NIS2 Article 21(2)(f): The 'Assess Effectiveness' Measure Most Teams Skip

When an auditor opens your NIS2 file, they don't start with your firewall rules. They start with the question almost nobody prepares for: prove that your security controls actually work.
That question lives in Article 21(2)(f) — the requirement for "policies and procedures to assess the effectiveness of cybersecurity risk-management measures." It's the shortest of the ten measures and the one most organisations treat as an afterthought. It's also the one that exposes whether the other nine are real or just documentation.
If you run security for clients as an MSP or vCISO, this is where you either look credible or get caught out. Here's how the effectiveness loop actually works, and how to build evidence a supervisor will accept.
Article 21(2)(f) is the audit loop, not a control
Nine of the ten Article 21 measures are things you do: risk analysis, incident handling, backups, encryption, access control. Measure (f) is different. It's the feedback mechanism that checks whether those nine are doing their job — and feeds the findings back into your risk assessment.
The directive doesn't ask you to assess effectiveness once and file it. It asks for a standing process: you implement a control, you test it, you find the gap, you fix it, you re-test. Without that loop, every other measure is an assumption.
This matters because supervisors don't audit intentions. They audit whether your stated controls produce the outcomes you claim. A backup policy that has never been restore-tested is, to a regulator, an untested claim.
Article 21 — 10 NIS2 Cybersecurity Measures (figure, reproduced as text; the numbers follow the order of Article 21(2)(a) to (j))
Governance & Strategy: 1. Risk analysis & information security policies; 6. Effectiveness assessment of security measures
Incident & Continuity: 2. Incident handling & notification; 3. Business continuity & disaster recovery
Supply Chain & Systems: 4. Supply chain security; 5. Security in network & information systems development
Technical Controls: 8. Cryptography & encryption; 10. Multi-factor authentication & secure communications
People & Assets: 7. Cyber hygiene & training; 9. HR security & access control
"Assess effectiveness" has a specific, testable meaning
The phrase sounds vague until you break it into the four things an assessment programme has to produce.
First, an internal audit schedule for the information security programme — defined scope, defined cadence, named owner. Second, measurable indicators: KPIs and KRIs that show whether controls are trending in the right direction (patch SLA adherence, MFA coverage, mean time to detect). Third, periodic management reviews where leadership signs off on the findings. Fourth, at least one layer of independent assessment — internal audit, an external auditor, or a third-party attestation such as ISO 27001 or SOC 2.
NIS2 doesn't fix an assessment frequency. What supervisors expect is a periodic, systematic process, and they read repeat findings as a tell: an item that appears in two consecutive audits without resolution signals that your effectiveness assessment is cosmetic, not operational. That single pattern does more damage in an audit than the original gap.
Penetration testing is how you prove technical controls work
Self-assessment tells you whether you wrote the policy. Penetration testing tells you whether the policy survives contact with an attacker.
Article 21(2)(f) doesn't name penetration testing, but it's the cleanest way to satisfy the technical side of effectiveness assessment. Automated vulnerability scanning catches known CVEs. A pen test validates whether your controls hold up against an adversary chaining several weaknesses together — the failure mode scanners miss.
For systems supporting essential services, the working baseline is an annual penetration test, plus a fresh test after any major architectural change. A SaaS provider that re-platforms its authentication stack and then waits twelve months for the next scheduled test has a gap it will struggle to defend. One concrete example: a manufacturer's scanner reported clean for a year; then a pen test found that a legacy VPN appliance, which was out of scope for the scanner, gave domain admin in two hops. That finding is exactly what (f) exists to surface.
Pair the test with a coordinated vulnerability disclosure policy published on your site with a named security contact. That's not optional polish — it's part of how Article 21(2)(e) on vulnerability handling and (f) on effectiveness reinforce each other.
Does NIS2 Apply to Your Organisation? (decision tree, reproduced as text)
1. Does your organisation operate in an essential or important sector (energy, transport, health, digital infrastructure, etc.)? No: NIS2 does not directly apply to your organisation. Yes: go to 2.
2. Does your organisation have 50 or more employees, or an annual turnover exceeding €10 million? Yes: NIS2 applies to your organisation as an Essential or Important Entity. No: go to 3.
3. Is your organisation a critical infrastructure provider or a qualified trust service provider? Yes: NIS2 may apply to your organisation; seek legal advice to confirm your status. No: NIS2 does not directly apply to your organisation.
Effectiveness gaps cascade into the rest of your obligations
A weak effectiveness loop doesn't stay contained. It propagates.
Miss a control failure in your own environment and you carry that blind spot into every incident report you file — because you can't accurately describe what failed if you never measured whether it worked. It also undermines your supply chain obligations under Article 21(2)(d): if you can't demonstrate your own controls are effective, you can't credibly attest to them when a client's procurement team asks. And board members now sit in the personal-liability line for governance failures, so an effectiveness programme that exists only on paper becomes their exposure, not just yours.
NIS2 Penalty Escalation — Beyond the Fine (figure, reproduced as text)
Trigger event: non-compliance detected or an incident occurs; a supervisory authority identifies a compliance gap or an organisation fails to meet NIS2 requirements.
Authorities can impose (non-monetary penalties): 1. compliance orders with binding deadlines; 2. mandatory security audits at your expense; 3. public disclosure of violations; 4. binding instructions on specific security measures.
Escalates to (operational & personal consequences): 1. suspension of certifications or operating licences; 2. temporary ban on management functions for individuals; 3. public naming of responsible natural persons.
What MSPs and vCISOs should operationalise this quarter
The organisations that handle (f) well don't run a bigger audit. They run a tighter loop.
Build a single effectiveness register that maps each Article 21 control to its test method, last test date, result, and remediation owner. Set the cadence: continuous monitoring for KPIs, quarterly management review, annual independent assessment and penetration test. Close the loop visibly — every finding gets a ticket, an owner, and a re-test date, so you can show a regulator the gap and the fix in the same view.
The deliverable that wins an audit isn't a clean report. It's a documented finding from six months ago, the remediation, and the re-test that confirmed it closed. That sequence proves the loop is real.
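As an added worked example, not code from the original article, here is a minimal effectiveness register in Python that applies the loop described above. Given a list of controls mapped to test method, cadence, last test date and findings, it flags controls whose evidence is stale or superseded by a major change, findings that lack a ticket, owner or re-test date, findings still open across two consecutive audits, and lists the closed finding-to-ticket-to-re-test chains that make up the audit evidence. The cadence values, control entries, owners, ticket references and dates are constructed assumptions, not real data.

```python
"""Effectiveness register checker for NIS2 Article 21(2)(f).

Added example, not code from the original article. All control names,
dates, tickets and owners are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed cadences in days, matching the loop the article proposes:
# continuous KPI monitoring, quarterly management review, annual independent test.
CADENCE_DAYS = {"continuous": 30, "quarterly": 91, "annual": 365}


@dataclass
class Finding:
    finding_id: str
    opened: date
    ticket: Optional[str] = None            # remediation ticket reference
    owner: Optional[str] = None             # named remediation owner
    retest_due: Optional[date] = None       # date by which the fix must be re-tested
    closed_by_retest: Optional[date] = None  # date of the re-test that confirmed closure
    audits_seen_open: int = 1               # consecutive audits in which it was still open


@dataclass
class Control:
    measure: str                # Article 21(2) letter, e.g. "c" for business continuity
    name: str
    test_method: str            # e.g. "restore test", "pen test", "KPI: MFA coverage"
    cadence: str                # key into CADENCE_DAYS
    last_tested: Optional[date]
    last_result: str            # "pass", "fail" or "not tested"
    owner: str
    major_change_since_test: bool = False
    findings: List[Finding] = field(default_factory=list)


def overdue_controls(register: List[Control], today: date) -> List[Tuple[str, str]]:
    """Controls whose evidence is stale: never tested, past cadence, or changed since the last test."""
    out = []
    for c in register:
        if c.last_tested is None:
            out.append((c.measure, "never tested"))
            continue
        due = c.last_tested + timedelta(days=CADENCE_DAYS[c.cadence])
        if today > due:
            out.append((c.measure, "overdue since " + due.isoformat()))
        elif c.major_change_since_test:
            out.append((c.measure, "major change since last test, re-test required"))
    return out


def broken_loops(register: List[Control]) -> List[Tuple[str, str]]:
    """Open findings missing a ticket, an owner or a re-test date: the loop is not closed visibly."""
    out = []
    for c in register:
        for f in c.findings:
            if f.closed_by_retest is not None:
                continue
            required = (("ticket", f.ticket), ("owner", f.owner), ("retest_due", f.retest_due))
            missing = [name for name, value in required if value is None]
            if missing:
                out.append((f.finding_id, "missing " + ", ".join(missing)))
    return out


def repeat_findings(register: List[Control]) -> List[str]:
    """Findings still open across two or more consecutive audits: the pattern regulators read as cosmetic."""
    return [f.finding_id for c in register for f in c.findings
            if f.closed_by_retest is None and f.audits_seen_open >= 2]


def evidence_chains(register: List[Control]) -> List[Tuple[str, str, str, str]]:
    """(finding, ticket, opened, re-test date) for every closed loop: the sequence that proves the loop is real."""
    return [(f.finding_id, f.ticket, f.opened.isoformat(), f.closed_by_retest.isoformat())
            for c in register for f in c.findings
            if f.closed_by_retest is not None and f.ticket is not None]


# Constructed sample register (assumed data, not from any real organisation).
TODAY = date(2025, 6, 1)
REGISTER = [
    Control("c", "Backups", "restore test", "quarterly", date(2025, 5, 10), "pass", "ops-lead",
            findings=[Finding("F-001", date(2024, 11, 20), ticket="OPS-412", owner="ops-lead",
                              retest_due=date(2025, 2, 1), closed_by_retest=date(2025, 1, 28))]),
    Control("j", "MFA coverage", "KPI: MFA coverage", "continuous", date(2025, 4, 1), "fail", "iam-lead",
            findings=[Finding("F-002", date(2024, 9, 1), ticket="IAM-77", audits_seen_open=2)]),
    Control("e", "External pen test", "pen test", "annual", date(2024, 9, 15), "pass", "ciso",
            major_change_since_test=True),
    Control("h", "TLS configuration", "config review", "annual", None, "not tested", "platform-lead"),
]


if __name__ == "__main__":
    print("overdue controls:", overdue_controls(REGISTER, TODAY))
    print("broken loops:", broken_loops(REGISTER))
    print("repeat findings:", repeat_findings(REGISTER))
    print("evidence chains:", evidence_chains(REGISTER))
```

On the sample register the checker reports the MFA KPI as overdue, the pen test as needing a re-run because the architecture changed after it, the TLS review as never tested, finding F-002 as both a repeat finding and an open loop with no owner or re-test date, and finding F-001 as a complete chain from finding to ticket to confirming re-test. That last row is the evidence the article says wins an audit; the other rows are what a regulator would read as a cosmetic programme.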
For your clients, this is also the most defensible upsell you have. "We test whether your controls work and prove it to your regulator" is a sharper pitch than "we manage your security." Effectiveness assessment is the one measure that turns compliance work into demonstrable assurance.
If you're not sure where your clients' effectiveness gaps sit today, start with a structured readiness assessment that maps current controls against all ten Article 21 measures — including the one most teams skip. Run a free NIS2 quick scan to see where the gaps are before an auditor does.
For the full breakdown of the other nine measures, see our Article 21 ten measures explained guide, and pair it with our step-by-step gap analysis.
