NIS2 Risk Assessment Tool

Free, browser-based NIS2 risk assessment based on NIST SP 800-30. No account. No server. Covers all NIS2 Article 21 security measures.


What NIS2 requires for risk assessment

NIS2 Directive Article 21 mandates that essential and important entities implement “appropriate and proportionate technical, operational and organisational measures” to manage cybersecurity risks. Article 21(2)(a) specifically requires risk analysis and information system security policies as the foundational measure.

The assessment must consider the state of the art, applicable standards, implementation costs, and the probability and severity of incidents. Measures must be proportionate — and proportionality can only be demonstrated through a documented risk analysis.

Designed for NIS2 compliance documentation

Open Risk Register implements the NIST SP 800-30 Revision 1 risk assessment framework — a globally recognised methodology that maps directly onto NIS2 Article 21 requirements.

Structured NIST workflow

The nine-step NIST SP 800-30 process guides you from scope definition through threat identification, vulnerability assessment, and risk determination — producing a fully documented register.

Article 21 aligned

Each assessment step maps to NIS2 Article 21 security measures. The output demonstrates proportionate risk management across all 10 mandatory measures.

Private by design

Your risk data stays in your browser's localStorage. No account, no server transmission, no vendor lock-in. Risk data is sensitive — it should never leave your control.

Nine steps from scope to risk register

Open Risk Register follows the NIST SP 800-30 R1 process. Each step builds on the previous one, ensuring completeness and auditability.

Dashboard

Create and manage multiple assessments. Each covers one system, stored independently in your browser.

Assessment Setup

Define the system under review: name, description, scope boundaries, and organisational context.

Risk Model

Select the assessment tier (system or organisation level), the risk scale, and an assessment approach suited to your organisation's maturity.

Threat Sources

Choose from the NIST Appendix D catalogue — adversarial, accidental, structural, and environmental sources.

Threat Events

Map specific attack scenarios to each threat source from the full NIST SP 800-30 Appendix E catalogue.

Vulnerabilities

Document predisposing conditions and control weaknesses that increase the probability of a threat event succeeding.

Likelihood

Score overall likelihood of each threat event, combining source characteristics with your vulnerability profile.

Impact

Assess the potential harm across operational, financial, and reputational dimensions if each threat event occurs.

Results

Review your prioritised risk register. Export as JSON or print a PDF report for governance documentation.
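The Likelihood, Impact and Results steps above come down to one combination rule. As an added example (not the Open Risk Register source), the following shows that risk-determination step as a tiny register: it assumes the five-level qualitative scale and the likelihood-by-impact matrix are transcribed from NIST SP 800-30 Rev. 1, Appendix I, Table I-2, and the threat events are constructed sample data.

```javascript
// Added example, not code from Open Risk Register. Assumption: LEVELS and
// RISK_MATRIX are transcribed from NIST SP 800-30 Rev. 1, Appendix I, Table I-2;
// verify them against your copy of the standard before relying on them.
const LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"];

// Rows: likelihood (Very Low .. Very High). Columns: impact (Very Low .. Very High).
const RISK_MATRIX = [
  ["Very Low", "Very Low", "Very Low", "Low",      "Low"],       // likelihood Very Low
  ["Very Low", "Low",      "Low",      "Low",      "Moderate"],  // likelihood Low
  ["Very Low", "Low",      "Moderate", "Moderate", "High"],      // likelihood Moderate
  ["Very Low", "Low",      "Moderate", "High",     "Very High"], // likelihood High
  ["Very Low", "Low",      "Moderate", "High",     "Very High"], // likelihood Very High
];

// Map a scale label to its index; reject anything outside the qualitative scale.
function levelIndex(level) {
  const i = LEVELS.indexOf(level);
  if (i < 0) throw new Error(`unknown level: ${level}`);
  return i;
}

// Combine a threat event's overall likelihood and impact into a risk level.
function riskLevel(likelihood, impact) {
  return RISK_MATRIX[levelIndex(likelihood)][levelIndex(impact)];
}

// Prioritised register: highest risk first, ties broken by impact.
function buildRegister(threatEvents) {
  return threatEvents
    .map((e) => ({ ...e, risk: riskLevel(e.likelihood, e.impact) }))
    .sort((a, b) =>
      levelIndex(b.risk) - levelIndex(a.risk) ||
      levelIndex(b.impact) - levelIndex(a.impact));
}

// Serialise the register for a JSON backup or a localStorage entry.
function exportRegister(register) {
  return JSON.stringify({ framework: "NIST SP 800-30 Rev. 1", register }, null, 2);
}

// Constructed sample input: three threat events from a single-system assessment.
const SAMPLE_EVENTS = [
  { id: "TE-1", event: "Credential theft via phishing", likelihood: "High", impact: "Moderate" },
  { id: "TE-2", event: "Power outage halts processing", likelihood: "Low", impact: "High" },
  { id: "TE-3", event: "Ransomware encrypts file server", likelihood: "Moderate", impact: "Very High" },
];

// In the browser the export could be kept with localStorage.setItem("register", ...).
const SAMPLE_REGISTER = buildRegister(SAMPLE_EVENTS);
```

The sorted register puts TE-3 (High) ahead of TE-1 (Moderate) and TE-2 (Low), which is the ordering the Results step presents for review.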

Open Risk Register vs spreadsheet approach

Many organisations attempt NIS2 risk assessment using a custom spreadsheet. Here is how the two approaches compare.

| Feature | Open Risk Register | Spreadsheet Template |
| --- | --- | --- |
| NIST SP 800-30 workflow | Built-in, guided step-by-step | Manual mapping required |
| Threat source catalogue | Pre-loaded from NIST Appendix D | Must be built from scratch |
| Threat event catalogue | Pre-loaded from NIST Appendix E | Must be built from scratch |
| Risk level calculation | Automatic from likelihood and impact | Manual formulas, error-prone |
| NIS2 Article 21 alignment | Each step mapped to Article 21 measures | No inherent alignment |
| Export options | JSON backup and PDF report | Spreadsheet file only |
| Data privacy | Browser-only, no server storage | Stored on local or shared drive |
| Cost | Free forever | Free to build, costly to maintain |

NIS2 risk assessment questions

What does a NIS2 risk assessment have to cover?

A NIS2-compliant risk assessment must identify the threats facing your systems, assess their likelihood and potential impact, document existing controls, and determine residual risk. The output should be a risk register that justifies the security measures you have implemented under Article 21(2).

Does using this tool make my organisation NIS2 compliant?

No tool alone makes you compliant. NIS2 compliance involves legal obligations, incident reporting to national competent authorities, and governance at board level. However, a documented risk assessment is a mandatory prerequisite under Article 21(2)(a), and this tool produces exactly that.

How long does an assessment take?

A focused risk assessment for a single system typically takes 2–4 hours. The guided workflow and pre-loaded NIST threat catalogues significantly reduce the time compared to starting from a blank spreadsheet.

Can I assess more than one system?

Yes. The dashboard supports multiple independent assessments stored in your browser. Each assessment is scoped to a specific system or process, and you can export each one individually.

Start your NIS2 risk assessment now

Free, private, and in your browser. No sign-up required.
