If you are a compliance lead, cybersecurity officer, or operational risk manager at a UK critical national infrastructure operator, this playbook was built for you.
As an operator within the energy, utilities, or broader critical national infrastructure (CNI) sector, you face mounting regulatory scrutiny under the NIS2 Directive. Your team must demonstrate compliance with Articles 21, 23, including robust technical and organisational security measures, real-time incident reporting, and audit-ready documentation for oversight bodies such as the National Cyber Security Centre (NCSC), OFGEM, and sector-specific regulators. The complexity of aligning operational technology (OT) environments with evolving cyber resilience mandates, while maintaining compliance with sector standards like IET and IEC 62443, creates significant operational strain. Failure to produce verifiable, up-to-date evidence risks enforcement actions, financial penalties, and reputational damage.
Engaging a Big-4 consultancy to develop a NIS2 compliance framework typically costs between EUR 80,000 and EUR 250,000. Alternatively, dedicating internal resources requires 3 to 5 full-time equivalents over 4 to 6 months, diverting attention from core operational resilience tasks. This playbook delivers the same structured, regulator-aligned methodology for a one-time cost of $395.
What you get
| Phase | Deliverable | File Count | Format | Purpose |
|---|---|---|---|---|
| 1. Readiness Assessment | Domain-Specific NIS2 Gap Assessments (7 domains) | 7 | XLSX, PDF | Evaluate current posture against NIS2 Articles 21, 23 across governance, asset management, supply chain, incident response, business continuity, staff training, and monitoring |
| 2. Risk & Evidence | Evidence Collection Runbook | 1 | PDF, DOCX | Step-by-step guide to gather, label, store, and version-control evidence required for NIS2 audits |
| 3. Audit Preparation | NIS2 Audit Prep Playbook | 1 | PDF, DOCX | Checklist-driven process to compile audit packs, respond to regulator queries, and conduct internal mock audits |
| 4. Governance & Roles | RACI Matrix Template | 1 | XLSX | Define accountability for NIS2 compliance tasks across legal, IT, OT, and executive teams |
| 4. Governance & Roles | Work Breakdown Structure (WBS) Template | 1 | XLSX | Break down NIS2 implementation into time-bound, resource-assigned tasks |
| 5. Cross-Alignment | Cross-Framework Mappings | 53 | XLSX | Detailed mappings between NIS2, ISO/IEC 27001, IEC 62443, NCSC ICS COI Guidance, and OFGEM NIS Inspection Framework |
| 6. Reporting | Board-Level NIS2 Compliance Report Template | 1 | PPTX, DOCX | Executive summary format for reporting compliance status, risk exposure, and mitigation plans to senior leadership |
| 7. Sample Implementation | Sample Chapter: 30-Question NIS2 Article 21 Security Requirement Assessment for OT Environments | 1 | | Illustrative assessment module demonstrating how domain-specific evaluations are structured and scored |
| Total | | 64 | | |
Domain assessments
Each of the seven domain assessments contains 30 targeted questions aligned with NIS2 Articles 21, 23 and sector-specific operational realities. They are designed to identify gaps, prioritise remediation, and generate evidence trails.
- Asset Management and Inventory Control: Assesses completeness and accuracy of OT and IT asset registers, including legacy systems and third-party devices.
- Security Policies and Governance: Evaluates the existence, approval, and enforcement of security policies across technical and operational units.
- Supply Chain Risk Management: Reviews due diligence processes for third-party vendors, contractors, and software providers with access to critical systems.
- Incident Response and Reporting: Validates the presence of documented incident response plans, escalation paths, and 24-hour reporting capability to competent authorities.
- Business Continuity and Resilience: Measures alignment of business continuity plans with NIS2 requirements, including failover testing and recovery time objectives.
- Staff Awareness and Training: Checks frequency, content, and records of cybersecurity training for both technical and non-technical personnel.
- Monitoring, Logging, and Detection: Determines the extent of real-time monitoring, log retention, and anomaly detection in OT and ICS environments.
What this saves you
| Activity | Typical Internal Effort | With This Playbook |
|---|---|---|
| Developing NIS2 gap assessment tools | 80 to 120 hours | Download and deploy (under 2 hours setup) |
| Mapping NIS2 to ISO/IEC 27001 and IEC 62443 | 100 to 150 hours | Pre-built crosswalks included (ready to use) |
| Creating evidence collection procedures | 60 to 80 hours | Runbook provided with file naming, retention, and access controls |
| Designing RACI and WBS for compliance rollout | 40 to 60 hours | Editable templates included |
| Preparing for regulator audit | 120 to 200 hours | Audit prep playbook streamlines pack assembly and internal review |
| Reporting to board on compliance status | 20 to 30 hours per quarter | Board report template reduces drafting time to under 5 hours |
Who this is for
- Compliance managers at energy network operators required to meet NIS2 obligations under UK law
- Cybersecurity leads in OT environments managing industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks
- Operational risk officers responsible for cross-functional coordination between IT, engineering, and legal teams
- Regulatory affairs specialists preparing for audits by NCSC, OFGEM, or other sectoral authorities
- Internal auditors validating adherence to NIS2 Articles 21, 23 across technical and procedural controls
- Chief Information Security Officers (CISOs) in CNI organisations seeking a structured, repeatable compliance framework
- Consultants supporting CNI clients with NIS2 readiness who require regulator-aligned tools
Cross-framework mappings
The playbook includes detailed alignment between NIS2 Directive requirements and the following standards and guidance documents:
- NIS2 Directive (EU) 2022/2555, Articles 21, 23
- ISO/IEC 27001:2022 Information Security Management
- IEC 62443-2-1:2019 and IEC 62443-3-3:2023 for industrial automation and control systems
- NCSC ICS Cyber Security Operating Instructions (COI) Guidance
- OFGEM NIS Inspection Framework for energy sector operators
What is NOT in this product
- This is not a software tool or SaaS platform. It does not include automated scanning, monitoring, or real-time compliance dashboards.
- No consulting services are included. The buyer is responsible for implementing the templates and assessments within their organisation.
- The playbook does not provide legal advice. Organisations should consult legal counsel to interpret regulatory obligations in their specific context.
- It does not cover non-CNI sectors such as transport, health, or digital service providers outside the energy and critical infrastructure space.
- No integration with GRC platforms is provided. Files are delivered in standard office formats for manual use.
- It does not include staff training delivery or certification programmes.
- The product does not replace internal audit functions but supports their execution.
Lifetime access and satisfaction guarantee
This playbook requires no subscription and does not lock you into a login portal. Once downloaded, all files are yours to use indefinitely across teams and projects. If this playbook does not save your team at least 100 hours of manual compliance work, email us for a full refund. No questions, no friction.
About the seller
We have spent 25 years building practical compliance frameworks for regulated industries. Our library supports 692 distinct regulatory and industry standards, underpinned by 819,000+ cross-framework mappings. Our tools are used by over 40,000 practitioners across 160 countries, including compliance teams in energy, finance, healthcare, and government agencies. This playbook reflects deep expertise in operational technology environments and UK regulatory expectations for critical national infrastructure resilience.