Worked examples, not templates
Each example below describes a fictional organisation, its risk landscape, and how it would approach a NIS2-aligned NIST SP 800-30 risk assessment. The threat sources, threat events, likelihood scores, and impact areas are illustrative — your organisation’s situation will differ.
Use these examples to understand the scope and structure of an assessment before starting your own. They answer the most common question practitioners ask: “What should I actually put in each step?”
Small healthcare provider
A private medical clinic with 65 employees in the Netherlands. As a health sector entity with more than 50 employees, it qualifies as an important entity under NIS2. The clinic runs an electronic patient record (EPR) system, a scheduling platform, and a laboratory information system (LIS) connected to an external laboratory.
Key risk areas
Patient data confidentiality is the primary concern. Ransomware targeting healthcare is a well-documented threat. The EPR is internet-accessible for remote consultations. The external lab connection is a third-party dependency with limited contractual security requirements.
What to assess first
Start with the EPR as the highest-criticality asset. Scope the assessment to: the EPR and its hosting environment, the scheduling portal, and the LIS-to-lab integration. Document that physical building systems are out of scope for this assessment.
How to structure the assessment
Use system-level tier (Tier 3). Prioritise adversarial threat sources (cyber criminals, ransomware operators). Key threat events: credential theft via phishing, ransomware on the EPR, and supply chain compromise via the lab integration.
Threat sources to include
Cyber criminals (ransomware operators), opportunistic attackers exploiting unpatched software, and the third-party laboratory as an inadvertent supply chain risk source.
Representative threat events
Phishing leading to credential theft; ransomware encrypting the EPR; unauthorised access to patient records via weak portal authentication; data leakage through the lab API.
Key vulnerabilities
No MFA on EPR remote access; backup recovery not tested in 12 months; no security requirements in the laboratory service contract; no staff phishing simulation conducted.
Expected high-risk findings
Ransomware on EPR (Very High impact: patient care disruption, GDPR notification, NIS2 incident reporting). Credential theft on portal (High likelihood given no MFA; High impact on patient data).
NIS2 Article 21 gaps likely identified
Art. 21(2)(j): No MFA on remote access. Art. 21(2)(d): No contractual security requirements with laboratory. Art. 21(2)(c): Untested recovery procedures. Art. 21(2)(g): No recent staff security training.
Recommended next steps
Implement MFA on EPR remote access (quick win). Test backup recovery. Add security obligations to laboratory contract at next renewal. Schedule a staff phishing simulation.
Mid-size logistics company
A road freight and last-mile delivery company with 280 employees operating across Belgium and Germany. With more than 250 employees in transport, it qualifies as an essential entity under NIS2. It operates a fleet management system, a warehouse management system (WMS), a customer portal, and relies on GPS tracking and route optimisation software from a US-based SaaS provider.
Key risk areas
Operational continuity is critical — downtime translates to missed deliveries and contractual penalties. The company handles time-sensitive pharmaceutical and food shipments. The GPS/routing SaaS has servers outside the EU.
What to assess first
Prioritise the WMS and fleet management system as the most operationally critical assets. Conduct a dedicated supply chain assessment for the GPS/routing SaaS. The customer portal is a separate, lower-priority assessment.
How to structure the assessment
Use system-level tier for WMS and fleet management. Include structural and environmental threat sources. Score cascading impact: a WMS outage affects warehouse operations, dispatch, and invoicing simultaneously.
Threat sources to include
Cyber criminals targeting logistics for extortion, nation-state actors (transport is a NIS2 critical sector), structural hardware failures, and the US-based SaaS vendor as a supply chain risk source.
Representative threat events
Ransomware encrypting the WMS; GPS system unavailability due to vendor outage; supply chain compromise via SaaS provider update mechanism; insider misuse of fleet tracking data.
Key vulnerabilities
Single SaaS dependency with no contractual uptime guarantees; WMS backup on same network segment as primary; no multi-site incident response plan tested; driver mobile devices not enrolled in MDM.
Expected high-risk findings
Ransomware on WMS (Very High: multi-site shutdown, NIS2 incident reporting as essential entity, contractual penalties). SaaS GPS outage (High: no manual fallback procedure documented).
NIS2 Article 21 gaps likely identified
Art. 21(2)(c): No tested multi-site business continuity plan. Art. 21(2)(d): SaaS vendor not assessed; EU data residency not contractually addressed. Art. 21(2)(b): No WMS incident response playbook.
Recommended next steps
Negotiate SaaS contract to include uptime SLA, security obligations, and EU data residency. Develop and test WMS incident response playbook. Move WMS backups to an isolated network segment. Enrol driver devices in MDM.
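The clinic and logistics examples above both end in the same two artefacts: a prioritised list of threat events scored by likelihood and impact, and a mapping from those findings to NIS2 Article 21(2) gaps. The script below is an added illustration of how those artefacts are derived; it is not Open Risk Register's code and not part of the original page. It uses the qualitative likelihood-by-impact risk table from NIST SP 800-30 Rev. 1, Appendix I (Table I-2). The likelihood values, the per-function impact values and the "cascading impact" convention (take the worst affected business function, step up one level when two or more functions are hit at that level) are assumptions made for the example, as are the event-to-article mappings beyond those the page states.

```python
"""Added example: a minimal NIST SP 800-30 style risk register for the
clinic and logistics scenarios above. Scores are illustrative assumptions."""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Qualitative risk table, SP 800-30 Rev. 1 Appendix I (Table I-2):
# row = likelihood the event occurs and results in adverse impact,
# column (in LEVELS order) = level of impact, cell = level of risk.
RISK_TABLE = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """Combine a likelihood level and an impact level into a risk level."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r} / {impact!r}")
    return RISK_TABLE[likelihood][LEVELS.index(impact)]


def cascaded_impact(impacts) -> str:
    """Overall impact of an event that hits several business functions at once.
    Convention chosen for this example (an assumption, not from the page):
    the worst affected function sets the level, raised one step when two or
    more functions are already at that level, capped at Very High."""
    ranks = sorted((LEVELS.index(i) for i in impacts), reverse=True)
    if not ranks:
        raise ValueError("an event must affect at least one business function")
    worst = ranks[0]
    if len(ranks) > 1 and ranks[1] == worst:
        worst = min(worst + 1, len(LEVELS) - 1)
    return LEVELS[worst]


@dataclass
class ThreatEvent:
    name: str
    source: str            # threat source (SP 800-30 Appendix D)
    asset: str             # in-scope asset the event acts on
    likelihood: str        # assumed likelihood level
    impacts: dict          # business function -> impact level
    vulnerabilities: list  # conditions that make the event plausible
    article21_gaps: list   # NIS2 Art. 21(2) points the vulnerabilities map to

    @property
    def impact(self) -> str:
        return cascaded_impact(self.impacts.values())

    @property
    def risk(self) -> str:
        return risk_level(self.likelihood, self.impact)


def prioritised_register(events):
    """Worst risk first; ties broken by impact, then likelihood."""
    return sorted(events, reverse=True, key=lambda e: (
        LEVELS.index(e.risk), LEVELS.index(e.impact), LEVELS.index(e.likelihood)))


def article21_gap_summary(events):
    """Map each Art. 21(2) point to the (event, risk) pairs that depend on
    closing it, worst risk first, so remediation follows the register."""
    summary = {}
    for e in events:
        for gap in e.article21_gaps:
            summary.setdefault(gap, []).append((e.name, e.risk))
    for gap in summary:
        summary[gap].sort(key=lambda t: LEVELS.index(t[1]), reverse=True)
    return dict(sorted(summary.items(), reverse=True,
                       key=lambda kv: LEVELS.index(kv[1][0][1])))


# Constructed sample register: threat events from the two scenarios, with
# likelihood and per-function impact levels assumed for illustration.
CLINIC = [
    ThreatEvent("Ransomware encrypting the EPR", "Ransomware operators", "EPR",
                "High", {"Patient care": "Very High", "Regulatory reporting": "High"},
                ["Backup recovery not tested in 12 months"], ["Art. 21(2)(c)"]),
    ThreatEvent("Phishing leading to credential theft", "Cyber criminals", "EPR remote portal",
                "High", {"Patient data confidentiality": "High"},
                ["No MFA on EPR remote access", "No staff phishing simulation"],
                ["Art. 21(2)(j)", "Art. 21(2)(g)"]),
    ThreatEvent("Data leakage through the lab API", "Third-party laboratory", "LIS integration",
                "Moderate", {"Patient data confidentiality": "Moderate"},
                ["No security requirements in laboratory contract"], ["Art. 21(2)(d)"]),
]
LOGISTICS = [
    ThreatEvent("Ransomware encrypting the WMS", "Cyber criminals", "WMS",
                "High", {"Warehouse operations": "High", "Dispatch": "High", "Invoicing": "Moderate"},
                ["WMS backup on same network segment as primary"], ["Art. 21(2)(c)", "Art. 21(2)(b)"]),
    ThreatEvent("GPS system unavailability due to vendor outage", "US-based SaaS vendor", "GPS/routing SaaS",
                "High", {"Dispatch": "High"},
                ["No contractual uptime guarantees", "No manual fallback procedure"], ["Art. 21(2)(d)"]),
    ThreatEvent("Insider misuse of fleet tracking data", "Malicious insider", "Fleet management system",
                "Low", {"Driver privacy": "Moderate"},
                ["Driver mobile devices not enrolled in MDM"], ["Art. 21(2)(i)"]),
]

if __name__ == "__main__":
    for e in prioritised_register(CLINIC + LOGISTICS):
        print(f"{e.risk:9} | {e.name} (L={e.likelihood}, I={e.impact})")
    for gap, hits in article21_gap_summary(CLINIC + LOGISTICS).items():
        print(gap, "->", ", ".join(f"{n} [{r}]" for n, r in hits))
```

Run as-is the script lists both organisations' events worst first, which reproduces the page's headline findings (Very High for both ransomware events, High for the portal credential theft and the GPS outage) and then groups the Article 21(2) points by the worst risk that depends on them. Swapping in your own events, likelihoods and impact levels is the whole exercise; the table and the cascade rule are the only fixed parts.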
IT service provider (MSP)
A managed IT service provider with 90 employees headquartered in Denmark, providing infrastructure management, helpdesk, and cloud migration services to 45 client organisations. As an ICT service management provider with more than 50 employees, it is an important entity under NIS2. It holds privileged access to the network infrastructure of all 45 clients.
Key risk areas
MSPs are high-value targets because a single compromise gives access to all client environments. The MSP’s own security posture is a supply chain risk for each of its 45 clients, creating NIS2 obligations and significant reputational liability.
What to assess first
Prioritise the privileged access management (PAM) infrastructure and remote monitoring and management (RMM) platform. Compromise of either provides immediate lateral movement to all clients. Assess them as separate system-level assessments.
How to structure the assessment
Use system-level tier for PAM and RMM separately. Frame impact in terms of client harm, not only internal harm. Address the MSP’s dual role as a NIS2-subject entity and as a supply chain risk source for its clients.
Threat sources to include
Nation-state actors (MSPs are explicitly targeted in threat intelligence), organised crime groups, malicious insiders with client access, and the RMM software vendor as a supply chain risk source.
Representative threat events
Adversary compromise of RMM to push malicious scripts to all 45 clients; credential theft from PAM; insider exfiltration of client data; supply chain attack via RMM vendor update mechanism.
Key vulnerabilities
RMM access uses shared credentials across the technician team (no individual accountability); no client access segmentation in PAM; no anomaly detection on RMM usage; no vetting process for new staff before granting client access.
Expected high-risk findings
RMM platform compromise (Very High: simultaneous exposure of all 45 clients; NIS2 incident notification obligations; severe reputational damage). Insider credential misuse (High: limited detection; broad client access scope).
NIS2 Article 21 gaps likely identified
Art. 21(2)(i): Shared credentials; no individual accountability for privileged actions. Art. 21(2)(f): No anomaly detection or audit logging on RMM. Art. 21(2)(d): No security requirements in client contracts covering the MSP’s own security posture.
Recommended next steps
Migrate RMM to individual named accounts with MFA immediately. Implement client access segmentation in PAM. Enable RMM audit logging and alerting for unusual access patterns. Add MSP security obligations to client contracts.
Ready to run your own assessment?
Open Risk Register walks you through the same structured NIST SP 800-30 process used in the examples above. Each step builds on the last — from defining your scope to a prioritised risk register you can present to management and regulators. Entirely browser-based, no sign-up required.