NIS2 security measures: the requirements of Article 21
By ComplyBricks · Last reviewed Jul 12, 2026
If you're in scope for NIS2, Article 21 is the heart of what you have to do: implement a set of baseline cybersecurity risk-management measures, proportionate to your risk. This guide walks through them in plain language.
The proportionality principle
NIS2 doesn't demand identical controls from everyone. Art. 21(1) requires appropriate and proportionate technical, operational and organisational measures, judged against your risk exposure, size, and the likelihood and severity of incidents. A small important entity and a large essential one implement the same categories of measure at different depths.
The ten measures (Art. 21(2))
The directive lists a baseline set of measures that in-scope entities must cover:
- Risk analysis and information system security policies — a documented, risk-based approach to security.
- Incident handling — detecting, responding to, and recovering from security incidents.
- Business continuity — backup management, disaster recovery, and crisis management.
- Supply-chain security — including the security of relationships with direct suppliers and service providers.
- Security in acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.
- Policies and procedures to assess the effectiveness of your cybersecurity risk-management measures.
- Basic cyber hygiene practices and cybersecurity training.
- Cryptography — policies and procedures on the use of cryptography and, where appropriate, encryption.
- Human resources security, access control policies, and asset management.
- Multi-factor authentication or continuous authentication, and secured voice, video, text and emergency communications where appropriate.
How this maps to what you may already do
If you run an ISO 27001 ISMS, most of these measures already have a home in your controls and policies — see NIS2 vs ISO 27001 for the overlap and the gaps NIS2 adds on top (notably incident reporting and management accountability).
Management responsibility
NIS2 makes senior management responsible: management bodies must approve the cybersecurity measures, oversee their implementation, and follow training. This accountability — and the potential liability behind it — is one of the biggest shifts from the earlier NIS regime.
Next step
Not sure whether NIS2 applies to you in the first place? Start with Am I in scope for NIS2?.
References
- NIS2 — Directive (EU) 2022/2555, Art. 21 (cybersecurity risk-management measures)
This guide is for general information only and is not legal advice. Requirements change and depend on your circumstances — verify against the primary sources and consult a qualified professional or your DPO before making compliance decisions.
See how one control satisfies ISO 27001, NIS2 and GDPR at once.
Explore the live demo →