NIS2 Article 21 Security Measures Checklist

Interactive NIS2 Article 21 compliance checklist covering all 10 mandatory cybersecurity measures. Free, browser-based, and linked to a structured risk assessment.

What NIS2 Article 21 requires

NIS2 Directive Article 21 sets out the cybersecurity risk-management measures that essential and important entities must implement. Article 21(2) defines 10 mandatory categories of measures. They must be “appropriate and proportionate” — meaning the level of implementation must be justified by a documented risk assessment.

This checklist covers all 10 Article 21(2) measures. Use it to assess your current status, identify gaps, and prioritise your security improvement programme. A structured risk assessment provides the evidence that your controls are proportionate to the actual risks your organisation faces.

NIS2 Article 21(2) — all 10 security measures

Each measure is summarised below with an explanation of what it entails and how a structured risk assessment supports its implementation.

Risk analysis and security policies

Establish written cybersecurity policies and conduct a documented risk analysis. This is the foundation of all other measures and the primary output of Open Risk Register.

Incident handling

Define procedures for detecting, classifying, responding to, and recovering from security incidents, including the reporting timelines you owe to your national competent authority.

Business continuity and crisis management

Maintain backup management procedures, disaster recovery plans, and crisis management capabilities to ensure operational continuity after a significant incident.

Supply chain security

Assess and manage security risks arising from third-party dependencies and supply chain relationships. Document the security posture of critical suppliers and service providers.

Security in acquisition and development

Apply security requirements to the procurement, development, and maintenance of network and information systems, including vulnerability handling in acquired components.

Effectiveness assessment policies

Establish policies and procedures to assess the effectiveness of your cybersecurity risk-management measures, including regular reviews and testing.

Cyber hygiene and training

Implement basic cyber hygiene practices across the organisation and provide cybersecurity training and awareness programmes for staff at all levels.

Cryptography and encryption

Establish policies on the use of cryptography and, where appropriate, encryption for protecting data at rest and in transit. Policies must be proportionate to the risk.

Human resources security and access control

Implement human resources security measures, access control policies, and asset management for systems and data, including background checks where proportionate.

Multi-factor authentication and secure communications

Use multi-factor authentication or continuous authentication for access to critical systems. Implement secured voice, video, and text communications where appropriate.

How risk assessment supports every measure

Article 21 requires measures to be “appropriate and proportionate to the risks.” A documented risk assessment is not just one of the 10 measures — it is the evidence base that validates all the others.

Justifies your controls

Supervisory authorities can ask why you chose a specific control. A risk register showing threat, likelihood, and impact gives you an evidence-based answer for every security decision.

Prioritises your gaps

A risk assessment tells you which measures are most critical for your specific system. Not every measure needs the same depth of implementation — proportionality means focusing where risk is highest.

Enables ongoing compliance

NIS2 requires ongoing risk management, not a one-time exercise. A browser-based register you can update keeps your compliance documentation current without institutional overhead.

Five steps to using this checklist effectively

  1. Read through all 10 mandatory measures. For each one, build a shared understanding with your management team of what the measure requires in the context of your organisation and sector.
  2. For each measure, determine whether it is fully implemented, partially implemented, or not yet in place. Be honest and document your findings. This internal assessment is designed to identify what needs attention, not to look good.
  3. Document which measures require further investment or policy work. Feed these gaps into your risk assessment as predisposing conditions and vulnerabilities, and into your security improvement plan as prioritised actions.
  4. Use Open Risk Register to conduct a NIST SP 800-30 risk assessment for each in-scope system. The assessment produces a risk register showing which Article 21 measures are most critical given the threats your systems actually face.
  5. NIS2 requires ongoing risk management. Review your checklist status and risk register at least annually, and after any significant change to your systems, operations, or threat landscape. Export your risk register as JSON to maintain a historical record.

About NIS2 legal compliance

This checklist is a practical guide, not a legal compliance certificate.
  • Not legal advice. This page summarises NIS2 Article 21 measures for educational purposes. It does not constitute legal, regulatory, or professional security advice. Consult a qualified legal adviser for formal compliance guidance.
  • No certification. Completing this checklist does not certify NIS2 compliance. Compliance also involves registration with your national competent authority, incident reporting, and ongoing supervision.
  • Member state variation. NIS2 is an EU directive. Implementation details vary by member state. Your national transposition law may impose additional requirements.
  • Scope verification required. Whether your organisation is an essential or important entity depends on your sector, size, and national classification rules. Verify your scope with your national competent authority.
  • Proportionality is risk-based. The depth of implementation for each measure must be proportionate to your risk. A risk assessment provides the evidence for your proportionality decisions.

Turn your checklist gaps into a risk register

Conduct a structured NIST SP 800-30 risk assessment and document your Article 21 evidence.