---
title: "NIS2 Mandatory Documents: Board Approval"
description: "NIS2 mandatory documents master guide: what must be approved by the board, required signatures, and document hierarchy for baseline compliance."
canonical: https://www.aegister.com/en/cms/insights/nis2-mandatory-documents-master-guide-board-approval/
url: /en/cms/insights/nis2-mandatory-documents-master-guide-board-approval/
lang: en
---

# NIS2 mandatory documents master guide: what must be approved by the board and what to prepare now

January 26, 2026

Incident-notification obligations are already live in the first-application phase. Baseline security-measure adoption remains due by **October 2026**. For most organizations, the immediate task is to close the mandatory Appendix C document package and complete board-level approvals in time.

## Key takeaways

- Appendix C identifies **11 documents** that require approval by governing and management bodies.
- The incident-notification obligation is already live; documentary governance cannot remain in draft-only status.
- The baseline-measure implementation milestone remains **October 2026**, so approval and evidence cycles should be completed before that date.
- A template-driven approach accelerates consistency, but accountability remains with the organization.

## Live timeline status (first application)

| Milestone | Official timing | Status on 2026-02-22 | Operational meaning |
| --- | --- | --- | --- |
| Significant-incident notification obligations | 9 months (January 2026) | Live | Notification process must be operational now |
| Baseline security-measure adoption | 18 months (October 2026) | Upcoming | Document package and controls must be completed by deadline |

## Appendix C matrix: mandatory documents requiring board-level approval

| Mandatory document | Requirement reference | Board approval required |
| --- | --- | --- |
| Cybersecurity organization | GV.RR-02 point 1 | Yes |
| Cybersecurity policies | GV.PO-01 point 1 | Yes |
| Risk assessment of information and network systems | ID.RA-05 point 3 | Yes |
| Risk treatment plan | ID.RA-06 point 3 | Yes |
| Vulnerability management plan | ID.RA-08 point 4 | Yes |
| Improvement plan | ID.IM-01 point 1 | Yes |
| Business continuity plan | ID.IM-04 point 1 | Yes |
| Disaster recovery plan | ID.IM-04 point 1 | Yes |
| Crisis management plan | ID.IM-04 point 1 | Yes |
| Training plan | PR.AT-01 point 1 | Yes |
| Incident management plan | RS.MA-01 point 2 | Yes |

## How to structure the mandatory package without exposing sensitive implementation details

### 1. Keep approval governance explicit

Each document should include owner, approver, approval date, review cadence, and version history.

### 2. Keep scope and boundaries explicit

State which systems, services, and organizational units are covered and which are out of scope with rationale.

### 3. Keep evidence hooks embedded

For each policy/plan, define required records and where evidence is stored (registers, logs, reports, minutes).

### 4. Keep operational dependencies mapped

Link each document to procedures, inventories, and responsible teams so approval is not detached from execution reality.

## Minimum content blocks to standardize across all 11 documents

1. Purpose and legal/reference basis.
2. Scope and applicability conditions.
3. Roles and responsibilities (including substitutes where relevant).
4. Required controls or operational steps.
5. Evidence and record-keeping requirements.
6. Exceptions and risk-based rationale fields.
7. Review/approval/update cycle.

## 30-day board-ready activation checklist

1. Build one consolidated register of the 11 mandatory documents and assign owners.
2. Align template versions and remove contradictory definitions across documents.
3. Add approval blocks and review cadence to all mandatory documents.
4. Run legal/compliance quality review before board submission.
5. Schedule board/management approval sessions and track decisions in minutes.
6. Link approved documents to execution procedures and evidence registers.

## FAQ

### Are all Appendix C documents required to be approved by governing bodies?

Yes. Appendix C explicitly lists the documents and references the specific requirements requiring approval.

### Is the incident-notification obligation still a future milestone?

No. In the ACN first-application phase, the 9-month milestone is January 2026, and the obligation is already live.

### How can organizations accelerate this phase without lowering quality?

A standardized template library with controlled data collection, versioning, and approval workflow usually reduces rework and governance friction while preserving accountability.

## Conclusion and next steps

The most effective sequence is: lock the Appendix C mandatory package, complete board approvals, and connect each approved document to operational evidence flows before October 2026. Aegister’s template-driven compliance workflows are designed to support this transition with structured collection, controlled drafting, and governance-ready outputs.

## Related reading

- [NIS2 baseline obligations in practice: master overview for governance, controls, and incident operations](/en/cms/insights/nis2-baseline-obligations-master-overview/)
- [NIS2 operational templates for GRC teams: what to prepare and why it matters](/en/cms/insights/nis2-operational-templates-grc-teams/)
- [NIS2 Documentary Evidence and Audit Readiness: How to Structure Compliance Proof](/en/cms/insights/nis2-documentary-evidence-audit-readiness/)
- [Aegister NIS2 Compliance Service](/en/solutions/compliance/nis2/)
- [Aegister Virtual CISO Service](/en/solutions/virtual-ciso/)

## Official sources

- [ACN – Guida alla lettura delle specifiche di base](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)
- [ACN – Determinazione obblighi di base 379907/2025](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)
- [ACN – Modalità e specifiche di base](https://www.acn.gov.it/portale/nis/modalita-specifiche-base)
- [Gazzetta Ufficiale – Decreto Legislativo 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG)
