Security Measures (NIS2)

NIS2 Article 21 sets out the minimum security measures that essential and important entities must implement. The requirements span from technical controls such as encryption and multi-factor authentication to organisational measures such as policies, procedures and training.


    NIS2 Article 21 -- overview

    NIS2 Article 21 establishes the minimum requirements for the cybersecurity risk-management measures that all essential and important entities must implement. Article 21(1) requires the measures to follow an all-hazards approach, protecting both the network and information systems and their physical environment, and to take account of the state of the art, relevant European and international standards and the cost of implementation. The requirements are expressed as categories of measures rather than specific technologies; it is up to each organisation to implement measures in a manner appropriate to its risk profile.

    Technical measures

    Article 21(2) does not name individual technologies, but the measures it requires translate in practice into technical controls such as:

    • Cryptography and encryption: Policies and procedures on the use of cryptography and, where appropriate, encryption of data at rest and in transit to protect confidentiality.
    • Access control: Access control policies based on least privilege and role-based access management, together with asset management.
    • Multi-factor authentication (MFA): MFA or continuous authentication solutions and secured communications where appropriate, in particular for critical systems and remote access.
    • Network segmentation: Dividing the network to limit the spread of an attack.
    • Vulnerability management: Continuous scanning, discovery and patching of vulnerabilities, including vulnerability handling and disclosure as part of secure acquisition, development and maintenance of systems.
    • Logging and monitoring: Logging of security events and monitoring of systems for anomalies, as the basis for incident detection.
    • Backup and recovery: Regular backups and tested recovery procedures (Article 21(2)(c) names backup management and disaster recovery explicitly).

    Organisational measures

    The organisational measures include:

    • Information security policies: Documented policies on risk analysis and information system security.
    • Incident handling: Procedures for detecting, analysing and responding to security incidents.
    • Business continuity and crisis management: Business continuity, disaster recovery and crisis management plans.
    • Effectiveness assessment: Policies and procedures for assessing whether the implemented measures actually work.
    • Training: Basic cyber hygiene practices and cybersecurity training and awareness for all employees.
    • Personnel security: Human resources security procedures covering hiring, termination and internal role changes.
    • Supply chain management: Assessment and management of security in the supply chain, including the security aspects of the relationship with each direct supplier and service provider.


    All 10 categories are mandatory:
    NIS2 Article 21(2) states that the measures "shall include at least" 10 listed categories. The organisation chooses how to implement each of them, but it cannot opt out of any category.

    The proportionality principle

    NIS2 requires measures that are "appropriate and proportionate" to the risks posed. When assessing proportionality, Article 21(1) requires due account to be taken of:

    • The degree to which the organisation is exposed to risk
    • The size of the organisation
    • The likelihood of incidents occurring and their severity, including their societal and economic impact
    • The state of the art, relevant standards and the cost of implementation

    This means that a small important entity is not expected to implement the same measures as a large essential entity, but both must address all 10 categories. The proportionality principle also connects to sanctions -- the adequacy of measures is assessed in the context of the organisation's risk profile.

    Frequently Asked Questions about Security Measures (NIS2)

    What are the 10 measure categories in NIS2?

    NIS2 Article 21(2) specifies: (a) policies on risk analysis and information system security, (b) incident handling, (c) business continuity, such as backup management and disaster recovery, and crisis management, (d) supply chain security, including the security aspects of relationships with direct suppliers and service providers, (e) security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure, (f) policies and procedures to assess the effectiveness of the measures, (g) basic cyber hygiene practices and cybersecurity training, (h) policies and procedures on the use of cryptography and, where appropriate, encryption, (i) human resources security, access control policies and asset management, (j) the use of multi-factor or continuous authentication, secured voice, video and text communications and secured emergency communication systems, where appropriate.

    Does NIS2 require specific technologies?

    No. NIS2 specifies categories of measures, not specific technologies or products. The organisation chooses which technologies and solutions best meet the requirements in relation to its risk profile and size.

    Are all 10 categories mandatory?

    Yes. All 10 categories listed in Article 21(2) are mandatory. Organisations choose how to implement them proportionally, but cannot exclude any category entirely.

    How does proportionality work in practice?

    The extent of measures must be appropriate to the organisation's size, risk profile, the nature of its services and the potential consequences of incidents. A small entity implements differently from a large one, but both must address all categories.

    What happens if an organisation fails to implement the required measures?

    Failure to implement adequate security measures can lead to sanctions including administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities (up to EUR 7 million or 1.4% for important entities), as well as binding instructions, security audits and orders to remedy deficiencies. For essential entities, the competent authority can in serious cases also temporarily suspend certifications or authorisations and temporarily prohibit the persons responsible at management level from exercising managerial functions in the entity.
