NISDESK
Sample: NIS2 Information Security Policy
This is an example of a document NISDESK generates. Your version is tailored to your company, sector and country.
SAMPLE / EXAMPLE ONLY.This document uses a fictional company (“Muster GmbH”) and fictional data. It is not a real NISDESK customer and must not be used as an actual policy for any organisation.
Company: Muster GmbH
Sector: Energy
Country: Germany
Document owner: Chief Information Security Officer (CISO)
Scope: All production and corporate IT systems, including OT/SCADA environments, operated within the European Union
Generated: 8 July 2026
Information Security Policy
Legal basis: NIS2 Art. 21(2)(a) — policies on risk analysis and information system security
Purpose and Scope
This policy has been established pursuant to Article 21(2)(a) of the NIS2 Directive (EU) 2022/2555 to protect the confidentiality, integrity and availability of the information systems of Muster GmbH (Energy sector, Germany). Scope: All production and corporate IT systems, including OT/SCADA environments, operated within the European Union.
Risk Assessment Approach
Muster GmbH assesses threats and vulnerabilities affecting its information systems at regular intervals. Identified risks are prioritised on the basis of impact and likelihood and assigned to a mitigation plan. The Chief Information Security Officer (CISO) owns this process.
Classification of Information Assets
Critical information assets held by Muster GmbH (customer data, system inventory, source code, credentials) are inventoried and classified according to their sensitivity level. Access is restricted on a need-to-know basis.
Policy Review and Approval
This policy is reviewed by the Chief Information Security Officer (CISO) at least annually, or following a significant organisational or technical change or a security incident, and is submitted to the management body for approval (NIS2 Art. 20 — management oversight).
This document is a draft; expert and legal review is recommended before it enters into force.
Basic unlocks core policy templates. Pro unlocks all policy templates — including Incident Response, Business Continuity and Supplier Risk Management — plus audit-ready PDF export, AI gap explanations, and the full 72-hour incident reporting workflow. Compare plans →
This sample is generated by the same deterministic template engine used for real NISDESK accounts — no data shown here comes from an actual customer. Every generated policy, including your own, is a draft: NISDESK recommends expert and legal review before any policy enters into force. NISDESK is a decision-support tool, not a law firm, and its output is not legal advice.