nis2audit

The NIS2 security measures: Article 21 explained

Updated 2026-07-06 2 min read

At the heart of NIS2 is Article 21: a baseline of ten risk-management measures. They are principles, not a prescriptive checklist — but you must implement and evidence them.

A risk-based baseline

Article 21 requires appropriate and proportionate technical, operational and organisational measures to manage cybersecurity risks. What "appropriate" means scales with your size and risk — but all ten areas must be addressed.

The ten measures

  • Risk analysis & information security policies — a documented basis for your security decisions.
  • Incident handling — detect, respond to and recover from incidents.
  • Business continuity — backups, disaster recovery and crisis management.
  • Supply-chain security — manage the risks from suppliers and service providers.
  • Secure acquisition, development & maintenance — including vulnerability handling and disclosure.
  • Effectiveness testing — assess whether your measures actually work.
  • Cyber hygiene & training — basic practices and staff awareness.
  • Cryptography & encryption — policies and use of encryption.
  • Access control & asset management — human-resources security, least privilege and knowing your assets.
  • Multi-factor authentication & secure communications — MFA, and secured voice, video and text and emergency comms.

Where organisations struggle

  • Supply-chain security — hard to get visibility across many vendors.
  • Effectiveness testing — measures exist on paper but are never tested.
  • Documentation — controls are in place but not evidenced for an audit.

A gap assessment against these ten measures is the fastest way to see where you stand.

FAQ

Related questions

Are the NIS2 measures prescriptive?

No — they are risk-based principles. You must address all ten areas with measures appropriate and proportionate to your size and risk, and be able to show they are implemented and effective.

Does NIS2 require multi-factor authentication?

Yes. MFA and secured communications are explicitly named among the Article 21 measures, alongside access control and encryption.

How do we show our measures are effective?

Through testing and evidence — vulnerability assessments, penetration testing, exercises and documented reviews. "Testing the effectiveness of measures" is itself one of the ten requirements.