
NIS2 Risk Management and Security Requirements

NIS2 Article 21 requires 10 cybersecurity risk management measures. Breakdown of each requirement, board liability, and overlap with GDPR and ISO 27001.

The NIS2 Directive (Directive 2022/2555) makes cybersecurity risk management a legal obligation for an estimated 160,000 entities across the European Union. Article 21 specifies ten minimum security measures that essential and important entities must implement, while Article 20 places personal accountability on management bodies for approving and overseeing those measures. For organisations already operating under GDPR or ISO 27001, many of these requirements will look familiar – but NIS2 introduces sector-specific enforcement and board-level liability that go beyond existing frameworks.

This article explains each of the ten NIS2 risk management measures, the governance obligations that surround them, and how to map them against controls you may already have in place. Our NIS2 compliance guide covers the full scope of the directive.

What Does NIS2 Require for Risk Management?

Article 21 requires essential and important entities to take “appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems.” The directive mandates an all-hazards approach – organisations must address threats ranging from cyberattacks and system failures to physical disruptions and supply chain compromises.

ENISA’s implementation guidance clarifies that measures must account for the entity’s size, the likelihood and severity of incidents, the state of the art in cybersecurity technology, and the cost of implementation relative to the risks. A cloud infrastructure provider faces different expectations than a mid-sized food manufacturer – but both must demonstrate a systematic approach to NIS2 risk management.

The 10 Minimum Security Measures Under Article 21

Article 21(2) enumerates ten categories of measures. These are minimum requirements – member states may impose additional obligations during national transposition.

Risk Analysis, Incident Handling, and Business Continuity

Risk analysis and information system security policies. Entities must establish documented risk assessment methodologies, asset inventories, threat identification processes, and risk treatment plans. According to the European Commission’s impact assessment, only 37% of entities subject to the original NIS Directive had comprehensive risk analysis policies in place. The requirement goes beyond a one-time assessment – organisations must conduct periodic reviews and update their analysis when significant changes occur.

Incident handling. Entities must implement procedures for detecting, analysing, containing, and recovering from security incidents. This works in tandem with the directive’s incident reporting obligations, which mandate early warning within 24 hours, full notification within 72 hours, and a final report within one month.

Business continuity and crisis management. ENISA’s 2025 Threat Landscape report found that 43% of significant cybersecurity incidents in essential services resulted in operational disruption lasting more than 24 hours. Organisations must maintain tested backup systems, define recovery time objectives (RTOs) and recovery point objectives (RPOs), and establish crisis management structures.

Supply Chain, Network Security, and Vulnerability Handling

Supply chain security has become one of the most demanding NIS2 requirements. Entities must assess the cybersecurity practices of critical suppliers, define security requirements in contracts, and monitor supplier compliance. An estimated 62% of significant cyber incidents in 2024 involved exploitation of a third-party component or service according to ENISA. Our DORA ICT risk management guide covers similar requirements in the financial services context.

Network and information systems security covers the full lifecycle: secure procurement, secure development practices, and security testing before deployment. Organisations must integrate security into development lifecycles and maintain secure configuration baselines.

Vulnerability handling and disclosure. Entities must implement vulnerability scanning, patch management, and coordinated vulnerability disclosure processes. The average time to exploit a newly disclosed vulnerability fell to 15 days in 2025, down from 32 days in 2022 according to ENISA – making effective vulnerability management a core component of NIS2 risk management.

Cybersecurity Assessment, Cryptography, HR Security, and MFA

Assessing cybersecurity effectiveness. Organisations must evaluate whether their measures are working through internal audits, penetration testing, and continuous monitoring. This aligns with ISO 27001’s Plan-Do-Check-Act cycle and with DORA’s resilience testing requirements.

Cryptography and encryption. Article 21 requires policies and procedures on the use of cryptography and, where appropriate, encryption, covering data in transit, at rest, and in processing. The “where appropriate” qualifier reflects proportionality – entities must make documented, risk-based decisions about where cryptographic controls apply.

Human resources security, access control, and asset management. This spans background checks, security awareness training, least-privilege access, role-based access management, and comprehensive asset inventories. According to Verizon’s 2025 Data Breach Investigations Report, 68% of breaches involved a human element.

Multi-factor authentication and secure communications. MFA is a baseline expectation for access to critical systems and administrative functions. The measure also requires secured voice, video, and text communications, and secured emergency communication systems.

How Does Board Accountability Work Under Article 20?

Article 20 introduces direct governance accountability. Management bodies must approve the cybersecurity risk management measures, oversee their implementation, undergo cybersecurity training, and accept liability for infringements. The European Commission estimates that fewer than 25% of boards in newly in-scope entities had formal cybersecurity oversight mechanisms prior to NIS2’s transposition deadline.

This is not advisory language. Board members who fail to approve adequate measures or oversee implementation can face personal sanctions, including temporary bans from exercising managerial functions. For organisations subject to both NIS2 and GDPR, Article 20 creates a governance obligation that extends beyond the GDPR’s accountability principle. Our NIS2 vs GDPR comparison details how these governance models intersect.

How Do These Measures Overlap with GDPR and ISO 27001?

GDPR Article 32 requires “appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” The overlap with NIS2 Article 21 is substantial:

Domain                 | NIS2 Article 21                | GDPR Article 32
Risk-based approach    | Proportionate to risk          | Appropriate to risk
Encryption             | Required where appropriate     | Explicitly listed
Business continuity    | Backup, DR, crisis management  | Restore availability
Effectiveness testing  | Audits and assessments         | Regular testing and evaluating
Supply chain security  | Detailed requirements          | Processor due diligence (Art. 28)

Organisations already compliant with GDPR Article 32 have a foundation, but NIS2 demands more granularity in supply chain security, vulnerability handling, and crisis management.

ISO 27001:2022 maps well to NIS2’s requirements across its Annex A controls – risk analysis (clauses 6.1, 8.2), incident handling (A.5.24-A.5.28), business continuity (A.5.29-A.5.30), supply chain (A.5.19-A.5.23), access control (A.5.15-A.5.18), and cryptography (A.8.24). An ISO 27001-certified organisation is well positioned but should not assume full coverage. NIS2’s board accountability and crisis management requirements may exceed what a standard ISMS addresses.

For financial entities, DORA adds another layer – see our DORA compliance guide and the cross-regulation incident reporting analysis.

Implementing NIS2 Risk Management in Practice

Practical implementation follows a structured path: scope determination, gap analysis against the ten Article 21 measures, formal risk assessment of all network and information systems supporting essential services, remediation planning prioritised by risk severity, governance integration per Article 20, documentation for audit readiness, and continuous improvement cycles.

Legiscope’s compliance platform can accelerate the gap analysis and documentation phases by mapping existing controls against NIS2’s requirements and generating audit-ready evidence.

Enforcement and Penalties

The enforcement regime differs by entity category. Essential entities face administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities face fines of up to EUR 7 million or 1.4% of turnover. Supervisory authorities may also impose binding instructions, security audit orders, and temporary suspension of certifications.

These penalties apply specifically to failures in NIS2 risk management measures under Article 21 and governance obligations under Article 20. The EU compliance stack in 2026 provides broader context on how NIS2 enforcement interacts with GDPR and DORA penalty regimes.

Frequently Asked Questions

What is the difference between NIS2 risk management and GDPR security requirements?

NIS2 Article 21 prescribes ten specific categories of cybersecurity measures with an all-hazards scope covering network and information system security. GDPR Article 32 requires appropriate security measures focused on protecting personal data. NIS2 is more granular in areas such as supply chain security and vulnerability handling, while GDPR’s obligations are broader in application but less prescriptive in technical detail.

Does ISO 27001 certification satisfy NIS2 requirements?

ISO 27001 provides a strong foundation and covers many of the same control domains. However, NIS2 includes requirements – particularly board accountability (Article 20), supply chain security, and crisis management – that may not be fully addressed by a standard ISMS. A targeted gap analysis is necessary to confirm coverage.

Who is personally liable for NIS2 cybersecurity failures?

Article 20 makes management bodies accountable for approving and overseeing cybersecurity risk management measures. Member states may impose personal liability on individual board members or senior managers who fail to discharge these obligations, including temporary bans from exercising managerial functions. The European Commission’s infringement tracker monitors transposition progress across member states.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Panthéon-Assas University (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.