--- title: NIS2 Requirement-to-Document Mapping description: Build a defensible NIS2 audit structure with requirement-to-document mapping. How to link each compliance requirement to its supporting documentation. canonical: https://www.aegister.com/en/cms/insights/nis2-requirement-document-mapping-audit-structure/ url: /en/cms/insights/nis2-requirement-document-mapping-audit-structure/ lang: en --- ![](/static/images/header-contact.webp) # NIS2 Requirement-to-Document Mapping: Building a Defensible Audit Structure --- ![NIS2 Requirement-to-Document Mapping: Building a Defensible Audit Structure](/static/images/cms/compliance-documentation-audit-nis2.webp) ## NIS2 Requirement-to-Document Mapping: Building a Defensible Audit Structure February 16, 2026 [NIS2](/en/cms/keyword/nis2/) [ACN](/en/cms/keyword/acn/) [compliance](/en/cms/keyword/compliance/) [governance](/en/cms/keyword/governance/) +5 **Applies to:** NIS2 entities organizing documentary programs for baseline audit readiness. Requirement-to-document mapping is the control that prevents fragmentation in NIS2 documentation. In Aegister's method, each requirement point is explicitly linked to a primary document, supporting artifacts, responsible roles, and review frequency. This creates traceability from regulatory obligation to concrete evidence, essential for both internal governance and inspection readiness. ## Key Takeaways - Mapping must be done at requirement-point level, not just policy title. - Each mapped requirement must specify a primary document and supporting evidence. - Overlaps are natural, but ownership and precedence rules must be explicit. - Appendix B and Appendix C items need dedicated matrix tags. ## Scope of This Article This article covers: - A practical NIS2 requirement-to-document mapping method. - How to structure mapping tables for audit and remediation use. - How to handle overlaps, gaps, and governance-sensitive requirements. This article does not cover: - Client-identifying evidence or internal records. - Full proprietary templates or internal worksheets. ## Official Baseline References | Source | Why it matters for mapping | | --- | --- | | [Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG) | Defines legal scope for governance, risk measures, and incident obligations. | | [ACN Determination on baseline obligations](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed) | Establishes measure/point structure and technical annexes for matrix derivation. | | [ACN Reading Guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base) | Clarifies evidence logic and Appendix B / Appendix C interpretation for documentary controls. | | [ACN NIS baseline page](https://www.acn.gov.it/portale/nis/modalita-specifiche-base) | Provides implementation context and baseline timeline. | For important entities, the baseline logic covers **37 measures** and **87 requirement points** in first application ([ACN Reading Guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)). ## Why Mapping Fails in Practice - Policies exist, but requirement points are not explicitly assigned. - Evidence is listed, but not linked to individual obligations. - Multiple documents cover the same requirement with no ownership rule. - Governance approval checkpoints are added too late. ## Mapping Model (4 Levels) | Level | Mapping object | Required field examples | | --- | --- | --- | | L1 | Requirement point | Measure code, point code, category, regulatory anchor | | L2 | Primary document | Document ID, owner, status, review frequency | | L3 | Supporting evidence | Procedure/plan/register references, evidence maturity level | | L4 | Governance controls | Approval tag, risk-linkage tag, dependency tag | ## Recommended Mapping Table Structure | Field | Mandatory | Why it matters | | --- | --- | --- | | Requirement code (e.g. `ID.RA-05:p1`) | Yes | Atomic traceability | | Primary document | Yes | Single accountability point | | Supporting evidence/documents | Yes | Implementation proof chain | | Control owner | Yes | Execution responsibility | | Review frequency | Yes | Lifecycle governance | | Status (`draft`, `approved`, `needs_update`) | Yes | Operational planning | | Appendix B tag (if applicable) | Conditional | Risk-linkage control | | Appendix C tag (if applicable) | Conditional | Approval-sensitive control | ## Mapping Workflow 1. Build inventory of applicable requirements from baseline framework. 2. Assign a primary document for each requirement point. 3. Add supporting evidence references for each point. 4. Mark overlap dependencies and precedence rules. 5. Tag Appendix B and Appendix C sensitive items. 6. Validate ownership, review frequency, and document status. 7. Freeze matrix version as audit baseline. ## Managing Overlaps Without Losing Control When a requirement is covered by multiple documents: - Define one **accountable primary document**. - Mark others as **supporting** or **complementary**. - Record cross-reference direction explicitly. - Verify consistency of definitions, roles, and escalation logic. ## Gap Detection Rules from Mapping A requirement should be flagged as a gap when at least one condition applies: - No primary document assigned. - Primary document exists, but no traceable evidence. - Appendix B item without explicit risk linkage where expected. - Appendix C item without governance approval path in documentary architecture. - Missing owner or review frequency. ## Deliverables from a Well-Built Matrix - Master requirement-to-document matrix. - Evidence dependency map. - List of governance-sensitive controls (Appendix B/C tagged items). - Remediation backlog ordered by criticality and dependency. ## Quality Check Before Publishing - Requirement codes complete and consistent. - Every requirement has an accountable primary document. - Supporting evidence traceable at least at locator level. - Cross-references between documents consistent and non-contradictory. - EN/IT structure aligned for bilingual compliance operations. ## FAQ ### Is mapping the same as writing policies? No. Mapping is the governance/traceability layer that guides writing, review, and remediation. ### Can we map before all documents are final? Yes. Early mapping is recommended because it surfaces ownership gaps and dependencies before approval cycles. ### What if a requirement spans multiple processes? Define one accountable primary document and mark other references as supporting dependencies. ### If there is interpretive ambiguity, which source prevails? Official baseline sources prevail: [ACN Determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed), [ACN Reading Guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base). ## Conclusion Requirement-to-document mapping is the foundation of a defensible NIS2 documentary program. It creates explicit accountability, reduces overlap risk, and provides the structure needed to move from document production to evidence-backed compliance execution. ## Related reading - [Compliance Documentation Audit for NIS2 Baseline Obligations: Method Overview](/en/cms/insights/compliance-documentation-audit-nis2-method-overview/) - [NIS2 Evidence Matrix and Board-Approval Readiness: Practical Audit Method](/en/cms/insights/nis2-evidence-matrix-board-approval-readiness-audit/) - [NIS2 Documentation Audit Checklist: Operational Method for Baseline Readiness](/en/cms/insights/nis2-documentation-audit-checklist-baseline-readiness/) - [Aegister NIS2 Compliance Service](/en/solutions/compliance/nis2/) - [Aegister Virtual CISO Service](/en/solutions/virtual-ciso/) ## Official Sources - [Legislative Decree 138/2024 (Gazzetta Ufficiale)](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG) - [ACN - Determination on baseline obligations](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed) - [ACN - Reading Guide for baseline specifications](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base) - [ACN - NIS baseline modalities/specifications](https://www.acn.gov.it/portale/nis/modalita-specifiche-base) Share this post ## Related News [![NIS2 Compliance Documentation Audit: Interview and Evidence Collection Workflow](/static/images/cms/compliance-documentation-audit-nis2.webp)](/en/cms/insights/nis2-audit-interview-evidence-collection-workflow/) [NIS2 Compliance Documentation Audit: Interview and Evidence Collection Workflow](/en/cms/insights/nis2-audit-interview-evidence-collection-workflow/) [Structured interview and evidence collection workflow for NIS2 documentation audits, with a 6-domain model, evidence maturity scale, and gap-to-remediation mapping.](/en/cms/insights/nis2-audit-interview-evidence-collection-workflow/) [NIS2](/en/cms/keyword/nis2/) [ACN](/en/cms/keyword/acn/) +7 [![NIS2 Documentation Audit Checklist: Operational Method for Baseline Readiness](/static/images/cms/compliance-documentation-audit-nis2.webp)](/en/cms/insights/nis2-documentation-audit-checklist-baseline-readiness/) [NIS2 Documentation Audit Checklist: Operational Method for Baseline Readiness](/en/cms/insights/nis2-documentation-audit-checklist-baseline-readiness/) [Five-block operational checklist for NIS2 documentary audit covering requirement mapping, evidence maturity, cross-document consistency, and governance approval readiness.](/en/cms/insights/nis2-documentation-audit-checklist-baseline-readiness/) [NIS2](/en/cms/keyword/nis2/) [ACN](/en/cms/keyword/acn/) +8 [![NIS2 Executive Board Reporting: How to Turn Audit Outputs into Governance Decisions](/static/images/cms/compliance-documentation-audit-nis2.webp)](/en/cms/insights/nis2-executive-board-reporting-audit-governance/) [NIS2 Executive Board Reporting: How to Turn Audit Outputs into Governance Decisions](/en/cms/insights/nis2-executive-board-reporting-audit-governance/) [Practical executive reporting model for NIS2 audit outcomes with minimum KPI set, traffic-light escalation, and evidence-based closure visibility for board governance.](/en/cms/insights/nis2-executive-board-reporting-audit-governance/) [NIS2](/en/cms/keyword/nis2/) [ACN](/en/cms/keyword/acn/) +8 ### NIS 2 Compliance with Aegister Complete solutions for NIS 2 Directive compliance: expert consulting, implementation and ongoing support. [Discover](/en/solutions/compliance/nis2/)