How to Write a NIS2 Compliance Report (2026 Guide)
Report structure, Article 21 measures, technical evidence auditors expect: the complete guide to writing a clear, actionable NIS2 compliance report.

Introduction
The NIS2 directive (Network and Information Security 2) has entered its enforcement phase: tens of thousands of European companies must now demonstrate their security posture, not merely declare it. At the heart of that demonstration sits the NIS2 compliance report.
But practically speaking, how do you write one? What must it contain? What technical evidence should be attached? This guide gives you a proven structure, the pitfalls to avoid, and a method to produce a report your board and your national regulator can both work with.
Reminder: who falls under NIS2?
NIS2 massively widens the scope of its predecessor NIS1. It distinguishes two categories of organizations:
- Essential entities (EE): energy, transport, banking, health, water, digital infrastructure, public administration… typically over 250 employees or €50M in revenue.
- Important entities (IE): postal services, waste management, food, manufacturing, digital providers… typically over 50 employees or €10M in revenue.
What must a NIS2 report contain?
The core of the directive is Article 21, which mandates ten families of cyber risk management measures. Your report must document each of them, with supporting evidence.
| Measure (Article 21) | What the report must demonstrate |
|---|---|
| Risk analysis and information system security | Risk methodology, asset inventory, identified risks |
| Incident handling | Detection, triage and notification procedure (24h / 72h) |
| Business continuity | Backups, disaster recovery, crisis management |
| Supply chain security | Assessment of critical suppliers and subcontractors |
| Security in acquisition and development | Vulnerability management and disclosure processes |
| Effectiveness assessment | Security audits, vulnerability scans, penetration tests |
| Cyber hygiene and training | Awareness programs for staff and executives |
| Cryptography and encryption | Encryption policies for sensitive data |
| HR security and access control | Identity, account and privilege management |
| Multi-factor authentication and secured communications | MFA deployment, communication security |
The 6 steps to write your NIS2 report
Step 1: map your perimeter
You cannot protect what you don't know exists. The first section of your report should present a complete map of your information system: domains, subdomains, public IP addresses, exposed services, cloud assets and Shadow IT.
This is the most underestimated step: most organizations discover 20–30% of exposed assets they didn't know about during their first mapping exercise. We wrote a full guide on the topic: how to map your company's information system.
Step 2: assess your risks
Based on that map, document your risk analysis: threats relevant to your sector, identified vulnerabilities, potential impacts (financial, operational, reputational) and likelihood. Use a recognized methodology (EBIOS Risk Manager, ISO 27005) and state it explicitly in the report.
Step 3: document the measures in place
For each of the ten Article 21 measures, describe:
- The policy or procedure in force.
- The technical controls deployed (MFA, encryption, EDR, backups…).
- The actual coverage level (what percentage of the perimeter is protected?).
- The residual gaps and their justification.
Step 4: provide technical evidence
This is what separates a credible report from a statement of intent. Auditors and regulators expect dated, reproducible evidence:
- Recent vulnerability scan results covering the entire exposed perimeter.
- Penetration test or security audit reports.
- Vulnerability lifecycle logs: detection → triage → remediation → re-test.
- Remediation time indicators (MTTR) per CVSS severity level.
Step 5: formalize the remediation plan
List the identified gaps, prioritized by severity, each with an owner, a deadline, and a budget where relevant. A report that shows weaknesses plus a credible action plan inspires far more confidence than one claiming everything is fine.
Step 6: describe your incident notification process
NIS2 imposes strict deadlines for significant incidents:
- 24 hours: early warning to the national CSIRT.
- 72 hours: detailed notification with an initial assessment.
- 1 month: final incident report.
Your compliance report must describe who detects, who qualifies, who notifies, and with which tools ideally referencing a crisis exercise performed within the year.
A reusable NIS2 report structure
Here is an outline you can reuse directly:
- Executive summary (1–2 pages, non-technical)
- Scope and classification (EE or IE, sectors, subsidiaries)
- Information system map
- Risk analysis (method, results, major risks)
- Status of Article 21 measures (the 10 families, with evidence)
- Technical assessment results (scans, pentests, audits)
- Prioritized remediation plan
- Incident handling and notification process
- Appendices: scan reports, registers, policies
The most common mistakes
- The declarative report: describing policies without any measurable technical evidence.
- The incomplete perimeter: forgetting subsidiaries, cloud assets or Shadow IT a forgotten subdomain is still your responsibility.
- The unreadable report: 200 pages of raw tool output nobody reads. The board must be able to understand and decide.
- The single snapshot: one frozen annual audit, when NIS2 expects a continuous process.
- No follow-up: vulnerabilities found last year still present this year, with no justification.
Automating your NIS2 report with Flawfence
Producing this evidence manually takes weeks of work and it has to be redone continuously. That is exactly the problem Flawfence solves:
- Automatic mapping of your exposed perimeter: subdomains, IPs, services, Shadow IT 100% of the perimeter discovered with zero configuration.
- Continuous vulnerability scanning with AI validation: zero false positives, only genuinely exploitable flaws.
- A NIS2-ready report in 5 minutes: CVSS v4 scoring, prioritization, remediation guidance written in plain language for executives and technical teams alike.
- A sovereign solution, hosted in France.
FAQ: NIS2 compliance report
Is a NIS2 report mandatory?
The directive does not mandate a single report format, but it does require you to demonstrate implementation of the Article 21 measures, notify incidents, and submit to regulator inspections. In practice, a structured compliance report is the standard way to meet these obligations.
How often should it be updated?
At least once a year, and after any major change to the information system or significant incident. Technical evidence (vulnerability scans) should be renewed monthly or continuously.
What are the penalties for non-compliance?
Up to €10M or 2% of worldwide turnover for essential entities (€7M or 1.4% for important entities), plus possible temporary management bans for executives in cases of serious breaches.
What's the difference between a NIS2 report and an ISO 27001 report?
ISO 27001 is a voluntary certification standard centered on a management system (ISMS); NIS2 is a regulatory obligation centered on concrete measures and incident notification. They overlap heavily: if you are ISO 27001 certified, you already have most of the building blocks. See our guide on automating vulnerability scans for ISO 27001.
Conclusion
A good NIS2 report rests on three pillars: an exhaustive perimeter map, recurring technical evidence, and readability that lets executives assume their new responsibilities. By automating mapping and scanning with a solution like Flawfence, you turn a regulatory chore into a genuine security steering tool.
Request your first report today it only takes 5 minutes.
Let’s discuss your external exposure
Request a personalized Flawfence demo and discover your real exposure level.
