
NIS2 Requirements Under Art. 21

Complete overview of all NIS2 requirements under Art. 21: risk management, incident handling, business continuity, and more.

Overview: NIS2 Requirements Under Art. 21

The NIS2 Directive (EU 2022/2555) pursues a clear objective: establishing a uniformly high level of cybersecurity across the entire European Union. Article 21 forms the centrepiece of the directive and defines ten specific risk management measures that affected entities must implement. These measures follow an all-hazards approach and cover technical, organisational, and personnel aspects of information security.

Unlike the original NIS Directive of 2016, NIS2 leaves significantly less room for interpretation. The requirements are more precisely formulated and apply to a much larger number of organisations. In Germany, implementation is governed by the NIS2 Implementation Act (NIS2UmsuCG), which transposes the EU requirements into national law.

Below, we explain each of the ten measures from Art. 21 in detail and show you what they mean in practice.

1. Risk Analysis and Security Policies

The foundation of any NIS2-compliant security strategy is a systematic risk analysis. You must identify, assess, and document the risks relevant to your entity. This concerns not only IT systems but also business processes, supply chains, and physical infrastructure.

Based on this analysis, you develop a comprehensive security policy that defines protection objectives, assigns responsibilities, and derives concrete measures. The risk analysis is not a one-off exercise but must be updated regularly, particularly when the threat landscape or organisational structure changes.

Practical tip: Use recognised methodologies such as ISO 27005 or the BSI Standard 200-3 as a framework. A GRC tool like Kopexa can structure the risk analysis and automate documentation.

2. Incident Handling

NIS2 imposes strict requirements on the handling of security incidents. You need a documented incident response process covering detection, analysis, containment, eradication, and recovery. The tiered reporting obligations to the competent authority are particularly important:

  • Early warning (24h): Within 24 hours of becoming aware of a significant security incident, you must submit an initial notification to the competent authority. This includes a preliminary assessment of whether the incident is likely the result of unlawful or malicious acts and whether cross-border effects are possible.
  • Incident notification (72h): Within 72 hours, a more detailed report follows, including an initial assessment of the incident, its severity, its impact, and, where available, the indicators of compromise (IoCs).
  • Final report (30 days): No later than one month after the incident notification, you submit a comprehensive final report. This includes a detailed description of the incident, root cause analysis, the remedial measures taken, and recommendations for preventing similar incidents.

These deadlines are ambitious. Without prepared processes and templates, you will struggle to meet them. Prepare reporting templates in advance and practise the procedure regularly. More on the consequences of non-compliance can be found on our NIS2 Penalties and Sanctions page.
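The three deadlines above are easy to state and easy to miss under pressure, so a small calculator belongs in the incident response playbook. The following Python is an added example, not code from the original page or from any product it mentions: it takes the time the entity became aware of the incident and derives the 24h and 72h due dates, and it counts the one-month final-report deadline from the incident notification (the actual time it was sent, or, until then, its own deadline) rather than from the moment of awareness. The month arithmetic clamps to the last day of the following month; that clamping rule is an assumption of this example, not something the directive specifies.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ReportingDeadlines:
    early_warning: datetime          # 24h after becoming aware
    incident_notification: datetime  # 72h after becoming aware
    final_report: datetime           # one month after the incident notification


def add_one_month(moment: datetime) -> datetime:
    """Same calendar day in the following month, clamped to that month's last day.

    Assumption of this example: '30 days / one month' is read as a calendar month.
    """
    year = moment.year + moment.month // 12
    month = moment.month % 12 + 1
    day = min(moment.day, monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at: datetime,
                        notification_sent_at: Optional[datetime] = None) -> ReportingDeadlines:
    """Derive the NIS2 Art. 23 reporting due dates from the time of awareness.

    All inputs must be timezone-aware so that a 24h window is never off by a DST shift.
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    if notification_sent_at is not None and notification_sent_at.tzinfo is None:
        raise ValueError("notification_sent_at must be timezone-aware")

    early_warning = aware_at + timedelta(hours=24)
    incident_notification = aware_at + timedelta(hours=72)
    # The final report is due one month after the notification was actually sent;
    # before it is sent, plan against the notification's own deadline.
    basis = notification_sent_at if notification_sent_at is not None else incident_notification
    return ReportingDeadlines(early_warning, incident_notification, add_one_month(basis))


def overdue(deadlines: ReportingDeadlines, now: datetime) -> list:
    """Names of the reporting steps whose due date has already passed at `now`."""
    steps = (
        ("early_warning", deadlines.early_warning),
        ("incident_notification", deadlines.incident_notification),
        ("final_report", deadlines.final_report),
    )
    return [name for name, due in steps if now > due]


if __name__ == "__main__":
    # Constructed sample: awareness on 31 January 2026 at 10:00 UTC.
    aware = datetime(2026, 1, 31, 10, 0, tzinfo=timezone.utc)
    d = reporting_deadlines(aware)
    print("early warning due:        ", d.early_warning.isoformat())
    print("incident notification due:", d.incident_notification.isoformat())
    print("final report due:         ", d.final_report.isoformat())
    print("overdue on 2 Feb 12:00:   ", overdue(d, datetime(2026, 2, 2, 12, 0, tzinfo=timezone.utc)))
```

Record the awareness timestamp in the incident ticket the moment it is established; every later deadline is derived from it, and an unclear awareness time is the first thing a supervisory authority will ask about.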

3. Business Continuity and Crisis Management

You must ensure that your organisation remains operational even in a crisis. This includes business continuity plans that define how critical business processes are maintained or restored as quickly as possible during an outage. The plans must be regularly tested and updated.

Specifically, this encompasses: backup strategies with defined RPO/RTO values, disaster recovery plans for critical systems, crisis management structures with clear decision-making paths, and regular emergency exercises. The supervisory authority expects you to demonstrate that your plans work in practice.

The Business Impact Analysis (BIA) forms the foundation: Which business processes are critical? How long can a maximum outage last? At what point do irreversible damages occur? Based on this analysis, you prioritise your recovery measures.

4. Supply Chain Security

Supply chain security is one of the most far-reaching innovations of NIS2. You must assess the cybersecurity of your direct suppliers and service providers and incorporate it into your own risk analysis. This applies to both technical suppliers (cloud providers, software vendors) and non-technical service providers.

In practice, this means: You need a structured supplier assessment process that embeds security requirements in contracts, provides for regular reviews, and ensures monitoring of the supplier landscape. Particularly critical suppliers should provide evidence of their own security measures, such as ISO 27001 certifications or SOC 2 reports.

Tip: Start by classifying your suppliers by criticality. Not every supplier requires the same depth of assessment. Focus initially on suppliers that have access to your systems or sensitive data.

5. Security in Acquisition, Development, and Maintenance

NIS2 requires that security be integrated from the outset into the acquisition, development, and maintenance of network and information systems. This includes both the assessment of third-party software and the secure development of in-house applications.

For software development, this means a Secure Development Lifecycle (SDLC) with code reviews, static code analysis, and penetration testing. During procurement, security requirements should be part of the tender criteria. For maintenance, patch management processes are required to ensure that known vulnerabilities are closed promptly.

Vulnerability management plays a central role here: You must be able to systematically identify, prioritise, and remediate vulnerabilities in your systems. This includes subscribing to CVE feeds and using vulnerability scanning tools.

6. Assessing the Effectiveness of Measures

It is not enough to implement security measures. You must regularly review and demonstrate their effectiveness. NIS2 explicitly requires policies and procedures for assessing the effectiveness of risk management measures.

In practice, this includes: internal audits, penetration tests, tabletop exercises, KPI tracking (e.g. Mean Time to Detect, Mean Time to Respond), and management reviews. The results feed into the continuous improvement of your security posture.

Document your reviews carefully. The supervisory authority may require evidence of the effectiveness of your measures as part of supervisory activities. A GRC tool helps you capture all reviews in an auditable manner. More on this in our NIS2 Checklist.

7. Cyber Hygiene and Training

The human element is often the weakest link in the security chain. NIS2 requires basic cyber hygiene practices and regular cybersecurity training for all employees. Notably, Art. 20 explicitly obliges senior management to participate in training as well.

Cyber hygiene encompasses fundamental practices such as secure password policies, regular software updates, phishing awareness, and secure handling of mobile devices. Training should be role-specific: IT administrators need more in-depth technical training than employees in accounting.

Recommendation: Conduct mandatory security awareness training at least once a year and supplement it with phishing simulations to measure effectiveness. Document participation and results as compliance evidence.

8. Cryptography

NIS2 requires policies and procedures for the use of cryptography and, where relevant, encryption. You must ensure that sensitive data is appropriately encrypted both during transmission (in transit) and during storage (at rest).

This includes selecting appropriate encryption algorithms (e.g. AES-256, RSA-2048), key management procedures, TLS configurations, and encryption of databases and backups. Certificate management is also part of this: expired certificates are a common security risk.

Practical tip: Create a cryptography policy that specifies which algorithms and key lengths are approved within your organisation. Also plan for migration to quantum-safe methods once they are standardised.

9. Personnel Security and Access Controls

NIS2 requires measures for personnel security, access control policies, and structured asset management. You must ensure that only authorised individuals can access sensitive systems and data, following the principle of least privilege.

Specifically, this includes: a centralised identity and access management system, role-based access controls (RBAC), regular access reviews, processes for onboarding/offboarding, and the management of privileged access (Privileged Access Management).

Physical access control also applies: Who has access to server rooms, data centres, and other critical areas? Maintain a register of all assets and assign a responsible person to each asset.

10. Multi-Factor Authentication

The final measure under Art. 21 requires the use of multi-factor authentication (MFA) or continuous authentication. MFA is one of the most effective measures against credential-based attacks and should be deployed wherever critical systems or sensitive data are accessed.

NIS2 also mentions secured voice, video, and text communications as well as secured emergency communication systems. This means: You must also plan for the eventuality that your primary communication system is compromised. An out-of-band channel for crisis communication is mandatory.

Deploy MFA at a minimum for VPN access, admin accounts, cloud management consoles, and email systems. Prefer phishing-resistant methods such as FIDO2/WebAuthn over SMS-based codes.
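Measures 9 and 10 are usually checked together in a periodic access review: which accounts hold privileged scopes, whether each of them has MFA and of what kind, whether leavers have actually been offboarded, and whether the review itself is overdue. The following Python is an added example, not code from the original page or from any product it mentions; it runs the review over a constructed account inventory. The scope names, the 90-day review interval and the account fields are assumptions of this example, chosen to match the page's minimum MFA scope (VPN, admin accounts, cloud consoles, email) and its preference for FIDO2/WebAuthn over SMS codes.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Scopes the page names as the minimum for MFA (names assumed for this example).
PRIVILEGED_SCOPES = {"vpn", "admin", "cloud-console", "email"}
PHISHING_RESISTANT = {"fido2", "webauthn"}   # preferred methods
WEAK_MFA = {"sms"}                            # accepted only as a finding to remediate


@dataclass
class Account:
    user: str
    scopes: Set[str]
    mfa: Optional[str]      # "fido2", "webauthn", "totp", "sms" or None
    employed: bool          # False once HR has processed the leaver
    enabled: bool           # account state in the identity provider
    last_review: date       # date of the last documented access review


def review_accounts(accounts: List[Account], today: date,
                    review_interval_days: int = 90) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for every control gap found in the inventory."""
    findings = []
    for a in accounts:
        privileged = a.scopes & PRIVILEGED_SCOPES

        # Offboarding (Measure 9): an enabled account for someone who has left.
        if not a.employed and a.enabled:
            findings.append((a.user, "offboarding: account still enabled after leaving"))

        # MFA coverage (Measure 10) on the privileged scopes only.
        if privileged and a.enabled:
            if a.mfa is None:
                findings.append((a.user, f"no MFA on privileged scopes {sorted(privileged)}"))
            elif a.mfa in WEAK_MFA:
                findings.append((a.user, "SMS-based MFA on privileged scope; migrate to FIDO2/WebAuthn"))

        # Regular access review (Measure 9): evidence must not be stale.
        if (today - a.last_review).days > review_interval_days:
            findings.append((a.user, "access review overdue"))
    return findings


# Constructed sample inventory for demonstration.
SAMPLE_ACCOUNTS = [
    Account("alice", {"admin", "cloud-console"}, "fido2", True, True, date(2026, 1, 15)),
    Account("bob", {"vpn", "email"}, "sms", True, True, date(2026, 1, 20)),
    Account("carol", {"email"}, None, True, True, date(2025, 9, 1)),
    Account("dave", {"admin"}, "totp", False, True, date(2026, 1, 10)),
    Account("erin", {"wiki"}, None, True, True, date(2026, 2, 1)),
]

if __name__ == "__main__":
    for user, finding in review_accounts(SAMPLE_ACCOUNTS, date(2026, 2, 10)):
        print(f"{user:8} {finding}")
```

The output of such a review is itself compliance evidence: keep each run, the inventory it was run against and the follow-up tickets, so that the "regular access reviews" the measure asks for can be shown rather than asserted.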

Differences: Important vs. Essential Entities

NIS2 distinguishes between two categories of affected entities. While the security requirements under Art. 21 are identical for both categories, the supervisory arrangements and sanctions differ significantly.

Comparison of obligations and sanctions between important and essential entities under NIS2

Criterion            | Important Entities               | Essential Entities
---------------------|----------------------------------|------------------------------------------
Fine                 | up to EUR 7M / 1.4% of turnover  | up to EUR 10M / 2% of turnover
Supervision          | reactive (after incident)        | proactive (regular audits)
Reporting obligation | 24h / 72h / 30 days              | 24h / 72h / 30 days
Registration         | Registration with authority      | Registration + NIS2 compliance declaration
Executive liability  | Yes                              | Yes (extended)

Regardless of category: The ten measures under Art. 21 apply equally to all affected entities. The difference lies primarily in the intensity of supervision and the level of sanctions. Details on fines can be found on our NIS2 Penalties and Sanctions page.

Unsure whether your organisation is affected? Use the applicability check on our NIS2 Overview page or work through the steps in our NIS2 Checklist to assess your current status.

Implementation Priorities: Where to Start?

Implementing all ten requirements simultaneously is unrealistic. Because the NIS2UmsuCG has been in force since 06.12.2025, every week counts. A sensible prioritisation helps you quickly close the largest compliance gaps while establishing the most effective protective measures first.

Phase 1: Lay the Foundation (Months 1-3)

Start with the risk analysis (Measure 1) and the incident response process (Measure 2). The risk analysis is the basis for all subsequent decisions: without it, you do not know where your greatest vulnerabilities lie. The incident response process is a priority because reporting obligations apply immediately. If a significant security incident occurs tomorrow, you must inform the competent authority within 24 hours. Without prepared processes, this is impossible to achieve.

In parallel: Deploy multi-factor authentication (Measure 10) for all critical systems. MFA is relatively quick to implement and immediately reduces your attack risk significantly.

Phase 2: Build Resilience (Months 3-6)

In the second phase, address business continuity (Measure 3) and supply chain security (Measure 4). The business impact analysis and emergency plans take time but pay off with every incident. The supply chain assessment is resource-intensive because you must involve external partners. Start with the most critical suppliers and work your way forward.

At the same time, roll out the training programme (Measure 7). Under Art. 20 NIS2, senior management must personally participate in training. Plan this early, as executive calendars tend to fill up quickly.

Phase 3: Deepen the Systematic Approach (Months 6-9)

Now come the measures that characterise a mature security management system: security in acquisition and development (Measure 5), effectiveness assessment (Measure 6), cryptography policies (Measure 8), and access controls (Measure 9). These measures build on the foundation of the first two phases.

The effectiveness assessment (Measure 6) is particularly important: it ensures that all previously implemented measures actually work. Plan initial internal audits and penetration tests to identify weaknesses in your implementation before the supervisory authority finds them.

Phase 4: Continuous Improvement (from Month 9)

NIS2 compliance is not a project with an end date but an ongoing process. From Phase 4 onwards, the goal is to further develop all ten measures within the PDCA cycle (Plan-Do-Check-Act). Regularly review your risk analysis, update emergency plans after exercises, adjust supplier assessments, and refine training content based on current threats. Maintain complete records at all times, as the supervisory authority can conduct inspections at any time.

Recommended implementation sequence for the ten NIS2 requirements by urgency and dependencies

Phase          | Timeframe    | Measures                                                          | Rationale
---------------|--------------|-------------------------------------------------------------------|-----------------------------------------------------------------------------
1 - Foundation | Months 1-3   | Risk Analysis (1), Incident Response (2), MFA (10)                | Reporting obligations apply immediately; risk analysis drives all subsequent measures
2 - Resilience | Months 3-6   | BCM (3), Supply Chain (4), Training (7)                           | Require external coordination; executive obligation under Art. 20
3 - Systematic | Months 6-9   | Development (5), Effectiveness (6), Cryptography (8), Access (9)  | Builds on foundation; requires more mature processes
4 - PDCA       | from Month 9 | All 10 measures in cycle                                          | Continuous improvement and audit preparation

Important: These phases are recommendations, not rigid prescriptions. Depending on your organisation's starting position, the sequence may vary. If you already operate an ISO 27001-certified ISMS, for example, you can complete Phase 1 much more quickly. The best way to create a concrete roadmap for your organisation is by using our NIS2 Checklist.

Relationship to Existing Standards

If your organisation is already certified to ISO 27001, BSI IT-Grundschutz, or TISAX, you have a significant head start. The NIS2 requirements overlap substantially with established standards. However, none of these standards fully covers NIS2. You must identify and close the gaps in a targeted manner.

ISO 27001 and NIS2

ISO 27001:2022 offers the greatest coverage. The Annex A controls address nearly all ten NIS2 measures. In particular, risk analysis, access controls, cryptography, incident management, and business continuity are well covered. What ISO 27001 does not or only partially cover: the specific reporting obligations (24h/72h/30 days), supply chain assessment at the depth required by NIS2, and executive liability under Art. 20.

Practical tip: Take your existing Statement of Applicability (SoA) and compare it against the ten NIS2 measures. The gap analysis will show you where additional work is needed. Typical gaps lie in reporting processes, supply chain documentation, and formal executive training.

BSI IT-Grundschutz and NIS2

BSI IT-Grundschutz comprehensively covers the technical and organisational requirements of NIS2, particularly in the areas of risk analysis, BCM, and cryptography. Since the BSI is also the supervisory authority for NIS2 in Germany, audit practices are aligned with the Grundschutz modules. Organisations with BSI Grundschutz certification have a natural advantage in demonstrating compliance.

Supplementary requirements also apply here regarding the NIS2-specific reporting obligations and formal supplier assessment. BSI Standard 200-4 (BCM) provides an excellent basis for Measure 3 but must be supplemented with the NIS2-specific recovery requirements.

TISAX and NIS2

TISAX (Trusted Information Security Assessment Exchange) is widely used in the automotive industry and is based on the VDA ISA catalogue. TISAX covers many NIS2-relevant areas but focuses more on the protection of prototypes and development data. Supply chain security is well addressed in TISAX, which benefits you with Measure 4.

Gaps exist in the NIS2 reporting obligations, effectiveness assessment at the required frequency, and explicit executive liability. If you are TISAX-certified, use existing documentation as a starting point and selectively supplement the NIS2-specific requirements.

Coverage of NIS2 requirements by existing standards (high / medium / low)

NIS2 Measure               | ISO 27001 | BSI Grundschutz | TISAX
---------------------------|-----------|-----------------|-------
1. Risk Analysis           | high      | high            | high
2. Incident Response       | medium    | medium          | medium
3. BCM                     | high      | high            | medium
4. Supply Chain            | medium    | medium          | high
5. Development/Maintenance | high      | high            | medium
6. Effectiveness           | high      | high            | medium
7. Training                | medium    | medium          | medium
8. Cryptography            | high      | high            | medium
9. Access Controls         | high      | high            | high
10. MFA                    | medium    | medium          | low
Reporting Obligations      | low       | low             | low
Executive Liability        | low       | low             | low

The table shows: Existing certifications are a strong starting point but not a substitute for dedicated NIS2 implementation. In particular, the reporting obligations and executive liability are NIS2-specific and are not fully covered by any existing standard. Use a GRC tool like Kopexa to transparently manage the mapping of your existing controls to the NIS2 requirements and systematically close gaps.

Need support with implementation?

The NIS2UmsuCG has been in force since December 2025. Let us review together which requirements apply to your organisation and how you can meet them efficiently. Start now with our checklist or speak directly with our team.
