NIS2 Article 21 Technical Measures: The Complete Security Requirements Breakdown for 2026

NIS2 Article 21 defines 10 mandatory security measures every essential and important entity must implement. Complete breakdown of each requirement with implementation guidance, audit evidence expectations, and compliance timeline.

Article 21 of the NIS2 Directive is the technical backbone of EU cybersecurity compliance. While Article 20 addresses governance and board liability, Article 21 defines the specific security measures that essential and important entities must implement. Not “should consider.” Not “may adopt.” Must implement.

Yet most organizations we speak with cannot name all 10 measures, let alone demonstrate compliance with each one. This guide breaks down every Article 21 requirement, explains what auditors expect as evidence, and provides practical implementation guidance based on real enforcement actions already underway across the EU.

What Article 21 Requires

Article 21(1) states that essential and important entities shall take “appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems.” These measures must be based on an “all-hazards” approach and aim to protect the confidentiality, integrity, availability, and authenticity of data.

Article 21(2) enumerates 10 specific areas these measures must cover. Each one is mandatory, not optional. The proportionality principle means the depth and sophistication of implementation varies by entity size and risk profile — but every entity must address every area.

Here is the complete breakdown.

The 10 Mandatory Security Measures

1. Risk Analysis and Information System Security Policies

Requirement: Entities must conduct and maintain a comprehensive risk analysis of their information systems and implement security policies addressing identified risks.

What this means in practice:

  • A documented risk assessment methodology (ISO 27005, NIST RMF, or equivalent)
  • Risk register covering all in-scope assets, threats, and vulnerabilities
  • Risk treatment decisions documented (accept, mitigate, transfer, avoid)
  • Information security policy approved by management body
  • Regular reassessment cycle (annually at minimum, or after significant changes)

Audit evidence expected:

  • Risk assessment report (dated, within 12 months)
  • Risk register with current status
  • Board-approved security policy with signature and date
  • Evidence of periodic review (meeting minutes, change logs)

Common gap: Organizations conduct risk assessments but fail to maintain them. An 18-month-old risk assessment is a finding. Auditors check the date first.

2. Incident Handling

Requirement: Procedures for detecting, analyzing, and responding to cybersecurity incidents, including the three-phase reporting obligations under Article 23.

What this means in practice:

  • Documented incident response plan with defined roles and escalation paths
  • Detection capabilities (SIEM, EDR, log monitoring, or equivalent)
  • Incident classification framework (severity levels)
  • Communication procedures for internal stakeholders and external reporting
  • Integration with national CSIRT reporting requirements (24h/72h/1 month timeline)

Audit evidence expected:

  • Incident response plan document (current version, recently reviewed)
  • Tabletop exercise results (within 24 months)
  • Incident log or register (including near-misses)
  • Evidence of CSIRT reporting capability (portal access configured, contact details confirmed)

For the complete reporting timeline and requirements, see our NIS2 Incident Reporting Requirements guide.

3. Business Continuity and Crisis Management

Requirement: Business continuity plans, backup management procedures, and disaster recovery capabilities.

What this means in practice:

  • Business continuity plan (BCP) covering critical operations
  • Disaster recovery plan (DRP) with defined RTOs and RPOs
  • Backup strategy (3-2-1 rule: 3 copies, 2 media types, 1 offsite)
  • Crisis communication plan
  • Regular testing of BCP/DRP (at least annually)

Audit evidence expected:

  • BCP and DRP documents (current, tested)
  • Backup logs showing successful completion
  • Recovery test results demonstrating RTO/RPO achievement
  • Crisis management team roster with contact details

Common gap: Having a BCP that exists on paper but has never been tested. Untested plans are worth less than no plan, because they create a false sense of readiness.

4. Supply Chain Security

Requirement: Security practices covering supply chain relationships, including supplier risk assessment and contractual security requirements.

What this means in practice:

  • Complete ICT supplier inventory
  • Critical supplier identification and classification
  • Supplier security assessment program (questionnaires, certifications, audits)
  • Contractual security clauses (data processing agreements, security SLAs)
  • Ongoing monitoring of supplier security posture

Audit evidence expected:

  • ICT supplier register (complete, current)
  • Critical supplier list with risk ratings
  • Security assessment records for critical suppliers
  • Contract templates with security clauses
  • Evidence of periodic supplier review

This is one of the highest-priority areas for auditors. France’s ANSSI and Germany’s BSI both focus heavily on supply chain documentation. See our NIS2 France ANSSI Compliance Guide and BSI NIS2 Enforcement Guide for country-specific expectations.

5. Security in Network and Information Systems Acquisition, Development, and Maintenance

Requirement: Security considerations integrated into the acquisition, development, and maintenance of systems.

What this means in practice:

  • Secure development lifecycle (SDL) practices
  • Security requirements in procurement specifications
  • Configuration management and hardening standards
  • Patch management procedures
  • Change management controls
  • Code review and security testing for custom development

Audit evidence expected:

  • SDL policy or secure coding standards
  • Procurement security requirements template
  • Patch management logs (current patch status)
  • Configuration baseline documentation
  • Change management records with security review

6. Security Assessment of Network and Information Systems

Requirement: Regular assessment of the effectiveness of security measures.

What this means in practice:

  • Vulnerability scanning program (at least quarterly)
  • Penetration testing (at least annually for essential entities)
  • Security audits against a defined standard (ISO 27001, SOC 2, or equivalent)
  • Internal security reviews and self-assessments

Audit evidence expected:

  • Vulnerability scan reports (recent, with remediation tracking)
  • Penetration test report (within 12 months)
  • Security audit report or certification
  • Remediation tracking showing issues resolved

7. Cryptography

Requirement: Use of cryptographic tools and procedures to protect data confidentiality, integrity, and authenticity.

What this means in practice:

  • Encryption at rest for sensitive data
  • Encryption in transit (TLS 1.2+ for all external communications)
  • Key management procedures (generation, storage, rotation, revocation)
  • Cryptographic algorithm selection aligned with current standards (AES-256, RSA-2048+, ECDSA)
  • Certificate management (issuance, renewal, revocation)

Audit evidence expected:

  • Cryptographic policy document
  • Key management procedures
  • Certificate inventory with expiry dates
  • Evidence of TLS configuration (no deprecated protocols)

Country-specific note: France’s ANSSI publishes its own cryptographic guidance (Guide d’utilisation des mécanismes cryptographiques) which French entities should align with. See our NIS2 France ANSSI Compliance Guide for details.
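As an added example (not the article's own tooling, nor the checker it advertises), the following Python check turns a constructed TLS and certificate inventory into the kind of evidence record item 7 asks for: it flags deprecated protocols, RSA keys below 2048 bits, and certificates that are expired or close to renewal. The hostnames, the inventory values and the 30-day renewal lead time are assumptions.

```python
"""Added example (not the article's own tooling): turn a TLS/certificate inventory into the
Article 21(2)(h) evidence listed above: TLS 1.2+, no deprecated protocols, RSA-2048+, expiry."""
from datetime import date, timedelta

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # everything below TLS 1.2
MIN_RSA_BITS = 2048            # "RSA-2048+" per the article; ECDSA keys pass the size check
RENEWAL_LEAD_DAYS = 30         # assumption: flag certificates expiring within 30 days
# Constructed sample inventory; hostnames and values are placeholders, not real systems.
INVENTORY = [
    {"host": "portal.example.test", "protocols": ["TLSv1.2", "TLSv1.3"],
     "key": "RSA-3072", "not_after": "2027-03-01"},
    {"host": "legacy.example.test", "protocols": ["TLSv1.0", "TLSv1.2"],
     "key": "RSA-1024", "not_after": "2026-02-15"},
    {"host": "api.example.test", "protocols": ["TLSv1.3"],
     "key": "ECDSA-256", "not_after": "2026-01-20"},
]

def parse_key(spec):
    """'RSA-3072' -> ('RSA', 3072); rejects anything that is not RSA-<bits> or ECDSA-<bits>."""
    alg, _, bits = spec.partition("-")
    if alg not in ("RSA", "ECDSA") or not bits.isdigit():
        raise ValueError(f"unrecognised key spec: {spec!r}")
    return alg, int(bits)

def findings_for(entry, today):
    """Findings for one endpoint; an empty list means the endpoint meets the stated criteria."""
    findings = []
    deprecated = sorted(DEPRECATED_PROTOCOLS & set(entry["protocols"]))
    if deprecated:
        findings.append(f"deprecated protocol enabled: {', '.join(deprecated)}")
    if not {"TLSv1.2", "TLSv1.3"} & set(entry["protocols"]):
        findings.append("no TLS 1.2+ offered")
    alg, bits = parse_key(entry["key"])
    if alg == "RSA" and bits < MIN_RSA_BITS:
        findings.append(f"weak key: {entry['key']}")
    not_after = date.fromisoformat(entry["not_after"])
    if not_after < today:
        findings.append(f"certificate expired on {not_after}")
    elif not_after - today <= timedelta(days=RENEWAL_LEAD_DAYS):
        findings.append(f"certificate expires on {not_after} (renew now)")
    return findings

def audit(inventory, today_iso):
    """Map host -> findings for the audit date (ISO string); this is the evidence record."""
    today = date.fromisoformat(today_iso)
    return {e["host"]: findings_for(e, today) for e in inventory}

if __name__ == "__main__":
    for host, items in audit(INVENTORY, "2026-02-01").items():
        print(f"{host}: {'OK' if not items else '; '.join(items)}")
```

Run against a real inventory export, the per-host findings list is what goes into the certificate inventory and TLS configuration evidence, with an empty list documenting a compliant endpoint.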

8. Human Resource Security

Requirement: Security practices related to personnel, including training, background screening, and access management.

What this means in practice:

  • Security awareness training program (all employees, annually)
  • Role-based security training (IT staff, developers, management)
  • Background screening for privileged access roles
  • Access management policies (least privilege, need-to-know)
  • Onboarding/offboarding procedures with security checkpoints
  • Disciplinary processes for security violations

Audit evidence expected:

  • Training records (attendance, completion rates, content)
  • Background screening policy and records (anonymized for audit)
  • Access management policy
  • Onboarding/offboarding checklists with security items
  • Evidence of access reviews (at least quarterly)

9. Hygiene Practices and Cybersecurity Training

Requirement: Basic cybersecurity hygiene practices and cybersecurity training for all staff.

What this means in practice:

  • Multi-factor authentication (MFA) on all critical systems
  • Password policy aligned with current guidance (NIST SP 800-63B or equivalent)
  • Endpoint protection (antivirus, EDR) on all managed devices
  • Email security controls (SPF, DKIM, DMARC)
  • Regular security awareness campaigns
  • Phishing simulation exercises
  • Clear desk and screen lock policies

Audit evidence expected:

  • MFA enrollment rates
  • Endpoint protection deployment coverage
  • Email authentication records (SPF/DKIM/DMARC)
  • Phishing simulation results and improvement trends
  • Training completion records

10. Use of Multi-Factor Authentication and Continuous Authentication Solutions

Requirement: Implementation of multi-factor authentication or continuous authentication solutions.

What this means in practice:

  • MFA deployed on:
    • Remote access (VPN, remote desktop)
    • Privileged accounts (admin, root, service accounts)
    • Cloud services and SaaS applications
    • Email systems
    • Critical business applications
  • Continuous authentication for high-risk sessions (behavioral analysis, session management)
  • MFA methods that meet minimum security standards (not SMS-only)

Audit evidence expected:

  • MFA deployment documentation (systems covered, method used)
  • Exception list for systems without MFA (with compensating controls)
  • MFA bypass procedure (with approval documentation)
  • Identity and access management architecture diagram

Common gap: Implementing MFA but allowing SMS as the only second factor. NIS2 enforcement authorities consider SMS-based MFA insufficient for critical systems. Hardware tokens or authenticator apps are expected.

How Article 21 Connects to Other NIS2 Requirements

Article 21 does not exist in isolation. It connects to several other NIS2 provisions:

  • Article 20 (Governance): Management bodies must approve and oversee Article 21 measures. Personal liability attaches to governance failures. See our NIS2 Board Liability guide.

  • Article 23 (Incident Reporting): The incident handling measures in Article 21(2)(b) must support the 24-hour early warning, 72-hour notification, and 1-month final report timeline. See our NIS2 Incident Reporting Requirements.

  • Article 22 (Registration): Entities must register with their national competent authority and demonstrate Article 21 compliance as part of the registration process.

  • Penalties (Article 35-36): Failure to implement Article 21 measures triggers the maximum penalty regime: €10M or 2% of global turnover for essential entities, €7M or 1.4% for important entities. See our NIS2 Penalties and Fines guide.

Implementation Priority Matrix

Not all 10 measures carry equal audit risk. Based on enforcement actions observed across EU member states, here is the priority matrix:

Priority   Measure                                  Audit Focus                               Typical Gap
Critical   Incident Handling                        Reporting capability, test history        Untested IR plans
Critical   Supply Chain Security                    Supplier register, assessments            No register exists
Critical   Governance (risk analysis + policies)    Board approval, documentation currency    Stale risk assessments
High       Business Continuity                      BCP/DRP testing, backup verification      Paper-only BCP
High       HR Security / Training                   Training records, access reviews          No training records
High       Cryptography                             TLS config, key management                Deprecated protocols
Medium     Security Assessment                      Vuln scanning, pentest reports            Irregular scanning
Medium     Hygiene / MFA                            MFA deployment, endpoint coverage         SMS-only MFA
Medium     Secure Development                       SDL practices, patch management           No SDL policy
Standard   System Acquisition                       Procurement security requirements         No procurement criteria

Recommendation: If your organization has limited time before a supervisory visit, focus on the three critical items first. An entity with documented risk analysis, tested incident response, and a complete supplier register is in a significantly stronger position than one with perfect cryptography but none of the three.

Cost of Implementation

For organizations budgeting Article 21 compliance, see our detailed NIS2 Compliance Cost guide. Quick summary:

Entity Type                     Typical Total Investment    Timeline
Essential (250+ employees)      €150,000 – €2,000,000+      6–18 months
Important (50–249 employees)    €30,000 – €500,000          3–12 months

Free Tools to Assess Your Article 21 Readiness

  • NIS2 Compliance Checker: Free tool that assesses your entity classification and identifies gaps across all 10 Article 21 measures in under 5 minutes.

  • NIS2 Compliance Checklist PDF: Downloadable 15-point checklist covering every Article 21 domain with actionable items.

  • Cyber Risk Calculator: Estimate your financial risk exposure from non-compliance and calculate the ROI of compliance investment.

The Bottom Line

Article 21 is the technical core of NIS2. Every measure is mandatory. Every measure requires documented evidence. Every measure will be examined during a supervisory visit.

The entities that will face the most difficulty are not those that lack sophisticated security tools, but those that lack documentation and evidence of the measures they have already implemented. A well-documented, tested, and maintained set of basic controls consistently outperforms a sophisticated but undocumented security architecture in a NIS2 audit.

Start with the three critical measures. Document everything. Test what you can. And if you need a structured approach, download the free checklist and work through it systematically.


Sources:

  • European Parliament and Council (2022). Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive). Official Journal of the European Union.
  • ENISA (2024). Technical guidance on the security measures of Article 21. Athens: ENISA.
  • ANSSI (2025). Guide d’utilisation des mécanismes cryptographiques. Paris: ANSSI.
  • NIST (2020). SP 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management. Gaithersburg: NIST.
