness Bundle (ZIP)

Download: /nis2-incident-template — file nis2-incident-readiness-bundle-v1.zip (221 KB)

What’s inside (60-second tour)

A four-file bundle that maps directly to the NIS2 24-hour early-warning obligation under Article 23:

  1. 24h early-warning notification template — the exact fields BSI’s Meldeportal expects, in the order it expects them.
  2. 72h incident notification template — the follow-up, with the new fields you have to add and a checklist of what not to leave blank.
  3. 30-day final report template — root cause, mitigation, and the lessons-learned format that satisfies the regulator without exposing material you don’t have to share.
  4. Tabletop exercise script — a 45-minute internal drill: scenario, role cards, timer, decisions to force. Run it once before you need it for real.

Each file is plain .docx plus a one-page README that tells you when to use which.

Who it’s for

  • Any SaaS vendor in NIS2 scope whose incident response runbook currently lives in a Slack pin.
  • Teams who have a runbook but have never timed a 24-hour notification end-to-end (a tabletop reliably shows it takes 8–10 hours of decisions, not 24).
  • Founders who want a clean “we ran this drill” line for the next vendor questionnaire.

Not for: regulated industries that already follow a sector-specific incident template (DORA, BaFin). Use ours as a sanity check, not a replacement.

Why two, not ten

Both templates were built because we needed them, not because someone built a content calendar. We stopped at two because more would dilute the point: Article 21 is the what, incident readiness is the what-if. Cover both and you are 80% of the way through the evidence pack an auditor expects. Cover one, and a single follow-up question can derail the review.

You do not have to use ours. If you already have a self-audit that holds up in front of an auditor, keep it. If you don’t, opening a fresh Excel at 5 p.m. on a Friday is the wrong starting point — and that is the version of the problem these templates solve.

How they pair with the scan

These are documentation templates. They sit next to — not instead of — the technical posture proof. The workflow we recommend:

  1. Run a free SaaSFort scan on your production domain. You get an A–F grade in 60 seconds and a per-control NIS2 mapping.
  2. Open the Article 21 self-audit template. Use the scan output to populate the “Evidence” column for measures (e) “secure system acquisition” and (g) “cyber hygiene” — the two rows that auditors test first because they are testable.
  3. Run the incident readiness tabletop once. Date it. Add the date to the Article 21 self-audit under measure (b).
  4. Publish the result on your public trust page so the next customer review starts with verification, not introduction.

That is the entire opinionated path: scan, document, drill, publish. Two templates do steps 2 and 3.

FAQ

Are these templates official BSI artefacts? No. They are the working templates SaaSFort uses internally and with customers. The Article 21 row structure follows the directive language verbatim; the incident bundle field names match the BSI Meldeportal. Neither is a substitute for legal review.

Do I have to give my email to download? The download lives behind a one-field email gate so we can ship updates when the directive changes. The artefact itself is free and unwatermarked once downloaded.

Are German-language versions available? Yes. The download pages auto-detect locale, and the bundle includes German-language variants of the incident-notification fields aligned with BSI Meldeportal terminology.

Can I share these with my team or customers? Yes. Use them, fork them, rename the title block. We only ask that you don’t repackage them for resale.


Two templates, two downloads, one workflow. Start with the Article 21 self-audit, add the incident readiness bundle, and validate the technical rows with a free scan. The next vendor review will be faster than the last one.
