NIS2 checklist for mid-sized companies: the evidence you need

June 14, 2026 · aiio

NIS2 requires six inspectable pieces of evidence for your security-relevant processes: documented processes, a visible risk-to-measure link, clear responsibilities, currency, traceable incident and reporting paths, and referenceability back to the source. The bottleneck is almost never the knowledge — it’s the inspectable form, and that’s exactly what you can produce from what you already have, in days instead of quarters.

NIS2 mainly affects mid-sized and larger companies in critical or important sectors — and most of them don’t fail on knowledge, they fail on evidence. The processes run, responsibilities are settled in people’s heads, the measures work. What’s missing is the inspectable form: documented, referenced, current. That’s what this checklist is for — as orientation, not a substitute for legal advice.

What evidence does NIS2 require for processes?

  1. Documented processes — the security-relevant workflows written down, not just in the heads of the people responsible. Including who does what, and when, if something goes wrong.
  2. Risk-to-measure link — for every identified risk, the concrete measure that addresses it. The connection has to be visible, not just asserted.
  3. Clear responsibilities — who owns which control, which process, which decision. Names or roles, not “IT”.
  4. Currency — a state that reflects what holds today, not one frozen when the document was last touched.
  5. Incident and reporting paths — a traceable flow for detecting, handling and reporting security incidents, including who is responsible.
  6. Referenceability — every piece of evidence should point back to its source. “It’s in the wiki” isn’t enough; “it’s here, as of this date” is.

Where Forge comes in

The honest difficulty is rarely the first write-up — it’s translating the real as-is state into exactly this form, under time pressure. ProcessForge pulls the real workflow from what you already have — docs, tickets, system exports, conversations — and builds the artifact the evidence requires:

  • Input: your existing sources, uncleaned
  • Engine: reconciles the real workflow against the required points and shows gaps
  • Artifact out: process docs, risk-to-measure links and responsibilities, referenced back to the source

From the living context, not yesterday’s docs.

And the real leverage shows up next time: when a process changes, the same engine pulls the updated version from whatever state holds then. A quarter-long project becomes a single run — in days instead of quarters.

To try it: Bring your upcoming NIS2 occasion into the demo call — we’ll build the first piece of evidence live from a real source.
