
Are You Prepared for Board-Level NIS 2 Risk? Why Leadership Cannot Afford Blind Spots

If your organisation sits anywhere near the remit of the NIS 2 Directive (energy, digital, health, transport, or support for any in-scope supply chains), your board’s engagement with cyber risk is about to become a source of regulatory focus and public accountability. Gone are the days when cyber risk was an IT “nice to have”; leadership can no longer relegate risk to a post-audit footnote.

The further risk sits from the boardroom, the more quickly it finds its way back through compliance failures.

Personal liability has shifted upstream. Under NIS 2, board members and senior management are individually responsible for maintaining and demonstrating live cyber resilience. This isn’t legal theatre: director sign-off on risk management, incident timelines (24 hours for notification, 72 hours for update, one month for closure), and engagement with sector authorities must be available as hard evidence, not claimed intent. Miss a mandatory update, fail to record a board meeting, or let your entity registration lapse, and you risk severe enforcement that no “I delegated it” can defend.

Incident response, procurement cycles, and partner onboarding all flow through the lens of “demonstrable oversight.” With every deadline met or missed now tracked by regulators, even a single missed timer (such as failing to file that 24-hour report) can accelerate reviews and brand your organisation as high-risk.

You must now anchor your cyber oversight in three places:

  • Director-led risk review and sign-off cycles, with logs to match (Clause 5.1, Annex A.5.4).
  • Assigned, rehearsed incident timers paired to actual response owners (A.5.24–26, A.5.35).
  • Instantly retrievable, sector-tuned evidence mapped to procurement and partner demands (8.2, A.5.12/13).

| Board Expectation | Practical Process | ISO 27001 / Annex A Reference |
|---|---|---|
| Director-led cyber oversight | Documented sign-off, review rhythm | Clause 5.1, Annex A.5.4 |
| Precise incident response (24/72/30d) | Timed, owned playbooks, evidence trail | Annex A.5.24–26, A.5.35 |
| Buyer/partner evidence | Up-to-date SoA, audit logs, live mapping | 8.2, A.5.12/5.13 |

No longer can leadership fall back on plausible deniability. Your signature is not just symbolic: it stands as audit proof and trust currency. Missed a review or an assigned timer? That single omission is a beacon for both regulators and enterprise clients conducting their own due diligence.

Verification isn’t about intent; it’s about the board’s living footsteps in the system.

The board’s role is now an active, ongoing audit trail, not merely an annual rubber stamp. NIS 2 makes it explicit: real accountability travels up.


Essential vs. Important: Pinpointing Your NIS 2 Duty, and the Price of Misclassification

For CISOs, IT leaders, risk and compliance officers, the “essential” or “important” classification is more than semantics. It defines the audit regime, the intensity of regulatory scrutiny, and the risk of unexpected inspection. And with ever-tightening definitions and supply chains pulling new companies into scope, static “industry” labels are increasingly risky choices.

Status is a moving lens, and it will find you via contracts, cross-border data flows, or supply integration.

Essential entities include energy operators, large hospitals, and digital infrastructure players. They must file for scheduled regulatory audits, provide granular system and supply chain logs, and answer sector-level reviews at short notice. “Important entities” may face less frequent audits but are still expected to maintain live, always-ready evidence. Regulators are shifting decisively towards spot checks and post-incident reviews, exposing companies that treat compliance as an annual paperwork cycle.

Regardless of how you classify, NIS 2 expects every in-scope entity to be audit-ready at all times. Relying on static status invites sudden, steep penalties.

SMEs: Always at the Edge of Scope

SMEs sometimes believe they are shielded unless directly named in Annexes. This belief is now the number-one source of regulatory missteps: if your software or service plugs into any in-scope infrastructure, your obligations may appear overnight. M&A activity, a single big-client contract, or a new partner integration can instantly recast your risk status.

Directors of essential entities face fines up to €10 million or 2% of annual turnover; “important” entities, €7 million or 1.4%. These are not headline numbers: they represent enforceable exposures for both finance and executive teams. Your board could inherit new obligations weeks after closing a new deal, a fact many discover too late.

| Status Trigger | Energy Example | Digital Example | SME Example |
|---|---|---|---|
| Grid/sector asset scale | >250 staff, grid ops | DNS, cloud, TLD | Supplier to essentials |
| Cross-border reach | Grid EU integration | Data spanning nations | Malware/OT consulting for hospital |
| Digital infra support | OT cyber vendors | SaaS backbone | IT for health’s remote-monitoring |
| Supply chain linkage | NIS 2 deals/sourcing | Key stack partnership | SME embedded in transport SaaS |

Readiness is a moving target; status can change with a contract, not a letter from the UK or EU.

A medium SaaS provider working with a critical energy operator can move from “out of scope” to “important entity” overnight, triggering new reporting, registry, and review rules.

The only real audit posture is continuous readiness; any other model will fail at the exact moment deals or incidents make you visible.








What’s Really Changing? Sector Spotlight for Energy, Health, Digital, SMEs and Transport

Sector-specific requirements are no longer boilerplate. Being “compliant” is not about having a generalist policy; it’s evolving into meeting the regulatory “DNA” of your specific industrial or service context.

Auditors no longer ask if you have a policy; they investigate whether your technical logs and controls fit what your sector actually does.

Energy: Mandates for continual scenario drills, IT/OT convergence evidence, and cross-border logs are now routine. A single incident in a neighbouring country can demand evidence from your logs, even if your core infrastructure wasn’t directly attacked.

Health: Hospitals and care providers are judged now as much by their ability to map and monitor every connected device and vendor as by their firewall posture. Gaps in vendor oversight are audit red flags, regardless of the intent or contract.

Digital: For DNS, cloud, SaaS, and Identity as a Service (IDaaS) vendors, audit is about log agility. Transparent, exportable logs, rapid response, and up-to-date SoA cross-references mean the difference between buyer confidence and lost contracts.

SMEs: More often in the crosshairs than they imagine. SME vendors to in-scope operators must maintain incident logs, validated protocols, and breach drill evidence on hand, not just upon request but for cross-sector audits, to eliminate “weak link” assumptions.

Transport: Logistics, aviation, maritime, and connected freight now require a traceable, real-time asset inventory. Incidents are mapped not only by internal response, but by sector-wide chain-of-custody reviews. One missing ledger or timer, and the inquiry widens to every digital and physical supplier.

| Sector | New Mandate | Required Outcome |
|---|---|---|
| Energy | Cross-border drills/logs | Show readiness and sector resilience |
| Health | Device and vendor mapping | Third-party control; breach minimisation |
| Digital | Export logs, SoA alignment | Turnkey evidence; buy/sell confidence |
| SMEs | Upstream supply chain proof | Win and keep larger deals |
| Transport | Chain-of-custody, asset logs | Regulator trust and continuous operation |

A missing asset log in a regional hospital exposed the entire medical supply chain to an unplanned regulatory review.

Compliance has to move from the ‘audit report’ to the real-time evidence locker; a single gap delays business and triggers cross-sector questions.




Supply Chain Resilience: How to Turn Weak Links into Regulatory Assets

Under NIS 2, your organisation’s ability to map, test, and prove supply chain resilience isn’t just a procurement or IT problem; it is a credential for board-level risk acceptance and contract trust. The board is now on the hook for every untested supplier drill.

In a chain, each weak link now has a visible owner and a timestamped test.

To move beyond annual self-assessments and tick-box exercises, adopt continuous mapping and real incident simulation cycles. Schedule formal reviews and retain up-to-date supply chain risk maps; require drill logs with your procurement teams and integrate findings into live audit registers. Cross-team drills and evidence-sharing with vendors are now an audit expectation, not a “bonus” signal.

| Trigger Event | Response | Control / SoA Reference | Evidence Logged |
|---|---|---|---|
| Onboarding vendor | Map risk, schedule drill | A.5.20: Supplier relationship management | Vendor drill/test doc |
| Security gap found | Log, assign fix, test | A.8.8: Vulnerability management | Incident re-test and review |
| Supply incident | Board review, update | A.5.24: Incident management planning | Board drill/archive report |

Imagine an OT provider in energy failing a live drill. Instead of uncovering this at audit and scrambling for evidence, a real-time supply chain update triggers corrective action, a documented re-drill, and pushes all records into your audit logs, directly referenced in your SoA. Auditors expect to see each adjustment, from board review to incident closure, in one chain.

Your next due diligence isn’t annual; it’s whenever the board requests or a regulator calls. Treat evidence as living currency.

Boards and procurement leaders who adopt “living supply chain” frameworks lower the cost of audit, speed business, and contain incidents when (not if) the spotlight turns.








Incident Response and Reporting: When Every Minute Counts (and Is Audited)

Once a cyber-incident is detected, the timer isn’t metaphorical: the system logs its tick from the first minute. Notification windows (24 hours for initial report, 72 hours for substantive update, and one month for closure) are enforced as hard thresholds. Each phase demands an explicit owner, pre-assigned and rehearsed.

A timer without an owner is not just a compliance problem; it is a regulatory vulnerability waiting to be revealed.

Detection is just step one; evidence of each communication, action, and follow-up is now the metric for resilience. Board and IT teams who “walk” their incident response logs, demonstrating handoffs, escalation, and resolution, add trust. Regulators now probe more deeply when timers are missed or evidence is incomplete.

| Trigger | Required Response | Audit Evidence Recorded |
|---|---|---|
| Incident found | 24h timer, notify team | Incident detection log |
| 72hr mark | Escalation/update filed | Progress log, notification doc |
| Closure (30d) | Lessons learned, closure | Review, training, update log |

Audit trails that fail to explain delays magnify business risk and reputational impact.

In a modern NIS 2 audit, having a documented, time-stamped chain of incident to closure is non-negotiable. Missed notifications or unassigned steps invite sector-level scrutiny and delay recovery. The simple fix: live, assigned incident processes mapped to your real-world team, reviewed and updated after every event.
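As an added illustration (not code from the article or from ISMS.online), here is a small Python model of the reporting clock described above: each stage has a window measured from detection, a named owner and a filing timestamp, and an evidence check flags unassigned owners, late filings and windows that closed with nothing filed. The stage labels, owner roles and incident data are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# NIS 2 reporting windows as stated in the article, all measured from detection.
# The stage keys are this example's own labels, not regulatory terms.
WINDOWS = {
    "initial_24h": timedelta(hours=24),
    "update_72h": timedelta(hours=72),
    "closure_30d": timedelta(days=30),
}


@dataclass
class Incident:
    incident_id: str
    detected_at: datetime                        # naive UTC timestamps throughout
    owners: dict = field(default_factory=dict)   # stage -> named owner
    filings: dict = field(default_factory=dict)  # stage -> datetime the filing was made


def deadlines(inc: Incident) -> dict:
    """Absolute due time for each reporting stage, counted from detection."""
    return {stage: inc.detected_at + window for stage, window in WINDOWS.items()}


def audit(inc: Incident, now: datetime) -> list:
    """The check a reviewer would run: returns (stage, finding) pairs.
    An empty list means every stage has an owner and nothing is late or missed."""
    findings = []
    for stage, due in deadlines(inc).items():
        if not inc.owners.get(stage):
            findings.append((stage, "no owner assigned"))
        filed = inc.filings.get(stage)
        if filed is None:
            if now > due:                   # window closed with nothing filed
                findings.append((stage, "missed: nothing filed by " + due.isoformat()))
        elif filed > due:                   # filed, but after the window closed
            findings.append((stage, "late by " + str(filed - due)))
    return findings


def time_remaining(inc: Incident, now: datetime) -> dict:
    """Still-open stages and the time left on each clock (negative means overdue)."""
    return {stage: due - now
            for stage, due in deadlines(inc).items()
            if stage not in inc.filings}


# Constructed sample: the 24h report filed in time, the 72h update filed
# 8 hours late, and the closure stage never given an owner.
T0 = datetime(2024, 5, 1, 8, 0)
SAMPLE = Incident(
    incident_id="INC-EXAMPLE-001",
    detected_at=T0,
    owners={"initial_24h": "SOC lead", "update_72h": "CISO"},
    filings={"initial_24h": T0 + timedelta(hours=20),
             "update_72h": T0 + timedelta(hours=80)},
)
DAY_10 = T0 + timedelta(days=10)   # closure window still open
DAY_31 = T0 + timedelta(days=31)   # closure window has closed

if __name__ == "__main__":
    for when in (DAY_10, DAY_31):
        print(f"review at {when.isoformat()}:")
        for stage, finding in audit(SAMPLE, when):
            print(f"  {SAMPLE.incident_id} {stage}: {finding}")
        for stage, left in time_remaining(SAMPLE, when).items():
            print(f"  {stage}: {left} remaining")
```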




Are You Audit-Ready? Why Sector Evidence and Real-Time Logs Now Anchor Boardroom KPIs

The NIS 2 era eliminates the comfort of “audit season.” Audits are now triggered by incidents, M&A, procurement disputes, or supplier issues, at the regulator’s discretion. Your Statement of Applicability (SoA), asset logs, incident reports, and staff training flows must all be audit-ready, evidence-backed, and accessible to your board at short notice.

Audit readiness is not a phase; it’s a standing expectation.

Auditors and buyers expect evidence not only to exist but to match your sector’s specific obligations and operational footprint. SoAs and logs that lack sector context or contain stale mappings (e.g., unchanged after an acquisition or incident) are red flags. Companies that are “caught searching” under time pressure are far more likely to face repeat audits and procurement setbacks.

| Sector | Trigger/Event | Evidence Needed | Boardroom Impact |
|---|---|---|---|
| Health | Device recall/failure | Supply chain/asset logs | Regulator, financial |
| Energy | Supplier breach | Drill, closure log | Penalties, contracts |
| Digital/SME | New client contract | Policy, SoA, process logs | Lost deal, trust risk |

Assign risk and evidence owners now, not after an audit trigger, so you can meet KPIs, close contracts, and pass scrutiny on demand.

With a standing audit expectation, your living controls, evidence chain, and sector mapping are the new executive KPIs.

A system supporting live evidence with board-level accessibility shields directors from compliance gaps and earns buyer trust.








Second-Order Risks: How Sectors Fail, and Why the Fastest Correctors Win

Today’s riskiest compliance failure isn’t a direct breach; it’s the unreported business or system change that rewrites your obligations overnight. New clients, contracts, partners, or digital product launches regularly recast your entity’s status or supply chain, dragging “out of scope” teams into the heart of NIS 2 with little notice.

Second-order risk is a speed game: prompt correctors contain damage, late-reactors face cascade audits.

Modern compliance is won not by chasing perfection, but by quickly reflecting every status change, acquisition, or contract pivot in your risk registers, SoAs, and supply links. Organisations exposed by M&A or cloud migrations are those that treat scope as static; those that course-correct with logged, timestamped process updates show resilience under audit scrutiny.

Mini-scenario:
An SME acquires a niche SaaS used by a regulated energy client. The acquiring company fails to update its SoA, risk mapping, or incident playbooks. A cyber incident follows, and the audit reveals that controls and logs did not match the new scope. The real penalty: extended audits, lost client trust, and lasting regulatory drag.

| Trigger | Rapid Action Required | SoA/Control Evidence | Audit Outcome |
|---|---|---|---|
| Acquisition/new entity | Update scope, risk, board sign-off | SoA update log, board review | Audit passes, limited follow-up |
| Missed update/delay | Exposure mounts, incident multiplies | No update log, legacy mapping | Escalated, repeat audits, fines |

With living compliance, every event gives proof of correction; without it, one missed status update can drag your business through months of intense review.

The fastest correctors not only limit fallout; they become growth enablers and trusted partners.




Jumpstart Sector Compliance: ISMS.online as Your NIS 2 Engine for Resilience

NIS 2 isn’t about larger compliance manuals; it’s about fit-for-purpose platforms that adapt, map, and prove your security, privacy, and operational controls in sync with live business cycles. Sector alignment, real-time evidence, and supply chain traceability aren’t bonus features; they are the difference between seamless audits and reputation-damaging regulatory delays.

Evidence earned ahead of demand is evidence that buys you time, contracts, and trust.

ISMS.online delivers practical solutions tailored to real sector needs: from HeadStart content for compliance Kickstarters to sophisticated linked evidence frameworks for CISOs and privacy officers (isms.online). You get:

  • Pre-built sector-aligned controls and frameworks, mapped directly to ISO 27001, SOC 2, NIS 2, and privacy mandates.
  • Live, export-ready evidence, asset, and process logs ready for board view or regulator request.
  • Supply chain management tied to policy packs, risk mapping, and drill cycles, with no more fragmented spreadsheets or risk registers.
  • Seamless audit support, from self-guided checklists for SMEs to advanced reporting and stakeholder dashboards.
  • Instant documentation and board-accessible SoA that matches each update, contract, or process shift.

Boards, CISOs, compliance leads: choose a compliance partner that adapts to sector demands, audit cycles, and business change speed. The advantage in today’s NIS 2 landscape belongs to those prepared to present the right proof at the right time. The resilience era rewards readiness; your compliance journey starts now.



Frequently Asked Questions

Who is legally accountable for NIS 2 compliance in energy, health, digital, transport, and SME sectors, and why is board engagement now mission-critical?

Under NIS 2, board directors and senior executives, rather than IT or compliance officers, are personally accountable for cyber-security governance, risk management, and regulatory deadlines across energy, health, digital infrastructure, transport, and SME suppliers. This shift isn’t a bureaucratic formality: directors must sign off on risk assessments and incident logs, guarantee that SCADA/supply chain evidence, drill records, and registries are up-to-date, and directly oversee incident response windows (24-hour initial, 72-hour update, 30-day closure) (PwC, 2024).

If logs are missing, board reviews skipped, or incidents under-reported, the consequences land not just on the company but on individuals: multi-million euro or % of revenue fines, disqualification, and regulatory sanctions. NIS 2’s most fundamental change is that regulators now track the flow of critical contracts, services, and supply chains, not just sector labels. As soon as your organisation enters a regulated supply web, directors’ names are on the line for real-world digital resilience.

Regulators now follow your contracts, not your comfort zones; board-level accountability is the new security perimeter.

What does this mean in practice?

Organisations must keep a living chain of board-level signoffs, risk logs, incident timer proofs, sector-aligned Statements of Applicability (SoAs), and supplier drill participation records. Skipping any link exposes the board and company to immediate audit triggers and penalties, especially as digital supply chains change faster than policy review cycles. Active, real-time board engagement is no longer optional; it’s the baseline for avoiding fines and safeguarding both organisational and personal reputations.


What’s the difference between “essential” and “important” NIS 2 entities, and why does it matter for audits, penalties, and status changes?

NIS 2 splits regulated organisations into “essential” and “important” entities. Essential entities include core infrastructure: large energy firms, hospitals, grid operators, and major digital platforms (cloud, DNS, TLD registries). These are subject to proactive, scheduled audits and face the highest penalties: up to €10 million or 2% of annual global turnover (Foot Anstey, 2024).

Important entities, including mid-sized SaaS, specialised digital suppliers, and pivotal SMEs, are audited reactively, typically after incidents or supplier entry. However, their audit risk and penalty exposure is still significant: up to €7 million or 1.4% of revenue.

Crucially, status isn’t static: landing a critical contract or integrating with regulated supply chains can instantly upgrade an SME’s scrutiny level. Regulators react to operational impact and data flow, not just size or legacy status. A missed update in status is a common root of audit surprises and unbudgeted penalties.

| Entity Status | Who’s Included | Audit Regime | Maximum Penalty | Status Triggers |
|---|---|---|---|---|
| Essential | Grid, hospital, cloud, DNS, energy majors | Scheduled | €10M / 2% revenue | Major contract, M&A, registry update |
| Important | Mid-cloud, SaaS, B2B tech, supply SMEs | Reactive/event | €7M / 1.4% revenue | New supplier/deal, digital onboarding |

Why it matters: SMEs supplying critical infrastructures are swept into scope by their contracts, not company intent. Immediate audit preparedness, board-level ownership, and live evidence collection become everyday necessities; complacency on status can cost both revenue and reputation overnight.


How do sector-specific NIS 2 mandates shape compliance, and why is generic policy fallback now risky?

NIS 2’s sector demands aren’t checklists; they’re live evidence regimes tailored to industry-specific threat models:

  • Energy: Must document cross-border drill participation, maintain real-time SCADA and registry logs, and show living evidence of OT/IT risk management (KPMG, 2024).
  • Health: Required to track all devices, patch and vendor logs, legacy risks, and supplier due diligence. Regulators flag outdated or unsupported health tech.
  • Digital (cloud, TLD, DNS, data centres): Face procurement audits and must provide exportable SoAs, log agility, and hard ties between contracts and controls.
  • SMEs: Entry into regulated supplier roles, onboarding, or handling sensitive data can bring the full NIS 2 burden, sometimes overnight (ENISA, 2024).
  • Transport: Audited by asset, chain-of-custody, and registry evidence; missing records or outdated logs increase repeat audit risk and fines.

| Sector | Key Evidence | Audit Focus |
|---|---|---|
| Energy | Drills, SCADA logs, registries | OT/IT risk & cross-border |
| Health | Device, patch, vendor, legacy mapping | Data protection, supply |
| Digital | SoA exports, agile logs, procurement | Rapid audit, readiness |
| SMEs | Supplier onboarding, live registry | Supply chain, integration |
| Transport | Chain-of-custody, asset logs | Intermodal, compliance |

Unlike prior years, failure to show current, sector-aligned documentation now means longer audits, instant fines, and eroded regulatory trust. Sector-specific, living evidence is your shield; generic policy is now a liability.


What new supply chain requirements does NIS 2 impose, and why is real-time evidence the “pass/fail” metric?

NIS 2’s supply chain risk controls mandate a level of real-time engagement most organisations have never attempted. Boards and compliance officers now must (ENISA, 2023):

  • Maintain current registries for all suppliers and service providers.
  • Document every supplier’s participation in breach drills, incident follow-ups, and vulnerability remediations, with clear ownership and timestamps (ISACA, 2023).
  • Enforce contract clauses granting rights to audit, require breach notifications, log evidence sharing, and demand prompt registry updates.
  • Connect procurement and vendor onboarding directly to risk register and evidence workflows.

In a supply chain audit, showing your last breach drill, supplier risk registry, and closure logs instantly is now the minimum passing grade.

Any missing link can cascade risk up the chain, exposing your organisation and client boards to penalties. It’s not just external audits: proactive registry maintenance helps secure new contracts, boosts buyer trust, and radically reduces penalty exposure.


What do the new NIS 2 incident reporting deadlines and ownership rules mean for your organisation, and for your escalation process?

NIS 2 incident reporting is built on tight, non-negotiable clocks and named owners (Aikido, 2024):

  • 24 hours: Initial incident detection logged, with timestamp, owner, and escalation.
  • 72 hours: Analytical update to regulators or sector CSIRT, documentation of the escalation chain, and status annotation.
  • 30 days: Formal closure, evidence of lessons learned, remedial actions logged.

Failing to meet these deadlines exposes the responsible owner (not “the team”) and board to direct regulatory sanction. Drills, simulations, and supply chain escalation must all be evidenced in real time, with logs, minutes, and contract notifications ready for audit (ENISA, 2024):

| Reporting Stage | Deadline | Audit Evidence | Penalty Risk |
|---|---|---|---|
| Detection | 24 hrs | Owner, log, detection | Audit flag, board escalation |
| Analysis | 72 hrs | Escalation chain, update | Regulator penalty |
| Closure | 30 days | Lessons learned, closure | Repeat audit, director risk |

Your team should ensure incident drills, supply chain notifications, and lessons-learned reviews are a routine part of operational rhythm, not just responses to emergencies.


How do NIS 2 audits and enforcement escalate, and what builds lasting board resilience?

NIS 2 audits no longer run on a yearly schedule; they’re now triggered by incidents, regulatory events, sector reviews, or major business moves (e.g. M&A, new contracts) (Clifford Chance, 2022):

  • Auditors demand three-year archives of incidents, risk closures, SoA updates, and evidence logs.
  • “Living” registries are required; static, annual attestation is obsolete.
  • Boards must be able to show minutes of risk decisions, scope expansions, and mitigation activity, all within days or weeks, not months.

| Trigger | Evidence Needed | Boardroom Risk Scenario |
|---|---|---|
| Incident | 3-year log, closure lessons | Regulatory sanction, repeat |
| M&A/Contract | Updated SoA, registry, supplier | Client penalty/loss |
| Scheduled review | Board minutes, risk logs, actions | Fines, disqualification |

Success is defined by evidence velocity and completeness: organisations that treat NIS 2 as a living process, continuously updating risk and action logs, build reputational trust and resilience with both regulators and clients.


What hidden, second-order risks most often lead to NIS 2 penalties, and how does rapid evidence updating keep you out of trouble?

Most real-world fines don’t come from missing basic controls, but from business changes that quietly expand NIS 2 scope (Compleye, 2024):

  • Securing a new contract with an essential entity imports regulatory obligations, often with retrospective enforcement.
  • M&A activity, cross-border launches, SaaS access, or onboarding new digital assets can expose untracked systems, and the responsible directors, to immediate audit.
  • The real asset is traceability: updating registries, risk logs, SoA mappings, and board action within the same week of a change.

| Trigger Event | Update Needed | Evidence Example |
|---|---|---|
| New contract | Registry, SoA update | Signed SoA, supply contract, min |
| M&A | Risk, registry update | Board minutes, asset logs |
| Service launch | Incident/closure log | Closure entry, lessons reviewed |

Business agility is now compliance agility. Rapid updates, embedded in onboarding, product launches, or risk-scoring cycles, directly minimise audit duration and penalty risk, while maximising board confidence.


How does ISMS.online deliver actionable NIS 2 compliance across board, supply chain, and audit, in less time and with assured evidence?

ISMS.online is purpose-built for integrated, sector-specific NIS 2 compliance, translating legal mandates into operational reality and reducing board burden with live, audit-ready systems:

  • Prebuilt frameworks: Out-of-the-box mappings to energy, health, digital, and transport mandates, ensuring sector alignment and readiness from day one.
  • Automated supply chain logs: Evidence requests, drill participation, contract clause enforcement, all recorded and traceable without manual chasing.
  • Live asset, risk, and incident registries: Always up-to-date, supporting closure logs, lessons learned, and procurement onboarding.
  • Board dashboards & audit review: Directors track status, export evidence instantly, and see regulatory gaps before fines or client complaints.
  • Proven first-pass audit success: Trusted by authorities and diverse operators, ISMS.online continually delivers clean audit outcomes as regulations intensify (ENISA, 2024).

Building a living evidence base isn’t just compliance; it’s future-proofing your organisation. Boards who treat deadlines as starting lines, not finish lines, turn NIS 2 into real-world resilience.

If your next board review feels like firefighting, it’s time to shift to proactive proof, so you move faster than the next regulatory change.

ISO 27001 Bridge Table: Expectation, Operationalization, and NIS 2 Reference

| Expectation | Operationalization | ISO 27001 / Annex A Reference |
|---|---|---|
| Board sign-off on risk/incidents | Board-reviewed, live ownership, evidence chain | 5, A.5.4, A.5.35 |
| Continuous supplier registry | Automated logs, drill proof, real-time updates | A.5.19–21 |
| Living evidence for audit | Asset/incident tracker, exportable SoA | A.8.6, A.8.8, A.8.13, A.8.36 |
| Sector-specific compliance | Exportable controls and audit-ready dashboards | Sector mapping, Annex A |

Regulatory Traceability Table: Trigger, Risk Update, Control Link, Evidence Example

| Trigger | Registry/Risk Update | Control / SoA Link | Evidence Example |
|---|---|---|---|
| New contract | Registry, scope, SoA update | A.5.19, A.5.21 | Signed SoA, supply contract |
| Incident log | Incident/closure record | A.8.13, A.8.8 | Closure, lessons, audit log |
| Supplier drill | Drill registry, risk review | A.5.20, A.5.21 | Drill log, registry export |


Mark Sharron

Mark Sharron leads Search & Generative AI Strategy at ISMS.online. His focus is communicating how ISO 27001, ISO 42001 and SOC 2 work in practice - tying risk to controls, policies and evidence with audit-ready traceability. Mark partners with product and customer teams so this logic is embedded in workflows and web content - helping organisations understand, prove security, privacy and AI governance with confidence.
