
NIS2 Architecture Diagrams: How to Document Cybersecurity Controls for EU Compliance

How to create NIS2-compliant architecture diagrams for EU cybersecurity audits. Covers Article 21 measures, network segmentation, supply chain maps, data flow diagrams, and AI prompt templates — with the June 30, 2026 deadline two weeks away.

Ryan · Senior AI Engineer

NIS2 architecture diagrams are no longer optional for organizations operating in the EU. The Network and Information Security Directive 2 (NIS2) entered into force in January 2023, and with the first compliance audit deadline of June 30, 2026 — now just two weeks away — architecture documentation has become a frontline compliance artifact. Unlike frameworks that treat diagrams as “nice to have,” NIS2's Article 21 mandates ten specific security measures that are nearly impossible to substantiate without visual documentation of your network topology, data flows, supply chain integrations, and access control architecture. This guide explains which diagrams NIS2 auditors will look for, how each maps to Article 21, and how to generate them quickly using AI.

Which NIS2 Article 21 measures require architecture diagrams

Article 21 of NIS2 mandates that essential and important entities implement measures across ten security domains. Architecture diagrams are implicitly required — and practically unavoidable — for at least five of the ten:

  • Measure 1 — Risk analysis and information system security policies: Auditors expect a current-state architecture diagram as the baseline for your risk analysis. You cannot credibly document risks to systems you haven't drawn.
  • Measure 2 — Incident handling: Requires documented detection and response pipelines. A monitoring architecture showing log aggregation, SIEM integration, and alerting paths is required evidence.
  • Measure 3 — Business continuity, including backup management and disaster recovery: Recovery architecture diagrams — showing failover targets, replication topology, and RTO/RPO annotations — are the primary documentation artifact here.
  • Measure 4 — Supply chain security, including security-related aspects of relationships with direct suppliers and service providers: NIS2 goes deeper than ISO 27001 on supply chain — auditors want a visual map of every third-party integration, what data each vendor accesses, and what contractual controls govern each relationship.
  • Measure 5 — Security in network and information systems acquisition, development, and maintenance: CI/CD pipeline diagrams showing security gates (SAST, SCA, IaC scanning) at each promotion stage satisfy this measure.
  • Measure 6 — Policies and procedures to assess effectiveness of cybersecurity risk-management measures: Governance workflow diagrams showing management sign-off and review cadence are expected.
  • Measure 7 — Basic cyber hygiene practices and cybersecurity training: Less diagram-heavy, but asset inventory diagrams are useful evidence that your hygiene baseline is scoped correctly.
  • Measure 8 — Policies and procedures regarding the use of cryptography and, where appropriate, encryption: Data flow diagrams annotated with encryption protocols, key management services, and certificate authorities are the core evidence artifact for this measure.
  • Measure 9 — Human resources security, access control policies, and asset management: Access control architecture diagrams — identity provider topology, MFA enforcement points, privilege tiers, and asset-to-role mapping — directly satisfy this measure.
  • Measure 10 — Use of multi-factor authentication or continuous authentication solutions, secure voice, video, and text communications, and secured emergency communication systems: Authentication flow diagrams showing MFA enforcement for all privileged access paths are required.

Five architecture diagrams NIS2 auditors will look for

1. Network topology and segmentation diagram (Article 21 measure 9)

Your network topology diagram is the first document a NIS2 auditor will request. It must show every environment tier (production, staging, development), network boundaries, subnet segmentation, DMZ placement, and how traffic flows between zones. Network segmentation is explicitly evaluated — auditors verify that sensitive systems are isolated from internet-facing components, that lateral movement between segments is constrained, and that administrative access travels through dedicated paths (bastion hosts, VPN with MFA, PAM tooling). The diagram should annotate firewall rules at each boundary, not just show that firewalls exist. For cloud deployments, VPC/VNet peering relationships, security group scope, and egress control (NAT gateway, proxy) must all be visible.

2. Data flow and encryption diagram (Article 21 measure 8)

NIS2 measure 8 requires documented cryptography policies covering data in transit and at rest. A data flow diagram that traces sensitive data from ingestion through processing to storage — with each link annotated for encryption protocol (TLS 1.3 preferred, TLS 1.2 at minimum), cipher suite, and certificate authority — is the primary evidence artifact. Each datastore in the diagram should be labeled with its encryption-at-rest method (AES-256, envelope encryption, KMS key reference) and key rotation schedule. If your organization processes personal data under GDPR alongside NIS2, the diagram should also identify which flows carry personal data and whether pseudonymization or tokenization is applied before the data reaches less-trusted services.

3. Supply chain integration map (Article 21 measure 4)

Supply chain security is where NIS2 diverges most sharply from ISO 27001. NIS2 requires documented security measures for each direct supplier and service provider — auditors want to see not just a vendor list, but a visual map showing what data each vendor can access, through which integration mechanism (API, database link, file transfer, managed access), and what contractual or technical controls govern each relationship. The supply chain map should show your organization at the center with each vendor as a node, annotated with: data classification of shared data, access scope, contractual control type (DPA, security addendum, right-to-audit), and whether the vendor holds its own NIS2 or ISO 27001 certification. MSPs and cloud providers with elevated access to your infrastructure deserve their own dedicated integration diagrams showing the exact permissions granted.

4. Business continuity and recovery architecture (Article 21 measure 3)

Measure 3 requires documented backup management and disaster recovery plans. Architecture documentation should show your primary and secondary sites or regions, replication topology (synchronous vs. asynchronous, replication lag targets), backup schedules and retention periods, failover trigger mechanisms (automated vs. manual), and tested RTO/RPO targets per system tier. Annotate the diagram with the last tested recovery date and the test outcome — auditors under NIS2 are interested in whether continuity plans are actually exercised, not just documented. Systems designated as “critical” under your NIS2 scoping should be highlighted distinctly, as they face heightened continuity requirements.

5. Access control and authentication architecture (Article 21 measure 10)

NIS2 explicitly mandates MFA for all privileged access paths. Your authentication architecture diagram should show your identity provider (IdP), federation protocols (SAML 2.0, OIDC), MFA enforcement points (which systems require it, which method: TOTP, hardware key, push notification), privilege tiers, and how service accounts authenticate to internal systems (workload identity, short-lived credentials, Vault agent). NIS2 auditors will check that MFA is enforced at the network perimeter and for all remote access — not just optionally available. Show the full authentication flow: user → IdP → MFA challenge → session issuance → resource access, with annotations for session lifetime and re-authentication triggers.

Prompt templates for NIS2 compliance diagrams

NIS2 network topology and segmentation diagram

"NIS2-compliant network topology for a cloud-hosted essential entity (DNS provider) on AWS eu-west-1. Show three network tiers: DMZ (public subnets: ALB, WAF, DDoS protection via AWS Shield Advanced), application tier (private subnets: ECS Fargate clusters for API, resolver, and management services — no direct internet routing), and data tier (isolated subnets: RDS Aurora PostgreSQL Multi-AZ, ElastiCache, S3 with VPC endpoint only). Administrative access via AWS Client VPN with MFA and certificate-based auth only — no SSH directly to instances. Security groups: each service has its own SG with explicit deny-all default. Show inter-segment firewall rules at each boundary. Annotate each zone with the NIS2 Article 21 measure it satisfies (measure 9 for segmentation, measure 2 for monitoring via VPC Flow Logs → SIEM). Include GuardDuty and Security Hub as monitoring overlays."
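The segmentation claims that the topology diagram in section 1 has to substantiate (no path from the DMZ or the internet into the data tier, administrative access only through the MFA-backed VPN, no direct SSH) can be encoded and checked before an auditor does. The block below is an added example, not code from the original post or from AWS: it evaluates a constructed set of security-group-style ingress rules modelled on the template above against a tier-to-tier allow list. Tier names, service names, ports and the rule set are all assumptions; nothing is read from a live account.

```python
from dataclasses import dataclass

# Constructed tiers for the AWS template above; an unlisted source or destination is a modelling error.
TIER_OF = {"internet": "internet", "alb": "dmz", "waf": "dmz", "api": "app", "resolver": "app",
           "mgmt": "app", "aurora": "data", "elasticache": "data", "client-vpn": "admin"}
# Tier-to-tier traffic the segmentation design permits; anything else must be denied at the boundary.
ALLOWED = {("internet", "dmz"), ("dmz", "app"), ("app", "app"), ("app", "data"), ("admin", "app"), ("admin", "data")}

@dataclass(frozen=True)
class Rule:
    """One security-group ingress rule, as it would be annotated on the diagram boundary."""
    src: str
    dst: str
    port: int
    mfa: bool = False  # only meaningful on the administrative path (Client VPN)

def violations(rules):
    """Return the findings an auditor would raise against this rule set; an empty list means the design holds."""
    findings = []
    for r in rules:
        src_tier, dst_tier = TIER_OF[r.src], TIER_OF[r.dst]
        if (src_tier, dst_tier) not in ALLOWED:
            findings.append(f"{r.src}->{r.dst}:{r.port} crosses {src_tier}->{dst_tier}, which the segmentation design denies")
        if src_tier == "admin" and not r.mfa:
            findings.append(f"{r.src}->{r.dst}:{r.port} is an administrative path that does not enforce MFA")
        if r.port == 22 and src_tier != "admin":
            findings.append(f"{r.src}->{r.dst}:22 exposes SSH from the {src_tier} tier instead of the admin path only")
    return findings

RULES = [  # constructed sample; the last two rules are deliberate gaps
    Rule("internet", "alb", 443),
    Rule("alb", "api", 8443),
    Rule("api", "aurora", 5432),
    Rule("client-vpn", "mgmt", 443, mfa=True),
    Rule("internet", "aurora", 5432),
    Rule("client-vpn", "api", 22),
]
```

Run `violations(RULES)` to see the two findings the constructed gaps produce; the first four rules alone return an empty list.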

NIS2 supply chain integration map

"NIS2 Article 21 measure 4 supply chain map for a cloud services provider. Center node: our organization. Vendor nodes with annotations: AWS (IaaS provider — full infrastructure access, SOC 2 Type II + ISO 27001 certified, DPA signed, right-to-audit clause, data: all production data in eu-west-1 only), Datadog (monitoring SaaS — read access to metrics and logs via OTEL exporter, no PII, DPA signed, SOC 2 Type II), Stripe (payment processor — PCI DSS Level 1, receives billing data only, no infrastructure access, DPA signed), GitHub (source control — read/write to code repositories, no production data access, SAML SSO enforced, SOC 2 Type II), Okta (IdP — manages all human identity, SAML 2.0 federation, SOC 2 Type II + ISO 27001). Show integration mechanism for each (REST API, OTEL, webhook, SAML) and data classification of shared data. Flag any vendor without NIS2 or ISO 27001 certification in red. Label with Article 21 measure 4."

NIS2 data flow and encryption diagram

"NIS2 Article 21 measure 8 data flow diagram for a healthcare information system (essential entity). Ingestion paths: patient portal (browser, TLS 1.3, HSTS), HL7 FHIR API (TLS 1.3, mutual TLS for partner hospitals), file upload from legacy systems (SFTP with certificate auth). Processing: API layer validates and authenticates (OIDC + MFA), routes to internal services over mTLS. Storage: RDS PostgreSQL (AES-256 at rest, AWS KMS CMK alias/prod-health-db, key rotation 90 days), S3 for documents (SSE-KMS, alias/prod-health-docs), ElastiCache (in-transit encryption enabled, no persistent sensitive data). Sensitive fields (name, DOB, diagnosis codes) encrypted at application layer before DB write (field-level encryption, separate KMS key alias/prod-field-key). All data access logged to immutable CloudTrail + audit DynamoDB table. Annotate each flow and datastore with: encryption method, key reference, key rotation period, and NIS2 Article 21 measure 8 compliance note."
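Keeping the measure 8 annotations (transport protocol, at-rest method, key reference, rotation period) in a reviewable file rather than only in a drawing tool lets you validate them on every change. The block below is an added example, not the post's or any vendor's code: it models the healthcare data flow from the template above, audits each link and datastore against the requirements stated in section 2, and renders the annotated diagram as Mermaid. The 365-day rotation ceiling, the node names and the two deliberate gaps are constructed assumptions.

```python
from dataclasses import dataclass
ACCEPTED_TRANSPORT = {"TLS 1.2", "TLS 1.3", "mTLS", "SFTP"}  # TLS 1.2 minimum per the guide; SFTP for the legacy upload path
MAX_ROTATION_DAYS = 365  # assumed policy ceiling; the guide only requires the rotation period to be annotated

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    transport: str
    personal_data: bool = False  # GDPR-relevant flow, surfaced on the edge label
@dataclass(frozen=True)
class Store:
    name: str
    at_rest: str        # encryption-at-rest method, e.g. "AES-256 (KMS CMK)"; "" if undocumented
    key_ref: str        # KMS key alias; "" if undocumented
    rotation_days: int  # 0 if no rotation period is documented
def audit(flows, stores):
    """Return measure 8 findings; an empty list means every link and datastore is annotated compliantly."""
    findings = [f"{f.src} -> {f.dst}: transport '{f.transport}' is below the TLS 1.2 minimum"
                for f in flows if f.transport not in ACCEPTED_TRANSPORT]
    for s in stores:
        if not (s.at_rest and s.key_ref):
            findings.append(f"{s.name}: encryption-at-rest method or key reference undocumented")
        if not 0 < s.rotation_days <= MAX_ROTATION_DAYS:
            findings.append(f"{s.name}: key rotation of {s.rotation_days} days is undocumented or exceeds {MAX_ROTATION_DAYS} days")
    return findings
def to_mermaid(flows, stores):
    """Render the annotated flowchart; datastores become cylinder nodes carrying their at-rest annotations."""
    nid = lambda name: "".join(c if c.isalnum() else "_" for c in name)
    store_names = {s.name for s in stores}
    ref = lambda name: nid(name) if name in store_names else f'{nid(name)}["{name}"]'
    lines = ["flowchart LR"]
    for s in stores:
        note = f'{s.at_rest or "NO ENCRYPTION"}<br/>{s.key_ref or "no key ref"}, {s.rotation_days}d rotation'
        lines.append(f'  {nid(s.name)}[("{s.name}<br/>{note}")]')
    for f in flows:
        label = f.transport + (" / personal data" if f.personal_data else "")
        lines.append(f'  {ref(f.src)} -- "{label}" --> {ref(f.dst)}')
    return "\n".join(lines)
FLOWS = [  # constructed sample modelled on the healthcare template; the last entry is a deliberate gap
    Flow("Patient portal", "API layer", "TLS 1.3", personal_data=True),
    Flow("Partner hospital FHIR", "API layer", "mTLS", personal_data=True),
    Flow("API layer", "RDS PostgreSQL", "mTLS", personal_data=True),
    Flow("Reporting job", "RDS PostgreSQL", "TLS 1.0"),
]
STORES = [  # constructed; "Report cache" is a deliberate gap with no key reference or rotation documented
    Store("RDS PostgreSQL", "AES-256 (KMS CMK)", "alias/prod-health-db", 90),
    Store("S3 documents", "SSE-KMS", "alias/prod-health-docs", 365),
    Store("Report cache", "AES-256", "", 0),
]
```

Calling `audit(FLOWS, STORES)` returns three findings for the constructed gaps, and `to_mermaid(FLOWS, STORES)` emits a flowchart you can paste into any Mermaid renderer and attach as the measure 8 evidence artifact.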

NIS2 vs ISO 27001: what architecture documentation ISO 27001 misses

ISO 27001 covers approximately 70% of NIS2 requirements, and many organizations entering NIS2 compliance already hold an ISO 27001 certificate. However, three areas of NIS2 architecture documentation have no direct ISO 27001 equivalent:

  • Supply chain depth and contractual evidence: ISO 27001 Annex A.15 addresses supplier relationships but does not require the same depth of per-supplier documentation as NIS2 Article 21 measure 4. NIS2 auditors specifically look for evidence that you have assessed the cybersecurity posture of each direct supplier — not just that a supplier policy exists. Your supply chain integration map must show individual vendors with their certification status, not just a generic vendor management process.
  • 24-hour early warning reporting architecture: NIS2 mandates that significant incidents be reported to your national CSIRT within 24 hours (early warning), with a full incident report within 72 hours, and a final report within one month. ISO 27001 has no equivalent incident reporting timeline. Your architecture documentation should include a monitoring and alerting flow diagram that explicitly shows how a significant incident triggers the 24-hour reporting workflow — from detection (SIEM alert, anomaly detection) through triage to CSIRT notification. Auditors will look for this as a documented, tested process, not just a policy statement.
  • Management-level governance workflow: NIS2 Article 20 places direct accountability on management bodies — senior executives can be held personally liable for compliance failures. ISO 27001 involves management review but does not create personal liability. Your governance architecture diagrams should show the approval and sign-off workflow for security decisions, including which roles (CISO, board, risk committee) must approve material changes to security architecture, and how that approval is recorded. A governance workflow diagram showing the escalation path from technical team to management sign-off is a NIS2-specific artifact that ISO 27001 does not require.

Who does NIS2 apply to?

NIS2 divides covered organizations into two categories with different fine structures:

  • Essential entities face fines of up to €10 million or 2% of global annual turnover (whichever is higher). This category includes: DNS providers, top-level domain registries, cloud computing providers, data center services, content delivery networks, managed service providers (MSPs), managed security service providers (MSSPs), online marketplaces, online search engines, social networking platforms, energy sector (electricity, gas, oil, district heating), transport (air, rail, water, road), banking and financial market infrastructure, healthcare, and drinking water and wastewater operators.
  • Important entities face fines of up to €7 million or 1.4% of global annual turnover. This category includes postal and courier services, waste management, chemical manufacturing, food production, medical device and pharmaceutical manufacturers, and digital providers not classified as essential.

The size threshold for both categories is generally organizations with more than 50 employees or €10 million annual turnover — though certain critical sectors apply regardless of size. If your organization provides services to essential or important entities (as an MSP, software vendor, or cloud provider), you are likely in scope even if you would not otherwise meet the thresholds, because your customers' supply chain obligations flow to you.

Frequently asked questions

What is the NIS2 compliance deadline?

EU member states were required to transpose NIS2 into national law by October 17, 2024. The first compliance audit deadline for most in-scope organizations is June 30, 2026. However, national competent authorities (NCAs) in some member states are already conducting supervisory activities and requesting documentation. If your organization has not yet begun its NIS2 documentation effort, the architecture diagrams in this guide represent the fastest path to demonstrating technical compliance — they are concrete evidence that your security measures exist and are designed as required by Article 21.

Does ISO 27001 satisfy NIS2?

ISO 27001 satisfies approximately 70% of NIS2 requirements and is widely recognized by national competent authorities as evidence of security baseline maturity. However, it does not fully satisfy NIS2. The three main gaps are: (1) supply chain depth — NIS2 requires per-supplier security assessment documentation that ISO 27001 does not mandate; (2) incident reporting timelines — NIS2's 24-hour CSIRT early warning has no ISO 27001 equivalent; and (3) management liability — NIS2 Article 20 places direct personal accountability on senior management, requiring governance documentation that ISO 27001 does not require. Organizations with ISO 27001 should treat it as a strong foundation, then layer NIS2-specific documentation (supply chain maps, 24-hour reporting architecture, management sign-off workflows) on top.

What happens if you can't prove compliance?

NIS2 gives national competent authorities significant supervisory powers, including on-site inspections, document requests, security audits, and the ability to issue binding instructions to remediate deficiencies. For essential entities, NCAs can temporarily suspend certifications or authorizations for non-compliant organizations. Fines reach €10 million or 2% of global turnover for essential entities, and €7 million or 1.4% for important entities. Critically, NIS2 Article 20 also allows NCAs to hold individual members of management bodies personally liable — including temporarily barring executives from management functions. Architecture documentation that substantiates your Article 21 measures is therefore not just a compliance checkbox; it is evidence that protects your organization and its leadership from enforcement action.
