In force since 17 Oct 2024·Day 601·

Reference · Article 21Last revised 10 Jun 2026

The 21 measures, explained simply.

Article 21 of Directive (EU) 2022/2555 lists ten categories of cybersecurity risk-management measures. We have unpacked them into 21 concrete checkpoints, grouped by what your team actually has to deliver.

§ 01

Governance

NIS2 makes cybersecurity a board-level duty. Article 20 requires management bodies to approve the cyber risk-management measures, oversee their implementation, and follow training that lets them identify and manage cyber risk. The same article makes directors personally liable for breaches — a deliberate shift from earlier NIS practice. In substance, four artefacts are needed: a security policy approved at board level, written roles and accountability, training that is logged, and an independent review the board can read. Without them, the rest of Article 21 sits on sand. Implementing Regulation 2024/2690 treats governance as the precondition for every other control category.

  1. M.01

    Information security policies — approved at board level

    A written policy approved by the board sets risk appetite, scope and review cadence — without it, every other control becomes ad hoc. ISO 27001 Annex A.5.1 is the practical reference.

  2. M.02

    Roles, responsibilities & accountability formally documented

    Each control has a named owner; segregation of duties is documented for high-risk operations. Supervisors will ask “who signed off” when an incident is reviewed.

  3. M.03

    Director training on cybersecurity risk

    Article 20(2) makes management training mandatory and trackable. Generic awareness modules are not enough — training must let directors understand the risks specific to their entity.

  4. M.04

    Annual independent review of the security programme

    An external or independent internal audit reviewing the maturity of the programme each year. Findings are reported to the board with a remediation plan and timeline.

§ 02

Risk management

Article 21(2)(a) requires policies on risk analysis and information system security. Point (c) adds business continuity, backup management and crisis management. Practically, this is the bridge between governance intent and technical execution: a documented risk methodology, a live register kept current with new threats and asset changes, an inventory that knows what you actually run, and continuity plans whose restore procedures have been tested — not just written. NIS2 supervisors expect evidence of testing, not just plan documents. Tabletop exercises, restore drills and signed-off review minutes form the audit trail that turns a paper register into a defensible programme.

  1. M.05

    Risk analysis methodology and live risk register

    A documented method (qualitative or quantitative) and a register reviewed at minimum quarterly. Static risk registers are a typical supervisor red flag.

  2. M.06

    Asset inventory: information systems and data

    You cannot protect what you do not know you operate. The inventory must cover hardware, software, cloud services, data flows and dependencies — refreshed automatically where possible.

  3. M.07

    Business continuity & crisis management plans

    Plans cover loss of site, loss of supplier and loss of access. They define RTO/RPO per service, communication protocols and the chain of command during a crisis.

  4. M.08

    Backups: tested restore procedures

    Backups that have never been restored are theoretical. NIS2 expects evidence of regular restore tests, ideally including ransomware-resilient configurations (immutable, offline or air-gapped).

§ 03

Technical measures

Article 21(2) lists the technical baseline: cryptography (h), multi-factor authentication (j), incident handling (b), security in the acquisition, development and maintenance of systems (e), human-resources security and access control (i). Implementing Regulation 2024/2690 turns those points into concrete controls — MFA on remote and admin access, segmentation between trust zones, vulnerability management with a patching cadence, EDR on endpoints, and a secure SDLC for in-house and supplier code. Nothing here is new in substance: the set maps to ISO 27001 Annex A and the NIST Cybersecurity Framework. NIS2 turns “best practice” into a legal floor and gives supervisors a right of inspection.

  1. M.09

    Multi-factor authentication on all critical access

    Article 21(2)(j) explicitly requires MFA. Critical access includes admin accounts, remote access, externally-facing applications and access to sensitive data — phishing-resistant factors are increasingly expected.

  2. M.10

    Cryptography and encryption policy

    A policy specifying algorithms, key lifecycle and where encryption is required (data at rest, in transit, in backups). ENISA guidance points to post-quantum readiness as a forward-looking criterion.

  3. M.11

    Network segmentation and zero-trust principles

    Flat networks let an initial compromise become a sector-wide outage. Segmentation isolates critical systems; zero-trust replaces implicit trust with continuous verification of identity and device posture.

  4. M.12

    Vulnerability management and patching cadence

    A documented patching SLA by severity (critical / high / medium), a process for emergency out-of-band patches and exception tracking for unpatchable systems with compensating controls.

  5. M.13

    Endpoint detection and response

    EDR or XDR on workstations and servers — beyond legacy antivirus. Telemetry must be retained long enough for forensic investigation (typically 6–12 months) and feed into the SOC or MSSP.

  6. M.14

    Secure software development lifecycle

    Threat modelling at design, dependency scanning in CI, secret detection, code review and runtime application testing. Applies equally to internal teams and outsourced developers.

§ 04

Supply chain

Article 21(2)(d) makes third-party security a direct obligation: organisations must address the risks that come from suppliers and service providers. The Cooperation Group’s coordinated risk assessments (the 5G toolbox template) signal the direction of travel — sectoral assessments of critical providers, with mitigations that may include vendor restrictions. In practice, three layers: pre-contract security assessments, contractual clauses that survive into operations (notification, audit, sub-processor controls), and continuous monitoring of third-party exposure (breaches, sanctions, geopolitical risk). Kaseya, SolarWinds and MOVEit are the unstated reference: a single critical supplier can take a sector down, and supervisors will want to see your map.

  1. M.15

    Supplier security assessments

    Risk-tier your suppliers (which ones can take you down?) and require security assessments proportional to that tier — questionnaires, certifications (ISO 27001, SOC 2) or on-site audits for the most critical.

  2. M.16

    Contractual security clauses for critical vendors

    Right-to-audit, incident notification timelines (matching your own NIS2 obligations), data localisation where required, sub-processor disclosure and exit/transition assistance. The clauses must survive renewals and acquisitions.

  3. M.17

    Continuous monitoring of third-party exposure

    External attack-surface monitoring, sanctions screening, breach intelligence and re-assessment when supplier ownership changes. A static annual questionnaire does not satisfy “continuous” under NIS2.

§ 05

Incident handling

Article 23 sets a three-step reporting cadence: a 24-hour early warning, a 72-hour incident notification with an initial severity assessment, and a final report within one month. The trigger is a “significant” incident — one that has caused or is capable of causing severe operational disruption, financial loss, or impact on third parties. Behind those deadlines sit the operational artefacts: detection and classification playbooks, an escalation chain that reaches the CSIRT or competent authority, a severity matrix the on-call team can apply at 03:00, and a post-incident review process. Several regulators have begun publishing typical penalties for missed deadlines — getting the 24/72/30 cadence right is the cheapest line item in the programme.

  1. M.18

    Detection, classification and escalation playbooks

    Documented runbooks for the most likely scenarios (ransomware, data exfiltration, DDoS, supply-chain compromise, insider). Each runbook lists triage steps, classification criteria and the escalation chain.

  2. M.19

    24h early warning to CSIRT

    Within 24 hours of becoming aware of a significant incident, an early warning to the CSIRT or competent authority — even with limited information. The clock starts at awareness, not at full understanding.

  3. M.20

    72h incident notification with severity assessment

    A formal notification within 72 hours including initial severity, indicators of compromise and any cross-border impact. Updates are provided as the assessment evolves.

  4. M.21

    Final report within one month

    A detailed report within one month covering the root cause, the actual impact, mitigations applied and lessons learned. The report becomes the basis for any supervisor follow-up.

Boardroom mid-discussion — the moment a board agrees to commission the assessmentAction · Run the checklist

§ Action

Ready to put numbers on this?

Take the 21-point assessment. Score in two minutes. Walk away with a prioritised action plan ready to share with your board.

Run the checklist