What is a NIS2 self-assessment?
A NIS2 self-assessment is an internal evaluation of your organisation's cybersecurity posture against the requirements of the NIS2 Directive. Unlike a third-party audit, a self-assessment is conducted by your own team — or by an external consultant working on your behalf.
NIS2 Article 21(1) requires entities to take appropriate and proportionate technical, operational, and organisational measures to manage risks. A self-assessment is typically the first step: it establishes your current baseline and identifies where investment or improvement is needed.
Self-assessments are also used to prepare for external audits or supervisory reviews, to report to management and the board, and to demonstrate due diligence to regulators.
What does Open Risk Register cover?
The tool guides you through all 10 NIS2 Article 21(2) security measures, structured using the NIST SP 800-30 risk assessment methodology.
| NIS2 Article 21(2) Measure | Covered in assessment |
|---|---|
| (a) Risk analysis and information system security policies | Yes — core of the workflow |
| (b) Incident handling | Yes — threat event catalogue |
| (c) Business continuity and crisis management | Yes — impact assessment |
| (d) Supply chain security | Yes — threat source identification |
| (e) Security in network and information systems acquisition | Yes — vulnerability assessment |
| (f) Policies and procedures for assessing effectiveness | Yes — risk determination and treatment |
| (g) Basic cyber hygiene and cybersecurity training | Yes — human threat sources |
| (h) Cryptography and encryption | Yes — technical controls assessment |
| (i) Human resources security, access control, asset management | Yes — threat source and vulnerability steps |
| (j) Multi-factor authentication | Yes — access control vulnerability catalogue |
How to run a NIS2 self-assessment
Define scope
Identify the network and information system(s) in scope. This might be a specific service, process, or your entire IT environment.
Identify threat sources
List the types of actors who might threaten your systems: external attackers, insiders, third-party suppliers, natural events.
Identify threat events
For each threat source, identify specific events that could materialise: ransomware, data theft, service disruption, supply chain compromise.
Assess vulnerabilities
Identify weaknesses in your systems, processes, and people that could be exploited by each threat event.
Score likelihood and impact
Use a consistent 5-point scale for likelihood (given existing controls) and impact (on confidentiality, integrity, availability, and operations).
Document and report
Export your risk register and present it to management. The report demonstrates your Article 21 compliance effort to auditors and regulators.
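The six steps above, carried through in code as an added example (this is not Open Risk Register's own code, and its scoring bands, sample scope, threat sources, events and vulnerabilities are all constructed assumptions): a small register builder that validates the 5-point scores, derives a likelihood times impact score, prioritises the risks, exports report rows, and saves and reloads the register through a localStorage-compatible interface. JavaScript is used because the tool itself runs in the browser.

```javascript
// Added example (not Open Risk Register's own code): a minimal risk register that
// walks the six steps above. The scope, threat sources, events, vulnerabilities
// and scores are constructed sample data, and the scoring bands are an assumption.

// Step 5: scores are integers on a 5-point scale.
function validateScore(name, value) {
  if (!Number.isInteger(value) || value < 1 || value > 5) {
    throw new RangeError(`${name} must be an integer from 1 to 5, got ${value}`);
  }
  return value;
}

// Assumed banding of the 5x5 likelihood x impact product; adjust to your own policy.
function riskLevel(score) {
  if (score >= 15) return "critical";
  if (score >= 10) return "high";
  if (score >= 5) return "medium";
  return "low";
}

// Step 1: define scope.
function createRegister(scope) {
  return { scope, threatSources: [], risks: [] };
}

// Step 2: identify threat sources.
function addThreatSource(register, id, description) {
  if (register.threatSources.some((s) => s.id === id)) {
    throw new Error(`duplicate threat source ${id}`);
  }
  register.threatSources.push({ id, description });
}

// Steps 3-5: a risk ties a threat event and an exploitable vulnerability to a
// known threat source, then records likelihood (given existing controls) and impact.
function addRisk(register, { sourceId, event, vulnerability, likelihood, impact, controls = [] }) {
  if (!register.threatSources.some((s) => s.id === sourceId)) {
    throw new Error(`unknown threat source ${sourceId}`);
  }
  const l = validateScore("likelihood", likelihood);
  const i = validateScore("impact", impact);
  const score = l * i;
  const risk = {
    id: `R-${register.risks.length + 1}`,
    sourceId, event, vulnerability, controls,
    likelihood: l, impact: i, score, level: riskLevel(score),
  };
  register.risks.push(risk);
  return risk;
}

// Highest score first; ties keep register order so the output is stable.
function prioritise(register) {
  return [...register.risks].sort((a, b) => b.score - a.score || a.id.localeCompare(b.id));
}

// Step 6: report rows for management (CSV-style, no external library).
function exportReport(register) {
  const header = "id,threat source,event,vulnerability,likelihood,impact,score,level";
  const rows = prioritise(register).map((r) =>
    [r.id, r.sourceId, r.event, r.vulnerability, r.likelihood, r.impact, r.score, r.level]
      .map((v) => `"${String(v).replace(/"/g, '""')}"`)
      .join(","));
  return [header, ...rows];
}

// Persistence through a localStorage-compatible getItem/setItem interface. In the
// browser pass window.localStorage; memoryStorage() is a stand-in so the example
// also runs under Node.
function saveRegister(register, storage, key = "risk-register") {
  storage.setItem(key, JSON.stringify(register));
}
function loadRegister(storage, key = "risk-register") {
  const raw = storage.getItem(key);
  return raw === null ? null : JSON.parse(raw);
}
function memoryStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
  };
}

// Constructed sample data for one scoped system.
function buildSampleRegister() {
  const reg = createRegister("Customer billing platform (constructed example)");
  addThreatSource(reg, "TS-1", "External attacker");
  addThreatSource(reg, "TS-2", "Third-party supplier");
  addThreatSource(reg, "TS-3", "Insider");
  addRisk(reg, { sourceId: "TS-1", event: "Ransomware", vulnerability: "Unpatched VPN appliance",
                 likelihood: 4, impact: 5, controls: ["Offline backups"] });
  addRisk(reg, { sourceId: "TS-2", event: "Supply chain compromise",
                 vulnerability: "No security review of vendor updates", likelihood: 3, impact: 4 });
  addRisk(reg, { sourceId: "TS-3", event: "Data theft",
                 vulnerability: "Shared admin accounts without MFA", likelihood: 2, impact: 4 });
  addRisk(reg, { sourceId: "TS-1", event: "Service disruption",
                 vulnerability: "No upstream rate limiting", likelihood: 2, impact: 2 });
  return reg;
}

// Usage: build, store locally, reload and print the prioritised report.
const store = memoryStorage();
saveRegister(buildSampleRegister(), store);
console.log(exportReport(loadRegister(store)).join("\n"));
```

The sample data lands one risk in each band (20 critical, 12 high, 8 medium, 4 low) so the report is easy to read. One point worth keeping in mind with the local-only model: browser localStorage is scoped per origin but is written to disk unencrypted, so the saved register and any export you download still need to be handled as the sensitive document the page describes.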
Why a browser-based self-assessment tool is safer
Your risk register is one of the most sensitive documents your organisation produces. It lists your vulnerabilities, your weakest controls, and your highest-impact threats. Uploading this to a cloud-based SaaS tool creates new risks:
Data breach risk: If the vendor suffers a breach, your vulnerability data could be exposed to attackers.
Subpoena and legal discovery: Data held by a third party may be subject to legal orders in jurisdictions outside your control.
Vendor lock-in: Proprietary formats and access controls may prevent you from migrating your data later.
Contractual issues: Sharing sensitive risk data with a vendor may conflict with your own data governance policies or client contracts.
Open Risk Register solves all of these issues by keeping data exclusively in your browser's localStorage. Nothing is transmitted to any server. Read more about local-first security.
Start your NIS2 self-assessment now
Free, open source, and entirely in your browser. No account. No data upload. No cost.