Network Documentation for NIS2 Compliance

· Maya
← Back to guides

TL;DR: NIS2 Article 21 never names a network diagram. But three of its ten required risk-management measures (risk analysis, asset management, and business continuity) assume you have a current, accurate map of your network and assets. Automated network documentation produces that map and keeps it current on its own.

"With over 800 switches in our network, keeping topology documentation up to date by hand is almost impossible. We needed automation, especially with NIS2 raising the documentation requirements. Scanopy keeps it current for us."

— IT department, Motala Kommun

That's a Swedish municipality describing exactly the problem NIS2 creates for essential entities: the directive raises what you have to document, while the network keeps changing faster than anyone can redraw a diagram.

This is a guide to what NIS2 actually expects around network documentation, which specific Article 21 measures it supports, and where an automated tool fits (and where it doesn't). It's written for the IT lead who has to satisfy an essential-entity obligation, not for compliance consultants.

Does NIS2 require a network diagram?

No. NIS2 Article 21 does not name a network diagram, an asset inventory, or any specific artifact. It's deliberately outcomes-based and technology-neutral: it tells essential and important entities what to achieve, and leaves the how to them, scaled to their size and risk (the proportionality principle in Article 21(1)).

So there's no line to point to that says "keep a diagram." What there is instead is a set of measures that assume you have one.

What NIS2 requires that network documentation supports

Article 21(2) lists ten minimum risk-management measures. Three of them are hard to satisfy without a current, accurate model of your network:

NIS2 measure Article What it needs from you
Risk analysis 21(2)(a) An accurate picture of the systems and assets you're assessing risk to
Asset management 21(2)(i) An inventory of what's on the network, kept current
Business continuity, backup, disaster recovery 21(2)(c) Knowing your infrastructure well enough to restore it
Assessing effectiveness of measures 21(2)(f) A current baseline to evaluate against

None of these say "diagram." All of them break down if your documentation is a drawing from the last audit. You can't analyze risk to assets you haven't inventoried, you can't restore infrastructure you can't describe, and you can't judge whether a control is effective against a baseline that no longer matches reality.

How discovery covers asset management and risk analysis

Asset management under 21(2)(i) is the clearest fit, because it starts from a question automated discovery answers directly: what is actually on the network? You cannot manage or secure devices you don't know exist, and in a network the size of Motala's (800-plus switches), the answer to "is your inventory complete and current" is usually no if it's maintained by hand.

Scanopy discovers this from the network itself. Its daemon finds hosts, services, interfaces, and network devices, identifies vendors and models over SNMP, and maps the topology through LLDP, CDP, and ARP. That's the asset inventory and the network map, built from live data rather than memory.

For risk analysis under 21(2)(a), the same current-state picture is the input. And the Applications view adds the piece most tools miss: it maps service-to-service dependencies, so you can see which systems interconnect and where data can travel between them, not just that a device exists.

Scanopy Applications view: services grouped by application with the dependencies between them drawn as edges, showing which systems interconnect and the routes data can travel across the network.

Here's what the map looks like on a live network. This is an interactive Scanopy map, not a screenshot:

This is a live Scanopy map you can interact with.

Scanopy documents the network's structure, the devices and how they connect and depend on each other. It doesn't classify data or decide which assets are critical; that judgment is part of your risk analysis. It gives the analysis an accurate map to reason about.

What supervisory authorities look for

NIS2 enforcement runs through national competent authorities, and while the exact evidence varies by country, the recurring theme is demonstrability: you have to show that a measure exists and works, not just assert it. For the documentation-adjacent measures that means:

  • A current asset inventory, not a spreadsheet last touched a year ago.
  • A network topology that reflects the environment as it is now.
  • Evidence you can produce this on request, and that it's maintained rather than reconstructed for the occasion.

The maintenance point is where manual documentation fails. Automated discovery rescans on a schedule, so "current" is the default state rather than a pre-audit scramble.

How to turn discovery into evidence

Scanopy exports the topology as an image (PNG, SVG, or PDF), as diagram markup for a wiki (Mermaid or Confluence), or as CSV of the underlying host and service data, and maps embed via iframe, so the current diagram can live in your risk-management documentation or internal wiki. Topology snapshots version the network state over time, which gives you a dated record of what the network looked like and what changed, useful when an authority or an auditor asks you to show that your documentation is actually maintained.

Scanopy physical (L2) view: switches and the hosts connected to them with port speeds and links, an automatically discovered inventory of the network's devices.

What Scanopy does not do for NIS2

Scanopy covers one part of the work. It does not do the rest:

  • Scanopy does not make you NIS2 compliant. Compliance is an organizational program across all ten measures; no single tool delivers it.
  • It does not perform your risk analysis. It supplies the current-state map the analysis reasons about.
  • It does not handle incidents, manage your supply chain, run your backups, or train your staff. Those are other Article 21 measures and other tools.
  • It does not do monitoring or alerting. It runs alongside those, not instead of them.

On self-hosting: the Community and commercial self-hosted editions run entirely on your infrastructure, so the discovery data, which describes your internal network, stays in your environment. For a European essential entity, that keeps data-residency questions simple.

Where Scanopy fits

Scanopy is network documentation software: a lightweight daemon discovers your hosts, services, interfaces, topology, and application dependencies, then builds an interactive map with four views that updates on a schedule and exports for evidence. For an entity under NIS2, its job is narrow and honest. It keeps the asset inventory and network map that the risk-analysis, asset-management, and continuity measures assume you maintain accurate on their own, so producing current documentation stops being manual work. It runs alongside the rest of your risk-management program, not in place of it.

The Community Edition is free and self-hosted. The commercial editions remove the seat and network limits and add support. For the broader category, see the guide to network documentation software.

See what Scanopy builds

Scanopy discovers your hosts, services, topology, and application dependencies and keeps the map current on a schedule. Self-hosted, so your network data stays on your own infrastructure.

Frequently Asked Questions

Does NIS2 require a network diagram?

Not by name. NIS2 Article 21 is outcomes-based and technology-neutral, so it lists what to achieve, not specific artifacts like a diagram. But three of its ten required measures (risk analysis, asset management, and business continuity) can't be done properly without a current, accurate picture of your network and assets. A network map is how most entities meet that expectation.

What does NIS2 Article 21 actually require?

Article 21(2) sets out ten minimum cybersecurity risk-management measures for essential and important entities, including risk analysis and security policies, incident handling, business continuity and backup, supply chain security, secure network maintenance, cyber hygiene, cryptography, and human resources security, access control, and asset management. The measures must be proportionate to the entity's size and risk exposure.

How does network documentation support NIS2 asset management?

Asset management under Article 21(2)(i) starts with knowing what assets you have. You can't manage or secure devices you don't know exist. Automated discovery builds an inventory of hosts, services, and network devices directly from the network and keeps it current, which is the foundation the asset-management measure is built on. It answers the "what do we have and how does it connect" question that everything else depends on.

Does NIS2 apply to municipalities and public administration?

Often, yes. NIS2 covers essential and important entities across sectors including drinking water, wastewater, energy, and digital infrastructure, and it brings much of public administration into scope. A municipality that runs water, energy, or other essential services is typically an essential or important entity. National transposition determines the exact scope, so entities should confirm their status under their country's implementing law.

Does network documentation software make me NIS2 compliant?

No. NIS2 compliance is an organizational program, not a product you install. Network documentation software produces one input that several Article 21 measures assume you maintain: an accurate, current map of your systems and their connections. It supports the risk analysis, asset management, and continuity work. It does not perform risk management, handle incidents, or manage your supply chain.

Can I self-host network documentation for NIS2?

Yes, and for a European essential entity it's often preferable. Self-hosting keeps the discovery data, which describes your internal network, on your own infrastructure rather than with a third party, which simplifies data-residency questions. Scanopy's Community Edition is free and self-hosted; the commercial self-hosted edition removes the seat and network limits. Both run entirely in your environment.

How often should NIS2 network documentation be updated?

NIS2 expects risk-management measures to stay effective as the environment changes, which means documentation has to reflect the network as it is now, not as it was at the last review. Article 21(2)(f) specifically covers assessing whether measures remain effective. Automated discovery rescans on a schedule, so the map stays current without anyone maintaining it by hand.

Maya, Founder

Started as a homelabber, now deep in SNMP MIBs, Layer 3 topology, and service fingerprinting - building the network documentation tool I wished existed.