PolicyForge

Policy generator

NIS2 compliance for SMEs

The NIS2 directive mandates documented cybersecurity governance before 17 October 2026. Generate the expected policies — ISSP, continuity, incidents, suppliers — in minutes, in English and French.

What is the NIS2 directive?

NIS2 (Directive (EU) 2022/2555) extends cybersecurity obligations to more than 15,000 entities in France: medium-sized companies, subcontractors and digital service providers in strategic sectors. It requires documented governance — an information security policy (ISSP), risk management, business continuity and disaster recovery, incident notification and supply-chain security. Penalties reach €10M or 2% of global turnover, with personal liability for executives. PolicyForge produces this documentary layer for NIS2 as well as ISO 27001, SOC 2, GDPR and DORA.

How to generate your NIS2 policies

  1. Check your scope

    Essential entity, important entity, or subcontractor of a covered entity: the expected documentation shares the same baseline.

  2. Answer the wizard

    A few questions about your organisation automatically tailor the content.

  3. Generate the policies

    PolicyForge drafts complete, structured documents with an approval block and versioning.

  4. Export and get sign-off

    Export to PDF or DOCX, get management sign-off, keep the version. The audit log tracks changes.

About 5 minutes per policy.

Which policies for NIS2 compliance?

The documents expected by the Article 21 risk-management measures.

See all 60 templates

Frequently asked questions

Is my company in scope for NIS2?

Generally, companies with more than 50 employees or €10M turnover in a strategic sector are in scope. But a smaller SME can be indirectly affected: essential and important entities must secure their supply chain, so a subcontractor providing a critical digital service will be assessed against NIS2 criteria.

What is the compliance deadline?

The French transposition sets the deadline at 17 October 2026. Beyond it, covered entities face penalties of up to €10M or 2% of global turnover.

Which documents does NIS2 require?

Article 21 expects documented measures: an information security policy (ISSP), risk analysis and management, incident handling and notification, business continuity (BCP) and disaster recovery (DRP), supply-chain security, access control, vulnerability management and awareness training.

Are NIS2 and ISO 27001 compatible?

Yes. An ISO 27001 programme covers most NIS2 measures. PolicyForge templates stay aligned with both frameworks so you do not document twice.

Are the documents bilingual?

Yes, every policy is available in English and French.

Start your NIS2 compliance

Free account, no credit card. Your first policies in minutes.
