Incident-notification obligations are already live under the ACN first-application timeline. Baseline security-measure adoption remains due by October 2026. For most organizations, the immediate task is to finalize the mandatory Appendix C document package and complete board-level approvals in time.
Key takeaways
- Appendix C identifies 11 documents that require approval by governing and management bodies.
- The incident-notification obligation is already live; documentary governance cannot remain in draft-only status.
- The baseline-measure implementation milestone remains October 2026, so approval and evidence cycles should be completed before that date.
- A template-driven approach accelerates consistency, but accountability remains with the organization.
Live timeline status (first application)
| Milestone | Official timing | Status on 2026-02-22 | Operational meaning |
|---|---|---|---|
| Significant-incident notification obligations | 9 months (January 2026) | Live | Notification process must be operational now |
| Baseline security-measure adoption | 18 months (October 2026) | Upcoming | Document package and controls must be completed by deadline |
Appendix C matrix: mandatory documents requiring board-level approval
| Mandatory document | Requirement reference | Board approval required |
|---|---|---|
| Cybersecurity organization | GV.RR-02 point 1 | Yes |
| Cybersecurity policies | GV.PO-01 point 1 | Yes |
| Risk assessment of information and network systems | ID.RA-05 point 3 | Yes |
| Risk treatment plan | ID.RA-06 point 3 | Yes |
| Vulnerability management plan | ID.RA-08 point 4 | Yes |
| Improvement plan | ID.IM-01 point 1 | Yes |
| Business continuity plan | ID.IM-04 point 1 | Yes |
| Disaster recovery plan | ID.IM-04 point 1 | Yes |
| Crisis management plan | ID.IM-04 point 1 | Yes |
| Training plan | PR.AT-01 point 1 | Yes |
| Incident management plan | RS.MA-01 point 2 | Yes |
How to structure the mandatory package without exposing sensitive implementation details
1. Keep approval governance explicit
Each document should include owner, approver, approval date, review cadence, and version history.
2. Keep scope and boundaries explicit
State which systems, services, and organizational units are covered and which are out of scope with rationale.
3. Keep evidence hooks embedded
For each policy/plan, define required records and where evidence is stored (registers, logs, reports, minutes).
4. Keep operational dependencies mapped
Link each document to procedures, inventories, and responsible teams so approval is not detached from execution reality.
Minimum content blocks to standardize across all 11 documents
- Purpose and legal/reference basis.
- Scope and applicability conditions.
- Roles and responsibilities (including substitutes where relevant).
- Required controls or operational steps.
- Evidence and record-keeping requirements.
- Exceptions and risk-based rationale fields.
- Review/approval/update cycle.
30-day board-ready activation checklist
- Build one consolidated register of the 11 mandatory documents and assign owners.
- Align template versions and remove contradictory definitions across documents.
- Add approval blocks and review cadence to all mandatory documents.
- Run legal/compliance quality review before board submission.
- Schedule board/management approval sessions and track decisions in minutes.
- Link approved documents to execution procedures and evidence registers.
FAQ
Are all Appendix C documents required to be approved by governing bodies?
Yes. Appendix C explicitly lists the documents and references the specific requirement clauses that mandate approval.
Is the incident-notification obligation still a future milestone?
No. Under the ACN first-application timeline, the 9-month milestone fell in January 2026, so the obligation is already live.
How can organizations accelerate this phase without lowering quality?
A standardized template library with controlled data collection, versioning, and approval workflow usually reduces rework and governance friction while preserving accountability.
Conclusion and next steps
The most effective sequence is: lock the Appendix C mandatory package, complete board approvals, and connect each approved document to operational evidence flows before October 2026. Aegister’s template-driven compliance workflows are designed to support this transition with structured collection, controlled drafting, and governance-ready outputs.
Related reading
- NIS2 baseline obligations in practice: master overview for governance, controls, and incident operations
- NIS2 operational templates for GRC teams: what to prepare and why it matters
- NIS2 Documentary Evidence and Audit Readiness: How to Structure Compliance Proof
- Aegister NIS2 Compliance Service
- Aegister Virtual CISO Service