
The 10 NIS2 Cybersecurity Measures Explained: A Practical Guide to Article 21

By NIS2Certify
Tags: nis2, article-21, cybersecurity-measures, compliance, risk-management

Article 21 is the heart of the NIS2 Directive. It defines the ten cybersecurity risk management measures that every essential and important entity must implement. Not as suggestions — as legal requirements.

But the directive text is dense and legalistic. This guide translates each measure into practical language: what it means, why it matters, and what you actually need to do.


Overview: the 10 measures at a glance

Article 21 — 10 NIS2 Cybersecurity Measures

Governance & Strategy
  1. Risk analysis & information security policies
  6. Effectiveness assessment of security measures

Incident & Continuity
  2. Incident handling & notification
  3. Business continuity & disaster recovery

Supply Chain & Systems
  4. Supply chain security
  5. Security in network & information systems development

Technical Controls
  8. Cryptography & encryption
  10. Multi-factor authentication & secure communications

People & Assets
  7. Cyber hygiene & training
  9. HR security & access control

Risk analysis (measure 1) is the foundation — it informs most other measures. Effectiveness assessment (measure 6) closes the loop by verifying everything works. Training (measure 7) enables people to execute all other measures properly.


The 10 measures explained

Measure 1: Risk analysis and information security policies

What it means: Organisations must establish a systematic methodology for identifying and assessing cybersecurity risks. This includes documenting assets, threats, and vulnerabilities, then determining the likelihood and potential impact of incidents. The outcome feeds directly into a formal information security policy that sets out management's commitments, responsibilities, and the principles governing how information is protected.

In practice: Start by mapping your critical assets — systems, data, and processes. Conduct a structured risk assessment at least annually and whenever significant changes occur. Document your risk treatment decisions (accept, mitigate, transfer, avoid). Publish an information security policy signed off by senior management, and review it regularly. Assign clear ownership for each risk so that mitigation actions are actually followed through.


Measure 2: Incident handling

What it means: Organisations must have documented procedures for detecting, classifying, responding to, and reporting cybersecurity incidents. NIS2 introduces strict notification timelines: an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within one month.

In practice: Build an incident response plan that defines what counts as a significant incident, who is responsible for each step, and how evidence is preserved. Establish a 24/7 escalation path so that the duty officer can always reach the decision-maker. Integrate alerting from SIEM, EDR, and other monitoring tools. Run tabletop exercises at least once a year to test your plan under realistic conditions. Keep a log of all incidents — including near-misses — to feed lessons learned back into your risk process.
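As an added illustration (not part of this guide or of NIS2Certify's tooling), the following Python computes the three reporting deadlines from the awareness timestamp and classifies each stage, so a duty officer can see what is due next. The incident record is constructed, and "one month" for the final report is approximated as 30 calendar days.

```python
from datetime import datetime, timedelta, timezone

# Reporting stages as this guide lists them for a significant incident, all
# measured from the moment the entity becomes aware of it. "One month" for the
# final report is approximated here as 30 calendar days (assumption).
REPORTING_STAGES = (
    ("early_warning", timedelta(hours=24)),
    ("incident_notification", timedelta(hours=72)),
    ("final_report", timedelta(days=30)),
)

def notification_deadlines(aware_at: datetime) -> dict:
    """Deadline for each reporting stage, counted from the awareness timestamp."""
    if aware_at.tzinfo is None:
        # A naive timestamp makes a 24-hour clock ambiguous across on-call handovers.
        raise ValueError("aware_at must be timezone-aware")
    return {stage: aware_at + window for stage, window in REPORTING_STAGES}

def reporting_status(aware_at: datetime, submitted: dict, now: datetime) -> dict:
    """Classify each stage as 'submitted' (on time), 'late', 'overdue' or 'pending'."""
    status = {}
    for stage, deadline in notification_deadlines(aware_at).items():
        sent_at = submitted.get(stage)
        if sent_at is not None:
            status[stage] = "submitted" if sent_at <= deadline else "late"
        elif now > deadline:
            status[stage] = "overdue"
        else:
            status[stage] = "pending"
    return status

def next_due(aware_at: datetime, submitted: dict, now: datetime):
    """First unsent stage and the time left until its deadline (negative if missed)."""
    for stage, deadline in notification_deadlines(aware_at).items():
        if stage not in submitted:
            return stage, deadline - now
    return None

# Constructed incident record: aware at 09:00 UTC on 3 March, early warning sent
# four hours later; NOW is four days after awareness.
AWARE_AT = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
SUBMITTED = {"early_warning": datetime(2025, 3, 3, 13, 0, tzinfo=timezone.utc)}
NOW = datetime(2025, 3, 7, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(reporting_status(AWARE_AT, SUBMITTED, NOW))
    print(next_due(AWARE_AT, SUBMITTED, NOW))
```

Wire the same check into the incident ticket so the overdue state is visible to the decision-maker, not only to the duty officer.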


Measure 3: Business continuity and crisis management

What it means: Organisations must ensure they can continue to deliver essential services even during and after a serious cyber incident. This covers backup strategies, disaster recovery (DR) plans, and broader crisis management arrangements that involve senior leadership and, where relevant, external stakeholders.

In practice: Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for all critical systems. Implement automated, encrypted backups stored in a geographically separate location, and test restores regularly. Develop a DR runbook with step-by-step procedures for the most likely failure scenarios. Hold crisis management exercises that include the executive team, so leadership knows their roles before an actual emergency unfolds.


Measure 4: Supply chain security

What it means: The security posture of your suppliers and service providers directly affects your own risk. NIS2 requires organisations to assess the cybersecurity practices of direct suppliers, ensure contractual security obligations are in place, and manage the risks introduced by third parties throughout the relationship lifecycle.

In practice: Maintain a register of all third parties with access to your systems or data. Perform risk-based due diligence before onboarding new suppliers — use questionnaires, certifications (e.g. ISO 27001), or audit rights. Include minimum security requirements in contracts: incident notification obligations, right-to-audit clauses, and data-handling standards. Review critical suppliers annually and terminate relationships that pose unacceptable risks.


Measure 5: Security in network and information systems

What it means: Technical security controls must be applied across the full lifecycle of network and information systems — from design and development through operation and decommissioning. This encompasses secure-by-default configurations, vulnerability management, and timely patching.

In practice: Apply a hardening baseline to all servers, endpoints, and network devices. Maintain an up-to-date asset inventory so nothing is overlooked. Subscribe to vulnerability intelligence feeds and set SLAs for patching: critical vulnerabilities within 72 hours, high within 30 days. Use network segmentation to limit lateral movement. Enforce secure development practices — code reviews, static analysis, and dependency scanning — for any software your organisation builds or customises.


Measure 6: Effectiveness assessment of cybersecurity measures

What it means: Organisations must have mechanisms to evaluate whether their security controls are actually working. This includes regular testing, independent auditing, and the use of metrics to demonstrate and improve security performance over time.

In practice: Establish a set of Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for your security programme. Commission penetration tests at least annually — and after major changes — to validate technical controls. Conduct internal audits against your security policies and NIS2 requirements. Present findings to senior management with clear remediation timelines. Use the results to update your risk assessment and prioritise investment.


Measure 7: Basic cyber hygiene and cybersecurity training

What it means: Human behaviour remains one of the largest attack vectors. NIS2 requires organisations to implement basic cyber hygiene practices across the workforce and to provide role-appropriate cybersecurity training. Hygiene covers fundamentals such as password management, software updates, and phishing awareness.

In practice: Roll out mandatory security awareness training for all staff at onboarding and at least annually thereafter. Tailor advanced modules for IT administrators, developers, and executives. Run simulated phishing campaigns to measure and improve staff vigilance. Publish clear, accessible guidelines on acceptable use, clean-desk policy, and remote-working security. Track completion rates and feed results into your overall risk picture.


Measure 8: Cryptography and encryption policies

What it means: Organisations must define and enforce policies governing the use of cryptographic controls to protect the confidentiality, integrity, and authenticity of information. This includes specifying approved algorithms, key lengths, and key management procedures.

In practice: Publish a cryptography policy that mandates the use of current, industry-accepted algorithms (e.g. AES-256 for data at rest, TLS 1.2/1.3 for data in transit). Establish a key management procedure covering generation, storage, rotation, and destruction of cryptographic keys. Ensure sensitive data is encrypted end-to-end — including backups and removable media. Review your cryptographic standards at least every two years, as algorithms can become obsolete.


Measure 9: HR security, access control and asset management

What it means: Security risks arise throughout the employee lifecycle — from recruitment to departure. NIS2 requires appropriate personnel security controls (including background verification where lawful), a robust access control framework based on least privilege and need-to-know, and a comprehensive asset inventory.

In practice: Define screening requirements for roles with elevated access to sensitive systems or data. Implement a formal joiner-mover-leaver (JML) process: provision access on day one, adjust it when roles change, and revoke it immediately on departure. Apply Role-Based Access Control (RBAC) and review access rights quarterly. Maintain a current inventory of all hardware and software assets, tagged with their owner and classification level.
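To make the joiner-mover-leaver review concrete, here is an added Python example (not from this guide) that reconciles a constructed HR extract against live account entitlements and a simple RBAC model, flagging leavers with active accounts, orphaned accounts unknown to HR, and movers who kept access from a previous role. The role-to-system mapping and all sample data are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str                 # current role according to HR
    left_on: Optional[date]   # departure date, None while still employed

@dataclass(frozen=True)
class Entitlement:
    user_id: str
    system: str               # system on which the account is active

# RBAC model (constructed): the systems each role legitimately needs.
ROLE_SYSTEMS = {
    "finance": {"erp", "mail"},
    "sales": {"crm", "mail"},
    "sysadmin": {"erp", "crm", "mail", "vpn", "ad-admin"},
}

def review_access(staff, entitlements, today):
    """Reconcile live entitlements with HR data and the RBAC model; returns leaver
    (active after departure), orphan (unknown to HR) and excess (outside role) findings."""
    people = {p.user_id: p for p in staff}
    findings = {"leaver": [], "orphan": [], "excess": []}
    for ent in entitlements:
        person = people.get(ent.user_id)
        item = (ent.user_id, ent.system)
        if person is None:
            findings["orphan"].append(item)
        elif person.left_on is not None and person.left_on <= today:
            findings["leaver"].append(item)
        elif ent.system not in ROLE_SYSTEMS.get(person.role, set()):
            findings["excess"].append(item)
    return findings

# Constructed sample: bob moved from finance to sales but kept ERP, carol left
# on 30 May, and "svc-old" exists on the VPN but is unknown to HR.
STAFF = [Employee("alice", "finance", None), Employee("bob", "sales", None),
         Employee("carol", "sysadmin", date(2025, 5, 30))]
ENTITLEMENTS = [Entitlement("alice", "erp"), Entitlement("alice", "mail"),
                Entitlement("bob", "crm"), Entitlement("bob", "erp"),
                Entitlement("carol", "ad-admin"), Entitlement("svc-old", "vpn")]
TODAY = date(2025, 6, 6)

if __name__ == "__main__":
    for kind, items in review_access(STAFF, ENTITLEMENTS, TODAY).items():
        print(kind, items)
```

Run it against exports from the HR system and each identity store at the quarterly review; every finding is either a ticket to revoke access or a documented exception with an owner.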


Measure 10: Multi-factor authentication and secure communications

What it means: Passwords alone are insufficient to protect access to sensitive systems. NIS2 requires the use of multi-factor authentication (MFA) and encrypted communication channels, particularly for administrative access, remote connectivity, and communications involving critical information.

In practice: Enforce MFA on all externally accessible systems — VPN, webmail, cloud portals, and remote desktop — as a minimum. Extend MFA to all privileged accounts and sensitive internal systems. Use phishing-resistant MFA methods (e.g. FIDO2/hardware tokens) for the most critical access. Ensure all administrative communications use encrypted channels (e.g. encrypted email, secure messaging platforms). Maintain emergency access procedures that are both secure and reliably available when primary authentication paths fail.


Prioritisation: where to start

If you're starting from scratch, here's a practical order:

Phase   | Measures                                                     | Why first
--------|--------------------------------------------------------------|-------------------------
Phase 1 | 1 (Risk analysis), 9 (Access control), 10 (MFA)              | Foundation + quick wins
Phase 2 | 2 (Incident handling), 3 (Business continuity)               | Resilience basics
Phase 3 | 7 (Training), 8 (Cryptography)                               | People + data protection
Phase 4 | 4 (Supply chain), 5 (Secure development), 6 (Effectiveness)  | Maturity + verification

This is a practical suggestion, not a legal hierarchy. All 10 measures are equally required under NIS2.


Find out where you stand

Our free NIS2 quickscan assesses your organisation against all 10 Article 21 measure categories in just a few minutes. For each measure, you'll see whether you're on track or where the gaps are.

