Risk Management (NIS2)

NIS2 requires essential and important entities to implement appropriate technical and organisational measures to manage cybersecurity risks. The risk management approach must be based on an ongoing assessment and must be proportionate to the risks the organisation faces.

    What is risk management under NIS2?

    Risk management is at the heart of the NIS2 Directive. The directive does not require organisations to eliminate all risks -- it requires them to identify, assess and manage risks in a manner that is proportionate to their risk profile and the potential consequences of an attack.

    The approach is risk-based: the greater the consequences a breach would have for the organisation and those it provides services to, the more robust the measures it is expected to implement.

    NIS2 Article 21 -- the specific requirements

    NIS2 Article 21(2) specifies the minimum measures that must form part of the risk management framework:

    • Policies on risk analysis and information system security: Documented policies governing how risks are identified, assessed and treated.
    • Incident handling: Procedures for detecting, analysing, containing and responding to cybersecurity incidents.
    • Business continuity and crisis management: Backup management, disaster recovery and crisis management plans.
    • Supply chain security: Assessment and management of risks arising from relationships with direct suppliers and service providers.
    • Security in network and information system acquisition, development and maintenance: Embedding security throughout the system lifecycle, including vulnerability handling and disclosure.
    • Policies and procedures for assessing the effectiveness of measures: Regular evaluation of whether implemented controls achieve their objectives.
    • Basic cyber hygiene practices and cybersecurity training: Ensuring staff awareness and competence in cybersecurity.
    • Policies and procedures on the use of cryptography and, where appropriate, encryption: Appropriate use of cryptographic controls to protect data.
    • Human resources security, access control policies and asset management: Controls governing personnel, access rights and asset inventories.
    • Multi-factor or continuous authentication and secured communications: Use of strong authentication and secured voice, video and text communications, including secured emergency communications within the entity, where appropriate.

    Risk management in practice

    A NIS2-compliant risk management process will typically include:

    • Identification: Map assets, threats and vulnerabilities across the organisation.
    • Assessment: Analyse the likelihood and impact of identified risks.
    • Treatment: Select and implement appropriate controls to mitigate unacceptable risks.
    • Monitoring: Continuously monitor risks and the effectiveness of controls.
    • Reporting: Document the process and report to management on risk posture.

    Proportionality principle:
    NIS2 Article 21(1) requires measures that are 'appropriate and proportionate' to the risks, taking into account the state of the art, the cost of implementation, the entity's size and exposure to risk, and the likelihood and severity of incidents, including their societal and economic impact. A small municipal IT department is not expected to implement the same level of controls as a large bank -- but both must take a systematic, documented approach to risk management.

    Frequently Asked Questions about Risk Management (NIS2)

    What does NIS2 require for risk management?

    NIS2 Article 21 requires organisations to implement appropriate technical and organisational measures based on a systematic risk assessment. Measures must be proportionate to the risks and include incident handling, supply chain security, cryptography and more.

    Is ISO 27001 sufficient for NIS2 risk management?

    ISO 27001 provides a strong foundation for NIS2 risk management and there is significant overlap. However, NIS2 imposes statutory incident reporting deadlines (an early warning within 24 hours, an incident notification within 72 hours and a final report within one month of becoming aware of a significant incident) that ISO 27001 does not contain, and its supply chain obligations go beyond the supplier-relationship controls in ISO 27001 Annex A. An ISO 27001 certification is a good starting point but is not sufficient on its own.

    How often must NIS2 risk assessments be performed?

    NIS2 requires an ongoing, continuous approach to risk management. Risk assessments should be updated regularly and whenever there are significant changes to the threat landscape, the organisation's systems or its operations.

    Does NIS2 apply the same requirements to all organisations?

    No. NIS2 applies a proportionality principle: measures must be appropriate to the organisation's size, risk exposure and the potential societal impact of a disruption. Essential entities face stricter supervisory requirements than important entities.

    What happens if an organisation fails to comply with NIS2 risk management requirements?

    NIS2 introduces significant enforcement powers, including administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher, for important entities. Supervisory authorities may also issue binding instructions, order the entity to remedy deficiencies and conduct on-site inspections, and management bodies can be held personally accountable for non-compliance.
