NIS2 Risk Register Template

Free NIS2 risk register template based on NIST SP 800-30. Browser-based, no download required. Covers threat sources, threat events, likelihood, impact, and risk level.


The central document of your cybersecurity governance

A risk register is a structured record of the cybersecurity risks identified for a specific system or organisation. It captures each risk in a consistent format so that risks can be compared, prioritised, and tracked over time. Under NIS2, maintaining a risk register is how you demonstrate that your security measures are appropriate and proportionate to the risks you face.

A NIS2-compliant risk register should be based on a structured methodology. NIST SP 800-30 Revision 1 defines the fields every risk entry must capture — from the originating threat source through to the recommended treatment action.

What every risk register entry contains

Open Risk Register generates a complete risk register with all NIST SP 800-30 mandatory fields. Every entry is fully populated by the assessment workflow.

Threat Source

Who or what could initiate a harmful event. Categorised as adversarial, accidental, structural, or environmental per NIST SP 800-30 Appendix D.

Threat Event

The specific scenario the threat source could execute against your system, drawn from the NIST SP 800-30 Appendix E catalogue.

Vulnerability

A predisposing condition or control weakness that increases the probability of a threat event succeeding in your environment.

Likelihood

An overall score (Very Low to Very High) representing how probable the threat event is, given source capability and your vulnerability exposure.

Impact

An overall score (Very Low to Very High) representing the harm that would result if the threat event occurred — operational, financial, and reputational.

Risk Level

Automatically calculated from likelihood and impact using a 5×5 risk matrix, producing a prioritised risk level for each threat event.

Risk Response

The chosen treatment: Accept, Mitigate, Transfer, or Avoid. Annotated with specific controls or actions planned.

Residual Risk

The remaining risk after controls are applied, documented to show it is acceptable relative to your organisation's risk tolerance.

Assessment Scope

Each register entry is linked to the system scope defined at setup, ensuring traceability from every risk to the system it applies to.
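The entry structure described above, worked through as an added example in JavaScript (the tool is browser-based, but this is not Open Risk Register's own code). It builds register entries with the fields listed, rejects entries that are incomplete or scored off the scale, derives Risk Level and Residual Risk from a 5×5 matrix, and orders the result highest risk first. The matrix is my transcription of the combined likelihood/impact table in NIST SP 800-30 Rev 1 Appendix I (Table I-2) and the tool's own matrix may differ; the field names, the JSON export shape and the two sample entries are constructed for the example.

```javascript
// Added example (not Open Risk Register's code): a minimal NIST SP 800-30 style
// register entry builder. The 5x5 matrix is my transcription of the combined
// likelihood/impact table in NIST SP 800-30 Rev 1 Appendix I (Table I-2);
// treat it as an assumption and check it against the published table or the
// tool's own matrix before relying on it.

const SCALE = ["Very Low", "Low", "Moderate", "High", "Very High"];

// Rows: likelihood, Very Low .. Very High; columns: impact, Very Low .. Very High.
const RISK_MATRIX = [
  /* Very Low  */ ["Very Low", "Very Low", "Very Low", "Low",      "Low"],
  /* Low       */ ["Very Low", "Low",      "Low",      "Low",      "Moderate"],
  /* Moderate  */ ["Very Low", "Low",      "Moderate", "Moderate", "High"],
  /* High      */ ["Very Low", "Low",      "Moderate", "High",     "Very High"],
  /* Very High */ ["Very Low", "Low",      "Moderate", "High",     "Very High"],
];

const THREAT_SOURCE_TYPES = ["adversarial", "accidental", "structural", "environmental"];
const RESPONSES = ["Accept", "Mitigate", "Transfer", "Avoid"];

function scaleIndex(value, field) {
  const i = SCALE.indexOf(value);
  if (i < 0) throw new Error(`${field} must be one of: ${SCALE.join(", ")} (got "${value}")`);
  return i;
}

// Qualitative risk level for a likelihood/impact pair, looked up in the matrix.
function riskLevel(likelihood, impact) {
  return RISK_MATRIX[scaleIndex(likelihood, "likelihood")][scaleIndex(impact, "impact")];
}

// Build one register entry. Every mandatory field must be present and in range,
// so an incomplete or mis-scored entry never reaches the register.
function buildEntry(input) {
  const required = ["id", "scope", "threatSourceType", "threatSource", "threatEvent",
    "vulnerability", "likelihood", "impact", "response", "controls",
    "residualLikelihood", "residualImpact"];
  for (const f of required) {
    if (input[f] === undefined || input[f] === "") throw new Error(`missing field: ${f}`);
  }
  if (!THREAT_SOURCE_TYPES.includes(input.threatSourceType)) {
    throw new Error(`unknown threat source type: ${input.threatSourceType}`);
  }
  if (!RESPONSES.includes(input.response)) throw new Error(`unknown response: ${input.response}`);
  const inherent = riskLevel(input.likelihood, input.impact);
  const residual = riskLevel(input.residualLikelihood, input.residualImpact);
  // Sanity check: a treatment cannot leave more risk than there was to begin with.
  if (SCALE.indexOf(residual) > SCALE.indexOf(inherent)) {
    throw new Error(`${input.id}: residual risk ${residual} exceeds inherent risk ${inherent}`);
  }
  return { ...input, riskLevel: inherent, residualRisk: residual };
}

// Highest risk first, ties broken by id, for the prioritised Results view.
function prioritise(entries) {
  return [...entries].sort((a, b) =>
    SCALE.indexOf(b.riskLevel) - SCALE.indexOf(a.riskLevel) || a.id.localeCompare(b.id));
}

// Entries whose residual risk still exceeds the organisation's stated tolerance.
function aboveTolerance(entries, tolerance) {
  const limit = scaleIndex(tolerance, "tolerance");
  return entries.filter((e) => SCALE.indexOf(e.residualRisk) > limit);
}

// Machine-readable export of the register (shape is my own, not the tool's).
function exportJson(entries) {
  return JSON.stringify({ format: "example-risk-register", version: 1, entries }, null, 2);
}

// Constructed sample entries for a hypothetical system; not real assessment data.
const SAMPLE_REGISTER = prioritise([
  buildEntry({
    id: "R-002", scope: "Customer portal (hypothetical)", threatSourceType: "environmental",
    threatSource: "Power failure at hosting site", threatEvent: "Service unavailable for over 24 hours",
    vulnerability: "Single site, no failover", likelihood: "Low", impact: "Very High",
    response: "Transfer", controls: "Move to hosting provider with multi-zone availability SLA",
    residualLikelihood: "Very Low", residualImpact: "High",
  }),
  buildEntry({
    id: "R-001", scope: "Customer portal (hypothetical)", threatSourceType: "adversarial",
    threatSource: "External attacker", threatEvent: "Credential stuffing against the login form",
    vulnerability: "No MFA on customer accounts", likelihood: "High", impact: "Moderate",
    response: "Mitigate", controls: "Enable MFA; rate-limit and monitor failed logins",
    residualLikelihood: "Low", residualImpact: "Moderate",
  }),
]);

console.log(exportJson(SAMPLE_REGISTER));
```

Both sample entries land on a Moderate inherent risk by different routes (High likelihood with Moderate impact, and Low likelihood with Very High impact), which is the point of a fixed matrix: the same pair of scores always yields the same level, so entries are comparable across the register. The residual check against a tolerance level is what the Residual Risk field is for; entries it returns are the ones that still need a decision.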

Generated automatically from your assessment

You do not fill in the risk register manually. Open Risk Register builds it automatically as you complete each step of the guided NIST SP 800-30 workflow.

No blank templates

There is no spreadsheet to download. The tool captures your inputs step-by-step and compiles a complete, structured register at the Results step.

Consistent scoring

Likelihood and impact scores use the same qualitative scale throughout. Risk levels are calculated automatically from a 5×5 matrix, eliminating formula errors.

Export-ready output

Export your complete risk register as an encrypted backup for safer storage and sharing, or as JSON for archiving and analysis. You can also print a formatted PDF report for management review — directly from the Results step.

Take your risk register anywhere

Your completed risk register can be exported in multiple formats from the Results step.

  • Encrypted backup export — A passphrase-protected backup of your full assessment for safer storage and controlled sharing.
  • JSON export — A machine-readable backup of your full assessment including all inputs, scores, and the complete risk register. Archive it, share it with your IT security team, or use it to recreate the assessment.
  • PDF report — Print a formatted report directly from your browser including the assessment scope, risk register table, and risk response summary — ready for management sign-off or regulatory inspection.
  • Browser persistence — Assessments automatically persist in localStorage between browser sessions so you can return and update your register as your risk landscape changes.

What this template does not replace

This risk register template is a documentation aid, not a compliance guarantee.
  • Qualitative scores only. Risk levels are qualitative (Very Low to Very High). The template does not produce quantitative financial risk estimates.
  • No legal advice. The output does not constitute legal, regulatory, or professional security advice. Consult a qualified cybersecurity professional for NIS2 compliance questions.
  • Browser storage. The register is stored in localStorage. Clear your browser data and it is gone. Export encrypted backups regularly (and JSON when needed).
  • No certification. Completing a risk register does not certify NIS2 compliance. Compliance also requires incident reporting, board-level governance, and national competent authority supervision.

Generate your NIS2 risk register now

Free, browser-based, no download required.
