
NIS2 Requirements: Article 21 Risk Management Measures

14 min read · Updated 2026-03-12

Governance: Article 20 Management Body Obligations

Article 20 of the NIS2 Directive introduces governance obligations that are unprecedented in EU cybersecurity law. Management bodies of both essential and important entities must approve the cybersecurity risk management measures adopted by their entity, oversee their implementation, and can be held personally liable for infringements.

This provision transforms cybersecurity from a purely technical concern into a board-level governance obligation. Management body members — which include the board of directors, executive management, and equivalent governing bodies depending on the entity's legal form — are required to undergo training to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices. They must also ensure that similar training is offered to employees on a regular basis.

The personal liability provision in Article 20(2) is particularly significant. Member states must ensure that management body members can be held liable for infringements of Article 21, in accordance with national law. This means that a board member who fails to approve adequate cybersecurity measures, or who does not exercise adequate oversight, can face personal consequences — not just corporate penalties. The exact scope of personal liability varies by member state transposition, but the Directive sets a clear floor: management body engagement is mandatory, not optional.

In practice, this requires entities to establish documented governance processes: board-approved cybersecurity policies, regular reporting on cybersecurity posture to the management body, evidence of management training completion, and clear accountability structures mapping cybersecurity responsibilities to named individuals.

Art. 20(1)
Art. 20(2)
Warning

Management body members can be held personally liable for NIS2 infringements under Art. 20(2). This is not delegable — board members must personally approve cybersecurity measures, undergo training, and oversee implementation. Ensure governance processes create a documented audit trail of engagement.

Article 21: The Ten Cybersecurity Risk Management Measures

Article 21(1) requires essential and important entities to take appropriate and proportionate technical, operational, and organisational measures to manage the risks posed to the security of network and information systems used for their operations or services. These measures must be based on an all-hazards approach that aims to protect network and information systems and their physical environment from incidents.

Article 21(2) specifies ten minimum measures that entities must implement. These are not optional — all ten must be addressed, though the depth and sophistication of implementation should be proportionate to the entity's risk exposure, size, and the likelihood and severity of incidents. The measures represent a comprehensive cybersecurity programme spanning governance, technical controls, operational procedures, and human factors.

The following subsections detail each of the ten measures individually, providing implementation guidance and mapping to corresponding ISO 27001 Annex A controls.

Art. 21(1)
Art. 21(2)

(a) Risk Analysis and Information System Security Policies

The first measure requires entities to establish policies on risk analysis and information system security. This is the foundational requirement upon which all other measures build — without a systematic understanding of risks, the remaining measures cannot be effectively prioritised or implemented.

In practice, this requires: a documented information security policy approved by the management body, a risk assessment methodology appropriate to the entity's context, regular risk assessments covering threats, vulnerabilities, and impacts to network and information systems, a risk treatment plan with clear ownership and timelines, and periodic review and update of both policy and risk assessments.

The risk assessment must be genuinely contextual — it should reflect the entity's specific sector, operational technology environment, supply chain dependencies, and threat landscape. A formulaic checkbox exercise will not satisfy the requirement.

Art. 21(2)(a)
ISO 27001 A.5.1 (Policies for Information Security)

ISO 27001 requires a set of policies for information security, approved by management, published and communicated. Directly supports the policy component of Art. 21(2)(a).

ISO 27001 Clause 6.1.2 (Information Security Risk Assessment)

ISO 27001's risk assessment process — establishing criteria, identifying, analysing, and evaluating risks — provides a comprehensive framework for the risk analysis component.

(b) Incident Handling

Entities must establish procedures and capabilities for incident handling, covering the full lifecycle from detection through response to recovery. This measure complements the external reporting obligations in Article 23 — while Art. 23 addresses what must be reported externally to CSIRTs, Art. 21(2)(b) addresses the internal capability to detect, analyse, contain, and recover from incidents.

Effective incident handling requires: defined incident classification criteria aligned with Art. 23(3) significant incident thresholds, incident response procedures with clear roles and escalation paths, technical capabilities for incident detection and forensic analysis, communication plans for internal stakeholders and external parties (CSIRTs, affected entities, law enforcement), post-incident review processes to identify lessons learned and improve defences, and regular testing of incident response plans through tabletop exercises or simulations.

Art. 21(2)(b)
ISO 27001 A.5.24-5.28 (Incident Management)

ISO 27001 Annex A controls 5.24 through 5.28 cover incident management planning, assessment, response, learning from incidents, and evidence collection.

(c) Business Continuity and Crisis Management

This measure requires business continuity management including backup management, disaster recovery, and crisis management. It recognises that cybersecurity incidents can cause operational disruptions that require pre-planned recovery capabilities.

Implementation should include: business impact analysis identifying critical business processes and their dependencies on network and information systems, business continuity plans covering scenarios from ransomware to infrastructure failure, backup strategies following the 3-2-1 principle (three copies, two media types, one off-site) with regular testing of restoration procedures, disaster recovery plans with defined recovery time objectives (RTOs) and recovery point objectives (RPOs), crisis management procedures for escalated incidents requiring executive decision-making, and regular testing through drills and exercises.

The inclusion of crisis management alongside business continuity is notable — it acknowledges that severe cyber incidents require not just technical recovery but coordinated organisational response involving communications, legal, regulatory affairs, and executive leadership.

Art. 21(2)(c)
ISO 27001 A.5.29-5.30 (ICT Readiness for BC)

ISO 27001 covers ICT readiness for business continuity including planning and verification. NIS2 additionally requires crisis management procedures.

DORA Art. 11 (Business Continuity Policy)

DORA requires financial entities to have a comprehensive ICT business continuity policy. For entities subject to both, DORA provides more granular requirements as lex specialis.

(d) Supply Chain Security

Supply chain security measures must address the security-related aspects between the entity and its direct suppliers or service providers. This is one of the most operationally demanding NIS2 requirements because it extends security obligations beyond the entity's own perimeter.

Article 21(3) further specifies that when assessing which measures are appropriate, entities must take into account the vulnerabilities specific to each direct supplier and service provider, the overall quality of products and cybersecurity practices of suppliers including their secure development procedures, and the results of coordinated security risk assessments of critical supply chains carried out by the Cooperation Group.

Practical implementation requires: a supplier risk assessment process that evaluates cybersecurity posture as part of vendor due diligence, contractual clauses requiring suppliers to implement appropriate cybersecurity measures and report incidents, continuous monitoring of supplier risk posture including tracking known vulnerabilities in supplied products, processes for responding to supply chain compromise scenarios (e.g., the SolarWinds pattern), and participation in or consideration of coordinated supply chain risk assessments at EU level.

For managed service providers (MSPs) and managed security service providers (MSSPs) — which are themselves in scope of NIS2 — supply chain requirements create a cascading effect: these providers must both comply with NIS2 as in-scope entities and demonstrate sufficient security to satisfy the supply chain requirements of their clients.

Art. 21(2)(d)
Art. 21(3)
ISO 27001 A.5.19-5.22 (Supplier Relationships)

ISO 27001 covers information security in supplier relationships, addressing and monitoring requirements. NIS2 goes further by requiring assessment of specific supplier vulnerabilities and attention to coordinated EU-level supply chain assessments.

DORA Chapter V (ICT Third-Party Risk)

DORA's ICT third-party risk management provides more prescriptive requirements for financial entities, including contractual provisions, concentration risk, and the oversight framework for critical ICT third-party service providers.

(e) Network and Information Systems Acquisition, Development, and Maintenance Security

This measure covers security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure. It addresses the full lifecycle from procurement of systems through development to ongoing maintenance.

Implementation requires: secure procurement processes that include security requirements in specifications and evaluate supplier security posture, secure development practices for internally developed systems (secure coding standards, code review, static and dynamic analysis), vulnerability management processes including regular scanning, prioritised remediation, and tracking, patch management with defined timelines based on severity — critical vulnerabilities should be addressed with urgency, participation in or establishment of coordinated vulnerability disclosure procedures, and asset management to maintain visibility of all network and information systems requiring maintenance.

The explicit inclusion of vulnerability handling and disclosure reflects the EU's emphasis on coordinated vulnerability disclosure (CVD) as a key component of cyber resilience. Article 12 separately addresses coordinated vulnerability disclosure at member state level, establishing CSIRTs as coordinators.

Art. 21(2)(e)
Art. 12
ISO 27001 A.8.25-8.28 (Secure Development, Testing)

ISO 27001 covers secure development lifecycle, application security requirements, secure system architecture, and secure coding. Provides a comprehensive framework for the development component.

(f) Policies and Procedures for Assessing Effectiveness

Entities must have policies and procedures to assess the effectiveness of their cybersecurity risk management measures. This is a meta-requirement — it asks organisations to verify that the other nine measures are actually working, not just documented.

This requires: internal audit programmes covering cybersecurity controls, key performance indicators (KPIs) and key risk indicators (KRIs) for cybersecurity, vulnerability assessments and penetration testing at regular intervals, management review of cybersecurity posture with documented outcomes, and continuous improvement processes driven by assessment findings, incident lessons learned, and evolving threats.

The assessment must be genuine — pro-forma audits that always conclude with satisfactory findings will not withstand supervisory scrutiny. National competent authorities can request evidence of effectiveness assessments and will evaluate whether the methodology and conclusions are reasonable.

Art. 21(2)(f)
ISO 27001 Clause 9 (Performance Evaluation)

ISO 27001 Clause 9 covers monitoring, measurement, analysis and evaluation, internal audit, and management review — directly supporting Art. 21(2)(f) requirements.

(g) Basic Cyber Hygiene Practices and Cybersecurity Training

This measure requires the implementation of basic cyber hygiene practices and cybersecurity training programmes. It recognises that human factors remain a primary attack vector and that technical controls alone are insufficient.

Basic cyber hygiene practices should include: password management policies and enforcement, phishing awareness and social engineering resistance, secure use of removable media and mobile devices, clean desk and clean screen policies, secure remote working practices, and software update discipline.

Cybersecurity training must be role-appropriate: general awareness training for all employees, specialised training for IT and security teams, management body training as separately required by Article 20(2), and training for privileged access holders. Training should be regular (not one-time), tracked for completion, assessed for effectiveness, and updated to reflect current threats.

Recital 89 specifically notes that cyber hygiene practices include zero trust principles, software updates, device configuration, network segmentation, identity and access management, and user awareness — providing additional guidance on what the Directive considers baseline cyber hygiene.

Art. 21(2)(g)
Recital 89
ISO 27001 A.6.3 (Information Security Awareness, Education, Training)

ISO 27001 requires that all personnel receive appropriate awareness education and training. NIS2 additionally specifies management body training and basic cyber hygiene practices.

(h) Policies and Procedures Regarding Cryptography

Entities must have policies and procedures regarding the use of cryptography and, where appropriate, encryption. This measure addresses one of the fundamental technical controls for protecting data confidentiality and integrity.

Implementation should cover: a cryptography policy defining approved algorithms, key lengths, and protocols, encryption requirements for data at rest and in transit classified by sensitivity, key management procedures including generation, distribution, storage, rotation, and destruction, certificate management processes, and regular review of cryptographic standards against evolving threats (e.g., post-quantum readiness assessment).

The qualification 'where appropriate' does not mean encryption is optional — it means entities must make a documented, risk-based decision about where encryption is applied. For most organisations, encryption of data in transit (TLS) and sensitive data at rest will be baseline expectations.
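The policy items listed above (approved algorithms, minimum key lengths, protocol floors, key rotation) only become auditable when they are checked against what systems actually use. The following is an added example, not code from the page or from FortisEU: it validates a small, constructed inventory of systems against a constructed cryptography policy and returns one finding per violated rule. The policy thresholds (RSA 3072 bits, TLS 1.2 floor, 365-day key age) and the three sample systems are assumptions chosen for illustration, not values taken from NIS2 or ISO 27001.

```python
"""Validate a cryptographic inventory against an approved-algorithms policy.

Added example; the policy thresholds and the inventory below are constructed
for illustration and are not values from NIS2, ISO 27001 or any vendor.
"""
from dataclasses import dataclass


# Constructed policy: what a (hypothetical) cryptography policy approves.
POLICY = {
    "approved_ciphers": {"AES-256-GCM", "AES-128-GCM", "ChaCha20-Poly1305"},
    "min_key_bits": {"RSA": 3072, "ECDSA": 256, "Ed25519": 256},
    "approved_hashes": {"SHA-256", "SHA-384", "SHA-512"},
    "min_tls_version": (1, 2),
    "max_key_age_days": 365,
}


@dataclass(frozen=True)
class Finding:
    system: str
    control: str   # which policy rule failed
    detail: str


def parse_tls_version(label: str) -> tuple:
    """Turn 'TLSv1.2' into (1, 2) so versions compare as tuples."""
    major, minor = label.replace("TLSv", "").split(".")
    return int(major), int(minor)


def check_system(entry: dict, policy: dict = POLICY) -> list:
    """Return one Finding per policy rule the system's declared crypto violates."""
    name = entry["system"]
    findings = []

    if entry["cipher"] not in policy["approved_ciphers"]:
        findings.append(Finding(name, "symmetric-cipher",
                                f"{entry['cipher']} is not an approved cipher"))

    alg, bits = entry["key_alg"], entry["key_bits"]
    min_bits = policy["min_key_bits"].get(alg)
    if min_bits is None:
        findings.append(Finding(name, "key-algorithm", f"{alg} is not approved"))
    elif bits < min_bits:
        findings.append(Finding(name, "key-length",
                                f"{alg}-{bits} is below the policy minimum of {min_bits} bits"))

    if entry["hash"] not in policy["approved_hashes"]:
        findings.append(Finding(name, "hash", f"{entry['hash']} is not an approved hash"))

    floor = policy["min_tls_version"]
    if parse_tls_version(entry["tls_min"]) < floor:
        findings.append(Finding(name, "tls-version",
                                f"accepts {entry['tls_min']}, policy floor is TLSv{floor[0]}.{floor[1]}"))

    if entry["key_age_days"] > policy["max_key_age_days"]:
        findings.append(Finding(name, "key-rotation",
                                f"key is {entry['key_age_days']} days old, rotation overdue"))
    return findings


def audit(inventory: list, policy: dict = POLICY) -> dict:
    """Map each system name to its findings (an empty list means compliant)."""
    return {e["system"]: check_system(e, policy) for e in inventory}


# Constructed inventory, shaped like an asset-register or config export.
SAMPLE_INVENTORY = [
    {"system": "customer-portal", "cipher": "AES-256-GCM", "key_alg": "RSA",
     "key_bits": 2048, "hash": "SHA-256", "tls_min": "TLSv1.2", "key_age_days": 400},
    {"system": "internal-api", "cipher": "AES-128-CBC", "key_alg": "ECDSA",
     "key_bits": 256, "hash": "SHA-1", "tls_min": "TLSv1.0", "key_age_days": 90},
    {"system": "backup-vault", "cipher": "ChaCha20-Poly1305", "key_alg": "Ed25519",
     "key_bits": 256, "hash": "SHA-512", "tls_min": "TLSv1.3", "key_age_days": 30},
]

if __name__ == "__main__":
    for system, findings in audit(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{system}: {status}")
        for f in findings:
            print(f"  [{f.control}] {f.detail}")
```

Each finding names the policy control it maps to, so the output doubles as evidence for the effectiveness assessment under measure (f): a compliant system yields an empty list, and the inventory can be re-run whenever the policy's approved set changes (for example after a post-quantum readiness review).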

Art. 21(2)(h)
ISO 27001 A.8.24 (Use of Cryptography)

ISO 27001 requires rules on the effective use of cryptography including key management. Directly supports the NIS2 cryptography requirement.

(i) Human Resources Security and Access Control Policies

This measure covers human resources security, access control policies, and asset management. It addresses the intersection of people, permissions, and the assets they access.

Human resources security includes: pre-employment screening and background checks appropriate to the role, security awareness as part of onboarding, defined security responsibilities in employment terms and conditions, disciplinary processes for security policy violations, comprehensive offboarding procedures including immediate revocation of access, and ongoing management of personnel with privileged access.

Access control policies should implement the principle of least privilege: role-based access control (RBAC) or attribute-based access control (ABAC), regular access reviews and recertification, privileged access management with just-in-time provisioning where feasible, access logging and monitoring, and segregation of duties for critical functions.

Asset management provides the foundation for effective access control — you cannot control access to assets you do not know exist. This requires maintaining an inventory of network and information system assets including hardware, software, data, and service dependencies.
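The three strands above (offboarding revocation, least privilege via RBAC with access recertification, and segregation of duties) are typically verified together in a periodic access review that joins the HR feed, the role-permission matrix and the effective grants exported from each system. The following is an added example, not code from the page or from FortisEU: it runs that join over constructed data and classifies every problematic grant. The HR records, the role matrix, the segregation-of-duties rule and the grant export are all assumptions invented for illustration.

```python
"""Periodic access review: flag grants that violate offboarding, least privilege
or segregation of duties.

Added example; the HR records, role matrix and grants below are constructed
for illustration and do not come from NIS2, ISO 27001 or any real system.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    user: str
    permission: str
    category: str   # orphan-account | departed-user | excess-privilege | sod-conflict


# Constructed HR feed: the authoritative list of people and their current status.
HR_RECORDS = {
    "alice": {"status": "active", "role": "dba"},
    "bob":   {"status": "left",   "role": "developer"},
    "carol": {"status": "active", "role": "developer"},
    "dave":  {"status": "active", "role": "release-manager"},
}

# Constructed RBAC matrix: the permissions each role is entitled to (the least-privilege baseline).
ROLE_PERMISSIONS = {
    "dba":             {"db:read", "db:write", "db:admin"},
    "developer":       {"repo:read", "repo:write", "db:read"},
    "release-manager": {"repo:read", "deploy:prod"},
}

# Constructed segregation-of-duties rule: no single identity may hold both of these.
SOD_CONFLICTS = [frozenset({"repo:write", "deploy:prod"})]

# Constructed export of effective grants from the systems under review.
GRANTS = [
    ("alice", "db:admin"), ("alice", "db:write"),
    ("bob", "repo:write"),                             # bob has left but still holds access
    ("carol", "repo:write"), ("carol", "db:admin"),    # db:admin exceeds the developer role
    ("dave", "deploy:prod"), ("dave", "repo:write"),   # repo:write not in role, and an SoD conflict
    ("svc-legacy", "db:admin"),                        # no HR record at all
]


def review_access(hr, role_permissions, grants, sod_conflicts):
    """Return a Finding for every grant that the review cannot justify."""
    findings = []
    for user, perm in grants:
        record = hr.get(user)
        if record is None:
            # Identity with access but no owner in HR: typically a stale service or test account.
            findings.append(Finding(user, perm, "orphan-account"))
        elif record["status"] != "active":
            # Offboarding should have revoked this immediately.
            findings.append(Finding(user, perm, "departed-user"))
        elif perm not in role_permissions.get(record["role"], set()):
            # Grant exceeds what the person's role entitles them to.
            findings.append(Finding(user, perm, "excess-privilege"))

    # Segregation of duties is a property of the whole set of grants per user.
    held = {}
    for user, perm in grants:
        held.setdefault(user, set()).add(perm)
    for user, perms in held.items():
        for conflict in sod_conflicts:
            if conflict <= perms:
                findings.append(Finding(user, "+".join(sorted(conflict)), "sod-conflict"))
    return findings


def summarise(findings):
    """Count findings per category, the figure a management report would carry."""
    return Counter(f.category for f in findings)


if __name__ == "__main__":
    results = review_access(HR_RECORDS, ROLE_PERMISSIONS, GRANTS, SOD_CONFLICTS)
    for f in results:
        print(f"{f.category:17} {f.user:12} {f.permission}")
    print(dict(summarise(results)))
```

The orphan-account check is the part that depends on asset and identity inventory being complete: an identity that exists in a system but not in the HR feed can only be flagged if both sources are in scope of the review, which is why the text places asset management at the foundation of access control.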

Art. 21(2)(i)
ISO 27001 A.6.1-6.8 (People Controls)

ISO 27001 provides comprehensive people controls covering screening, terms, awareness, disciplinary, termination, confidentiality agreements, remote working, and event reporting.

ISO 27001 A.5.15-5.18 (Access Control)

ISO 27001 covers access control policy, identity management, authentication information, and access rights lifecycle.

(j) Multi-Factor Authentication, Continuous Authentication, and Secured Communications

The final measure requires the use of multi-factor authentication (MFA) or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate.

This is the most technically specific measure in Article 21 and reflects the critical role of strong authentication in preventing unauthorised access. Implementation should include: MFA for all remote access and privileged operations as a minimum, consideration of MFA for all user access to business-critical systems, evaluation of continuous authentication approaches (e.g., behavioural analytics, risk-based adaptive authentication) for high-risk environments, end-to-end encryption for sensitive communications, and secured emergency communication channels that remain operational during cyber incidents (out-of-band communications).

The requirement for secured emergency communications is particularly important — during a cyber incident, the entity's primary communication channels may be compromised. Having pre-established out-of-band communication capabilities (e.g., separate mobile devices, physical meeting protocols) is essential for effective incident response.

The 'where appropriate' qualification applies to the specific technologies, not to the general obligation. The entity must be able to justify any decision not to implement MFA for a given system or access type based on documented risk assessment.

Art. 21(2)(j)
ISO 27001 A.8.5 (Secure Authentication)

ISO 27001 requires secure authentication procedures including MFA where appropriate. NIS2 goes further by specifically mentioning continuous authentication and secured emergency communications.

The Proportionality Principle

Article 21(1) establishes that measures must be 'appropriate and proportionate' — this proportionality principle is crucial for practical implementation. The Directive does not impose a one-size-fits-all approach.

When determining what is proportionate, entities must consider: the degree of exposure to risks, the entity's size, the likelihood of occurrence of incidents and their severity (including societal and economic impact), the state of the art of relevant technology, and relevant European and international standards.

In practice, proportionality means that a large energy utility classified as essential will be expected to implement significantly more sophisticated and comprehensive measures than a medium-sized food manufacturer classified as important. Both must address all ten measures, but the depth, sophistication, and investment will reasonably differ.

The European Commission may adopt implementing acts to specify technical and methodological requirements for the measures in Article 21(2), providing more detailed guidance. Until such implementing acts are adopted, entities should use established standards such as ISO 27001, ENISA guidelines, and national standards as reference points for determining appropriate implementation levels.

Importantly, proportionality is not a justification for minimal compliance. It is a framework for calibrating effort — entities must still be able to demonstrate that their chosen level of implementation is adequate for their specific risk profile. National competent authorities will assess proportionality during supervision.

Art. 21(1)
Art. 21(5)

Frequently Asked Questions

What are the 10 NIS2 cybersecurity risk management measures?

Article 21(2) requires: (a) risk analysis and IS security policies, (b) incident handling, (c) business continuity and crisis management, (d) supply chain security, (e) acquisition/development/maintenance security including vulnerability handling, (f) effectiveness assessment, (g) cyber hygiene and training, (h) cryptography, (i) HR security and access control, (j) MFA and secured communications.

Can management body members be personally liable under NIS2?

Yes. Article 20(2) requires member states to ensure management body members can be held liable for infringements of Article 21. This includes failure to approve cybersecurity measures, failure to oversee implementation, and failure to undergo cybersecurity training. The exact scope depends on national transposition.

Is ISO 27001 certification sufficient for NIS2 compliance?

ISO 27001 provides a strong foundation and covers many NIS2 requirements, particularly risk assessment, access control, incident management, and business continuity. However, NIS2 has additional requirements beyond ISO 27001: mandatory external incident reporting to CSIRTs, specific supply chain security obligations, management body personal liability, and the specific 24h/72h reporting timeline. A gap analysis mapping ISO 27001 controls to NIS2 measures is recommended.

How do I determine what is 'proportionate' for my organisation?

Consider your risk exposure (sector, threat landscape, interconnections), entity size and resources, likelihood and potential severity of incidents (including societal/economic impact), and the state of the art. Use established frameworks like ISO 27001 as a baseline. Document your proportionality assessment and be prepared to justify your decisions to national competent authorities during supervision.

Do the ten measures apply equally to essential and important entities?

All ten measures apply to both essential and important entities. The difference lies in the expected level of implementation (proportionality), the supervisory regime (ex-ante for essential, ex-post for important), and the penalty ceilings (EUR 10M/2% for essential, EUR 7M/1.4% for important). Essential entities should expect more rigorous compliance expectations.

This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for compliance decisions.
