NIS2 Article 21: The 10 Mandatory Security Measures
A detailed breakdown of every security measure required by Article 21 of NIS2 — what each measure means and how to implement it in practice.
Article 21 of NIS2 is the heart of the directive's technical requirements. It mandates that covered entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of their network and information systems. The measures must follow a risk-based approach and take into account the state of the art, applicable standards, and the cost of implementation.
Risk-Based, Not Prescriptive
Article 21 does not specify exactly which technologies to deploy. Instead, it defines 10 areas where measures must be taken, and requires that the measures are proportionate to the level of risk your organisation faces. This means a large cloud provider and a medium-sized food manufacturer will implement very different controls — both can be compliant.
The 10 mandatory security measure categories under Article 21(2)
1. Risk Analysis and Information Security Policies
You must have a documented information security policy that is approved by senior management and communicated to all staff. This policy must be supported by a formal risk analysis process that identifies, evaluates, and treats cybersecurity risks. Your risk analysis should cover all assets (hardware, software, data, people, processes), threat scenarios relevant to your sector, and the potential business impact of incidents. The policy must be reviewed at regular intervals and after significant incidents or changes.
2. Incident Handling
You must have documented procedures for detecting, reporting, analysing, and recovering from cybersecurity incidents. This includes: clear roles and responsibilities for incident response, a defined escalation path from detection to management notification, playbooks for common incident types (ransomware, data breach, DDoS), integration with your legal and communications teams for breach notification, and post-incident review processes to capture lessons learned. Incident handling capability must be tested regularly through exercises.
3. Business Continuity and Crisis Management
NIS2 requires that you maintain the ability to continue delivering your services even during and after significant cybersecurity incidents. This requires a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) that specifically address cyber scenarios. You must define Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for critical systems, maintain tested backups, and have documented crisis management procedures. Backups must be isolated from the primary environment to protect against ransomware.
4. Supply Chain Security
Article 21(2)(d) specifically requires that you address security in your supply chain, including the security aspects of the relationships between your organisation and your direct suppliers and service providers. You must assess the cybersecurity practices of critical suppliers, include cybersecurity requirements in supplier contracts, monitor suppliers for security incidents, and have a process for managing the risk when suppliers fail to meet your requirements. This is one of the most challenging new requirements for many organisations.
5. Security in Network and Information Systems Acquisition, Development and Maintenance
Security must be built into your systems from the design phase, not bolted on afterwards. This requires: secure software development practices (SSDLC), vulnerability management for all software and hardware, patch management with defined timelines based on severity, penetration testing and code review for critical systems, and processes for managing the end-of-life of hardware and software. You should also have a process for receiving and acting on vulnerability disclosures.
6. Policies and Procedures to Assess Effectiveness of Security Measures
It is not sufficient to simply implement security measures — you must verify that they are working as intended. This requires a formal security testing and assurance programme that may include: internal security audits, external penetration tests, vulnerability assessments, threat hunting exercises, and security metrics and KPIs reported to management. The results of these assessments must feed back into your risk analysis and drive continuous improvement.
7. Cyber Hygiene Practices and Cybersecurity Training
All staff — not just IT staff — must receive cybersecurity awareness training appropriate to their role. For technical staff, this includes training on secure configuration, patching, and incident response. For general staff, it includes phishing awareness, password hygiene, and social engineering recognition. Senior management require training on their specific obligations under NIS2 (Article 20). Cyber hygiene measures include: regular password changes and prohibition of weak passwords, keeping software updated, using only authorised devices and software, and clear desk and screen lock policies.
8. Cryptography and Encryption
You must have a cryptography policy that governs how cryptographic controls are used to protect the confidentiality, integrity, and authenticity of information. This includes: encryption of data at rest for sensitive information, encryption of data in transit (TLS 1.2 or higher for all external communications), secure key management practices, use of approved and current cryptographic algorithms, and a process for rotating keys and certificates. You must also maintain awareness of cryptographic developments and be prepared to migrate to stronger algorithms as required.
9. Human Resources Security, Access Control Policies and Asset Management
Access to systems and data must be controlled on a least-privilege basis. This requires a formal access control policy, user provisioning and de-provisioning processes (especially for leavers), regular access reviews, privileged access management (PAM) for administrative accounts, and an accurate asset inventory that maps users to their access rights. HR processes must include pre-employment screening for roles with access to sensitive systems and clear processes for handling leavers including immediate access revocation.
10. Multi-Factor Authentication and Secure Communications
NIS2 explicitly requires the use of multi-factor authentication (MFA) or continuous authentication solutions where appropriate, as well as secured voice, video, and text communications, and secured emergency communication systems. MFA should be applied to all remote access, all privileged access, all email and collaboration tools, and any access to systems holding sensitive data. Voice communications used to discuss sensitive matters must use encrypted channels.
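As an added illustration (not part of the original article or of Nistoo's tooling), the following Python reconciles a constructed asset inventory against an HR leaver feed and flags the three conditions that measures 9 and 10 call for: leaver access that has not been revoked, privileged accounts without MFA, and access rights not re-certified within the review interval. The sample data, field names and the 180-day review cadence are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical; not taken from the article).
# Asset inventory mapping users to access rights, with last re-certification date.
INVENTORY = [
    {"user": "alice", "system": "erp-prod", "privileged": True,  "mfa": True,  "last_review": date(2024, 11, 1)},
    {"user": "bob",   "system": "erp-prod", "privileged": True,  "mfa": False, "last_review": date(2024, 11, 1)},
    {"user": "carol", "system": "hr-db",    "privileged": False, "mfa": True,  "last_review": date(2024, 2, 1)},
    {"user": "dave",  "system": "vpn",      "privileged": False, "mfa": True,  "last_review": date(2024, 11, 1)},
]
# HR leaver feed (constructed): user -> date employment ended.
LEAVERS = {"dave": date(2024, 11, 15)}

REVIEW_INTERVAL = timedelta(days=180)  # assumed access-review cadence


def access_review(inventory, leavers, today, review_interval=REVIEW_INTERVAL):
    """Return findings grouped by control for an access review run on `today`."""
    findings = {"leaver_not_revoked": [], "privileged_without_mfa": [], "review_overdue": []}
    for entry in inventory:
        user, system = entry["user"], entry["system"]
        # Leavers must lose access immediately; any surviving entry is a finding.
        if user in leavers and leavers[user] <= today:
            findings["leaver_not_revoked"].append((user, system))
        # Administrative (privileged) accounts must be protected by MFA.
        if entry["privileged"] and not entry["mfa"]:
            findings["privileged_without_mfa"].append((user, system))
        # Access rights must be re-certified at regular intervals.
        if today - entry["last_review"] > review_interval:
            findings["review_overdue"].append((user, system))
    return findings


def run_sample():
    """Run the review over the constructed data as of 2024-12-01."""
    return access_review(INVENTORY, LEAVERS, date(2024, 12, 1))


if __name__ == "__main__":
    for control, items in run_sample().items():
        print(f"{control}: {items}")
```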
Start with a Gap Analysis
The most effective way to understand your current position against Article 21 is to conduct a structured gap analysis. Nistoo's AI-powered gap analysis maps your existing controls against each Article 21 requirement and generates a prioritised remediation roadmap.
