Regulation
Which compliance artefacts do ISO/IEC 27001, NIS2 and the EU AI Act actually require?
Summary
ISO/IEC 27001, NIS2 and the EU AI Act do not primarily require tools. They require verifiable, documented outcomes. These outcomes take the form of governance artefacts such as policies, risk assessments, control evidence, audit trails and management approvals.
Core artefacts across all three frameworks:
Documented policies and governance rules
Structured risk assessments and risk treatment plans
Evidence of implemented controls
Roles, responsibilities and accountability records
Continuous review and update mechanisms
Audit-ready documentation
Why the focus on artefacts is increasing across all regulations
Modern cybersecurity and AI regulation is outcome-based.
Supervisory authorities and auditors do not assess:
which tool is used
how much effort was invested
They assess:
whether decisions are documented
whether risks are systematically managed
whether governance is operational
Artefacts are the observable proof that management is in control.
What ISO/IEC 27001 requires as auditable artefacts
ISO/IEC 27001 establishes a management system.
That system becomes visible through documented outputs.
Core ISO 27001 governance artefacts
Information Security Policy
Scope definition of the ISMS
Risk assessment methodology
Risk assessment results
Risk treatment plan
Statement of Applicability (SoA)
Operational and control evidence
Access control rules and reviews
Asset and information classification
Incident records
Supplier and cloud security documentation
Business continuity documentation
Management and continuous improvement evidence
Internal audit programme and results
Management review records
Corrective actions
Performance evaluation metrics
ISO 27001 certification is not based on controls alone; it is based on traceable management decisions.
What NIS2 requires as documented organisational outcomes
NIS2 is not a certification framework, but a supervisory regime.
It requires organisations to demonstrate that cybersecurity is actively managed.
Core NIS2 artefacts
Risk analysis and risk management methodology
Implemented security measures and their rationale
Incident handling procedures and records
Business continuity and crisis management documentation
Supply chain security governance
Management accountability and oversight
NIS2 explicitly requires:
proportionate measures
continuous updates
clear responsibility at management level
This makes documented decision logic essential.
What the EU AI Act requires as governance and technical artefacts
For organisations developing or using AI systems, especially high-risk systems, the AI Act introduces a documentation-driven compliance model.
Core AI Act artefacts
AI governance policy
Risk management system for AI
Data governance documentation
Technical documentation of the system
Human oversight procedures
Post-market monitoring process
Incident and performance logging
For deployers of AI systems:
usage policies
instructions for human oversight
transparency documentation
The AI Act is structurally similar to ISO 27001:
it requires a management system, not a checklist.
The overlap: A unified compliance artefact model
Across ISO 27001, NIS2 and the AI Act, the same artefact categories appear repeatedly.
Governance artefacts
Information Security Policy
Compliance Policy
AI governance rules
Code of conduct
Roles and responsibilities
Risk artefacts
Risk assessment
Risk evaluation
Risk treatment plan
Ongoing risk review
Operational security artefacts
Access control policy
Cloud security policy
Data protection policy
Information classification policy
Resilience artefacts
Business continuity policy
Incident response documentation
This overlap is the structural reason why fragmented compliance does not scale.
Why most organisations struggle: The artefact production bottleneck
In practice, the main constraint is not understanding the requirements.
It is:
creating the required documents
keeping them consistent
updating them continuously
making them audit-ready
Manual approaches lead to:
document silos
inconsistent terminology
outdated versions
person-dependent knowledge
The real compliance bottleneck is artefact production and maintenance.
What “audit-ready” actually means in artefact terms
An artefact is audit-ready when it is:
formally approved
version-controlled
mapped to a requirement
consistently structured
supported by evidence
regularly reviewed
Audit-ready does not mean:
long documents
generic templates
one-time creation
It means: traceable governance.
From framework thinking to output thinking
Most organisations structure compliance around frameworks:
“We are implementing ISO 27001”
“We are preparing for NIS2”
“We need to address the AI Act”
Regulators and auditors think differently.
They ask:
Show the risk assessment
Show the policy
Show the decision
Show the evidence
Show the review
Compliance maturity is the ability to produce these artefacts on demand.
Frequently asked questions
Do all three frameworks require separate documentation sets?
No. They require different perspectives on largely overlapping governance artefacts.
Is certification required for NIS2 or the AI Act?
No. But both require demonstrable, documented control and management.
Are policies alone sufficient?
No. Policies define intent. Risk assessments, control evidence and management reviews prove implementation.
What is the most critical artefact across all frameworks?
The risk assessment, because it:
justifies controls
demonstrates proportionality
links governance to operations
Key takeaway
Compliance is no longer about implementing controls. It is about producing verifiable governance artefacts.
Organisations that can generate, maintain and explain these artefacts:
pass audits faster
reduce management liability
accelerate customer trust
turn compliance into a scalable process