Skip to content
NISDESK

NISDESK

Sample: NIS2 Information Security Policy

This is an example of a document NISDESK generates. Your version is tailored to your company, sector and country.

SAMPLE / EXAMPLE ONLY.This document uses a fictional company (“Muster GmbH”) and fictional data. It is not a real NISDESK customer and must not be used as an actual policy for any organisation.

Company: Muster GmbH

Sector: Energy

Country: Germany

Document owner: Chief Information Security Officer (CISO)

Scope: All production and corporate IT systems, including OT/SCADA environments, operated within the European Union

Generated: 8 July 2026

Information Security Policy

Legal basis: NIS2 Art. 21(2)(a) — policies on risk analysis and information system security

Purpose and Scope

This policy has been established pursuant to Article 21(2)(a) of the NIS2 Directive (EU) 2022/2555 to protect the confidentiality, integrity and availability of the information systems of Muster GmbH (Energy sector, Germany). Scope: All production and corporate IT systems, including OT/SCADA environments, operated within the European Union.

Risk Assessment Approach

Muster GmbH assesses threats and vulnerabilities affecting its information systems at regular intervals. Identified risks are prioritised on the basis of impact and likelihood and assigned to a mitigation plan. The Chief Information Security Officer (CISO) owns this process.

Classification of Information Assets

Critical information assets held by Muster GmbH (customer data, system inventory, source code, credentials) are inventoried and classified according to their sensitivity level. Access is restricted on a need-to-know basis.

Policy Review and Approval

This policy is reviewed by the Chief Information Security Officer (CISO) at least annually, or following a significant organisational or technical change or a security incident, and is submitted to the management body for approval (NIS2 Art. 20 — management oversight).

This document is a draft; expert and legal review is recommended before it enters into force.

Basic unlocks core policy templates. Pro unlocks all policy templates — including Incident Response, Business Continuity and Supplier Risk Management — plus audit-ready PDF export, AI gap explanations, and the full 72-hour incident reporting workflow. Compare plans →

This sample is generated by the same deterministic template engine used for real NISDESK accounts — no data shown here comes from an actual customer. Every generated policy, including your own, is a draft: NISDESK recommends expert and legal review before any policy enters into force. NISDESK is a decision-support tool, not a law firm, and its output is not legal advice.