NIS2 Article 21 sets out the security measures that essential and important entities must implement. Unlike the original NIS1, which used vague language about "appropriate measures," NIS2 is specific. This article lists every required measure, explains what it means in practice, and identifies the key implementation questions.
NIS2 Article 21: The Full List
NIS2 Article 21(2) lists the minimum security measures:
(a) Policies on risk analysis and information system security
What it means: A documented information security risk management process — identify threats and vulnerabilities, assess impact and likelihood, implement controls, review regularly.
In practice:
- Maintain a risk register
- Conduct formal risk assessments at defined intervals (minimum annual)
- Risk assessment scope: IT systems, operational technology, supply chain, people, physical environments
- Management approval of the risk assessment and treatment plan
- Document the rationale for risk treatment decisions
(b) Incident handling
What it means: A documented procedure for detecting, responding to, and reporting security incidents — including the NIS2 notification obligations.
In practice:
- Incident classification criteria — what counts as a "significant incident" under NIS2
- Escalation path from detection to management notification
- 24-hour early warning capability to the national CSIRT
- 72-hour detailed notification capability
- Incident documentation and post-incident review process
- SIEM or log management to support incident detection
(c) Business continuity and crisis management
What it means: Systems and processes to maintain operations during disruptions — backups, disaster recovery, and crisis management.
In practice:
- Backup policy: frequency, retention, off-site or air-gapped backup for critical data
- Recovery time objectives (RTOs) and recovery point objectives (RPOs) defined
- Disaster recovery plan documented and tested
- Business continuity plan for extended disruptions
- Crisis management procedure for major incidents affecting service delivery
- Annual testing of recovery procedures with documented results
(d) Supply chain security
What it means: Security practices covering direct suppliers and service providers that provide ICT products or services relevant to the entity's security.
In practice:
- Inventory of critical ICT suppliers
- Risk assessment for each critical supplier
- Security requirements in supplier contracts
- Due diligence at supplier onboarding
- Annual review of critical supplier security posture
- Incident notification requirements in supplier agreements
(e) Security in network and information systems acquisition, development, and maintenance
What it means: Security is built into the lifecycle of systems — from procurement and development through to decommissioning.
In practice:
- Secure software development lifecycle (SSDLC) with security reviews at key stages
- Dependency scanning and software composition analysis
- Code review and/or static analysis for security issues
- Penetration testing before major releases
- Security requirements in procurement for third-party software
- Change management process with security impact assessment
(f) Policies and procedures to assess effectiveness of cybersecurity risk management measures
What it means: You must measure whether your security controls are working — not just have them on paper.
In practice:
- Key security metrics tracked and reported to management
- Annual internal security audit or assessment
- Penetration testing (at least annual for essential entities)
- Vulnerability scanning programme with documented remediation tracking
- Management review of security programme effectiveness
(g) Basic cyber hygiene practices and cybersecurity training
What it means: Foundational security practices for all staff, plus regular training.
In practice:
- Security awareness training for all employees — minimum annual
- Phishing simulation programme
- Management body cybersecurity training (Article 20 obligation)
- Secure password and credential management practices
- Clear desk and screen lock policies
- Joiner/mover/leaver process for access management
(h) Policies and procedures regarding the use of cryptography and encryption
What it means: Encryption must be used where appropriate — not just considered.
In practice:
- TLS 1.2+ for all data in transit (TLS 1.3 preferred)
- AES-256 or equivalent for data at rest on sensitive systems
- Documented key management: key generation, storage, rotation, and revocation
- Certificate management and monitoring for expiry
- No weak or deprecated cryptographic algorithms (MD5, SHA-1, DES, 3DES)
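As an added example that is not part of the original article, the following Python check evaluates a constructed service inventory against the (h) items above: minimum TLS version, deprecated algorithms in cipher suites and at-rest encryption, certificate expiry, and key rotation age. The inventory fields, the 30-day expiry warning window and the 365-day rotation interval are assumptions for the example; NIS2 itself sets no such numbers.

```python
from datetime import date

# Constructed inventory of hypothetical services (not taken from the article).
INVENTORY = [
    {"service": "customer-portal", "tls_min": "1.3",
     "ciphers": ["TLS_AES_256_GCM_SHA384"], "at_rest": "AES-256-GCM",
     "cert_expiry": "2025-03-01", "key_age_days": 120},
    {"service": "legacy-billing", "tls_min": "1.0",
     "ciphers": ["DES-CBC3-SHA", "RC4-MD5"], "at_rest": "3DES",
     "cert_expiry": "2024-12-20", "key_age_days": 900},
]

DEPRECATED = ("MD5", "SHA1", "DES")  # the article's list; "DES" also matches 3DES
MIN_TLS = (1, 2)                     # TLS 1.2+ required, 1.3 preferred
CERT_WARN_DAYS = 30                  # assumed expiry warning window
MAX_KEY_AGE_DAYS = 365               # assumed rotation interval, set by local policy


def uses_deprecated_algorithm(name: str) -> bool:
    """True if an algorithm or cipher-suite name contains a deprecated primitive."""
    norm = name.upper().replace("-", "").replace("_", "")
    # OpenSSL-style suite names ending in plain "SHA" use HMAC-SHA-1.
    return norm.endswith("SHA") or any(a in norm for a in DEPRECATED)


def check_inventory(inventory, today_iso: str):
    """Return (service, area, detail) findings for every item that fails a check."""
    today = date.fromisoformat(today_iso)
    findings = []
    for svc in inventory:
        name = svc["service"]
        version = tuple(int(p) for p in svc["tls_min"].split("."))
        if version < MIN_TLS:
            findings.append((name, "transit", f"TLS {svc['tls_min']} below 1.2 minimum"))
        for suite in svc["ciphers"]:
            if uses_deprecated_algorithm(suite):
                findings.append((name, "deprecated", f"cipher suite {suite}"))
        if uses_deprecated_algorithm(svc["at_rest"]):
            findings.append((name, "deprecated", f"at-rest algorithm {svc['at_rest']}"))
        days_left = (date.fromisoformat(svc["cert_expiry"]) - today).days
        if days_left < 0:
            findings.append((name, "certificate", f"expired {-days_left} days ago"))
        elif days_left <= CERT_WARN_DAYS:
            findings.append((name, "certificate", f"expires in {days_left} days"))
        if svc["key_age_days"] > MAX_KEY_AGE_DAYS:
            findings.append((name, "key-management", f"key unrotated for {svc['key_age_days']} days"))
    return findings


if __name__ == "__main__":
    for service, area, detail in check_inventory(INVENTORY, "2024-12-01"):
        print(f"{service}: [{area}] {detail}")
```

Run against the constructed data, the check is clean for the portal and produces six findings for the legacy service, one per failed bullet.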
(i) Human resources security, access control policies, and asset management
What it means: People, access, and assets must be managed with security in mind.
In practice:
- Background checks for staff with access to sensitive systems (proportionate to role)
- Onboarding security training
- Access provisioning based on least privilege
- Regular access reviews (minimum annual) to remove stale access
- Offboarding process for immediate access revocation
- Asset inventory covering hardware and software
- Procedures for secure disposal of hardware
(j) Multi-factor authentication or continuous authentication solutions
What it means: MFA is explicitly required — not optional.
In practice:
- MFA on all systems: not just email, but internal applications, cloud platforms, code repositories, remote access
- Privileged access (administrative) must use MFA plus additional controls (PAM)
- Phishing-resistant MFA (hardware keys, passkeys) preferred for privileged access
- Remote access (VPN, SSH, RDP) requires MFA
- Customer-facing accounts should support MFA; for essential entities, MFA may be required for customer admin accounts
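As an added example that is not part of the original article, the following Python review covers the access-control bullets of (i) (offboarding revocation, stale-access review) and the MFA bullets of (j) (MFA everywhere, phishing-resistant MFA for privileged accounts) over a constructed account inventory. The account fields, the MFA method labels and the 90-day staleness threshold are assumptions for the example.

```python
from datetime import date

# Constructed account inventory of hypothetical users (not taken from the article).
ACCOUNTS = [
    {"user": "alice", "privileged": True, "enabled": True, "employed": True,
     "mfa": "fido2", "last_login": "2024-11-28"},
    {"user": "bob", "privileged": False, "enabled": True, "employed": True,
     "mfa": "none", "last_login": "2024-11-30"},
    {"user": "carol", "privileged": True, "enabled": True, "employed": True,
     "mfa": "sms", "last_login": "2024-06-01"},
    {"user": "dave", "privileged": False, "enabled": True, "employed": False,
     "mfa": "totp", "last_login": "2024-09-15"},
]

PHISHING_RESISTANT = {"fido2", "passkey"}  # hardware keys and passkeys, as the article prefers
STALE_DAYS = 90                            # assumed threshold for the periodic access review


def review_accounts(accounts, today_iso: str):
    """Return (user, finding) pairs for offboarding, stale-access and MFA gaps."""
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue  # disabled accounts carry no live access to review
        if not acct["employed"]:
            findings.append((user, "leaver still enabled; offboarding revocation missed"))
            continue  # the account must be disabled, so the remaining checks are moot
        if acct["mfa"] == "none":
            findings.append((user, "no MFA enrolled"))
        elif acct["privileged"] and acct["mfa"] not in PHISHING_RESISTANT:
            findings.append((user, f"privileged account on non-phishing-resistant MFA ({acct['mfa']})"))
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > STALE_DAYS:
            findings.append((user, f"stale access: no login for {idle} days"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, "2024-12-01"):
        print(f"{user}: {finding}")
```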