NIS2: Cybersecurity Risk Management
Cybersecurity Risk Management Measures [Art 21]
Rule: Essential and important entities must take appropriate and proportionate technical, operational, and organizational measures to manage risks to network and information security.
Core Requirement [Art 21(1)]
Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems.
Measures must:
- Ensure a level of security of network and information systems appropriate to the risks posed
- Take into account the state of the art, relevant European and international standards where applicable, and the cost of implementation
- Be proportionate: assessed against the entity's degree of exposure to risks, its size, and the likelihood of incidents and their severity, including their societal and economic impact
10 Minimum Measures [Art 21(2)]
| # | Measure | Description |
|---|---|---|
| (a) | Risk analysis and policies | Policies on risk analysis and information system security |
| (b) | Incident handling | Procedures for incident prevention, detection, response |
| (c) | Business continuity | Backup management, disaster recovery, crisis management |
| (d) | Supply chain security | Security-related aspects of the relationships with direct suppliers and service providers; Art 21(3) requires taking into account supplier-specific vulnerabilities, the overall quality of suppliers' products and cybersecurity practices (including secure development procedures), and the results of EU coordinated supply chain risk assessments (Art 22) |
| (e) | Secure development | Security in acquisition, development, and maintenance of systems, including vulnerability handling and disclosure |
| (f) | Effectiveness assessment | Policies and procedures to assess effectiveness of risk management measures |
| (g) | Cyber hygiene and training | Basic cyber hygiene practices and cybersecurity training |
| (h) | Cryptography | Policies and procedures regarding use of cryptography and, where appropriate, encryption |
| (i) | Human resources and access control | HR security, access control policies, asset management |
| (j) | Authentication and secured communications | Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate |
Risk-Based Approach [Art 21(1)]
Assessment must consider:
| Factor | Consideration |
|---|---|
| Exposure to risks | How vulnerable is the entity? |
| Size of entity | Proportionate to resources |
| Likelihood of incidents | How probable is an attack? |
| Severity of incidents | What’s the potential impact? |
| Societal and economic impact | Effects on others if compromised |
All-Hazards Approach [Art 21(2)]
Measures must address all hazards, including:
- Cyberattacks (malware, ransomware, DDoS)
- Physical threats (fire, flood, theft)
- Human error
- System failures
- Supply chain compromises
Proportionality
Measures scale with risk, while the supervision regime follows the entity's classification rather than its size (Art 32 for essential entities, Art 33 for important entities):
| Entity Type | Expected Investment | Supervision |
|---|---|---|
| Large essential entity | Comprehensive program | Ex ante and ex post: regular and targeted security audits by an independent body or the competent authority, security scans, on-site inspections (Art 32) |
| Medium important entity | Appropriate measures | Ex post only, triggered by evidence, indication or information of alleged non-compliance (Art 33) |
| Small (if covered) | Basic protections | Same regime as its classification; certain categories (e.g. DNS service providers, TLD name registries, trust service providers) are in scope regardless of size (Art 2(2)), and size affects the proportionality of measures, not whether the entity is supervised |
Technical and Methodological Requirements [Art 21(5)]
The Commission adopts implementing acts specifying the technical and methodological requirements of the Art 21(2) measures:
- Mandatory for DNS service providers, TLD name registries, cloud computing, data centre and CDN providers, managed service and managed security service providers, online marketplaces, online search engines, social networking platforms and trust service providers (adopted as Commission Implementing Regulation (EU) 2024/2690)
- Optional for other essential and important entities, where the Commission may also lay down sector-specific requirements
The directive itself names no particular standard; Art 25 asks Member States to encourage the use of European and international standards. Frameworks commonly mapped to the Art 21(2) measures:
- ISO/IEC 27001 (information security management)
- NIST Cybersecurity Framework
- ENISA guidance documents, including its technical implementation guidance for Implementing Regulation (EU) 2024/2690
Authentication and Secured Communications [Art 21(2)(j)]
Must use where appropriate:
- MFA — Two or more authentication factors
- Continuous authentication — Ongoing verification during a session rather than a single check at login; the article names it as an alternative to MFA
- Secured voice, video, text — Encrypted communications
- Secured emergency communication systems within the entity — Channels that remain usable when primary systems are compromised or unavailable
Vulnerability Management [Art 21(2)(e)]
Must address:
- Coordinated vulnerability disclosure
- Patching and remediation processes
- Secure development lifecycle
Documentation Requirements
Art 21 does not list specific documents, but competent authorities may request documented cybersecurity policies and evidence that the measures are implemented (Art 32(2) for essential entities, Art 33(2) for important entities), so keep at least:
| Document | Purpose |
|---|---|
| Risk assessment | Document identified risks and mitigation |
| Security policies | Written policies covering all 10 measures |
| Incident response plan | Procedures for detection, containment, recovery |
| Business continuity plan | Backup, DR, crisis management |
| Training records | Evidence of staff training |
| Supplier assessments | Due diligence on third parties |
Implementation Priority
If starting from scratch, prioritize in this order:
1. Risk assessment — Understand your exposure
2. Access control + MFA — Prevent unauthorized access
3. Backup and recovery — Ensure business continuity
4. Incident handling — Prepare for breaches
5. Supply chain review — Assess vendor risks
6. Training — Build staff awareness
7. Full program — Implement all 10 measures