How to Ensure Compliance with NIS 2 Article 21
Jessica Doering

March 19, 2025

3 minutes reading time

NIS 2 Article 21 - Cybersecurity risk management measures

Again, it is worth mentioning that of the 45 articles in the NIS 2 Directive, only three are directly relevant for companies that want to comply with it. One of them is Article 21; Article 20 (Governance) and Article 23 (Reporting Obligations) also play a significant role. This blog post covers NIS 2 Article 21, Cybersecurity Risk Management Measures, and how ISO 27001 addresses this area.

NIS 2 Article 21: Cybersecurity risk management measures

The fact that cyber threats are constantly evolving is nothing new. Therefore, the European Union has introduced new and stricter regulations (like the NIS 2 directive) for organizations operating in essential sectors.

An important aspect of this directive is Article 21, which outlines the requirements for cybersecurity risk management measures.

What is NIS 2?

The NIS 2 Directive (Network and Information Security 2) is an update of the original NIS Directive that expands its scope and strengthens cybersecurity requirements. The directive applies to a wide range of sectors deemed critical to the functioning of society, including energy, healthcare, finance, public administration, and digital infrastructure. Read more about it on this blog.

Article 21: Core Requirements of Cybersecurity Risk Management

Article 21 of NIS 2 focuses on ensuring that organizations adopt a comprehensive and risk-based approach to managing cybersecurity risks. The main requirements include:

  • Risk Assessment: Companies must regularly assess the risks associated with their IT and OT (Operational Technology) infrastructure. This involves identifying vulnerabilities, potential threats, and the likelihood of cyberattacks that could affect the availability, integrity, and confidentiality of essential services.

  • Security Policies and Procedures: Organizations are required to implement formal security policies. These policies should cover areas such as access control, patch management, network security, incident detection, and response.

  • Supply Chain Security: Businesses must also take steps to secure their supply chains. This means evaluating the cybersecurity posture of third-party vendors and partners and ensuring that they meet minimum security standards.

  • Incident Response and Recovery: Article 21 emphasizes the importance of having a well-defined incident response process. This includes the capability to detect, respond to, and recover from cybersecurity incidents quickly and effectively.

  • Use of State-of-the-Art Technology: Organizations are encouraged to employ state-of-the-art technologies and best practices to enhance their cybersecurity resilience. This includes adopting advanced tools for threat detection, monitoring, and defense.

  • Training and Awareness: A critical aspect of risk management is ensuring that staff are aware of cybersecurity risks and are regularly trained on the latest security practices. Building a culture of security awareness is vital in reducing human errors that could lead to cyber incidents.

Why is Article 21 (NIS 2) significant?

The introduction of Article 21 is a clear signal that the European Union is serious about improving cybersecurity standards in critical sectors. The mandatory implementation of risk management measures is intended to ensure that organizations take a proactive approach to security, rather than simply reacting to threats after they have materialized. By focusing on prevention and damage control, NIS 2 aims to create a more resilient and secure digital infrastructure across Europe.

Failure to comply with Article 21 can result in severe consequences, including fines, reputational damage, and even temporary suspension of operations. For businesses, compliance is not just about avoiding penalties, but also about protecting their operations and maintaining the trust of customers and stakeholders.

Mapping ISO 27001 to NIS 2 Article 21

Organizations that are already certified to ISO 27001, the international standard for information security management, are well placed to meet the requirements of Article 21. ISO 27001 provides a framework for risk assessment, incident management and continuous improvement that closely matches the risk management measures outlined in NIS 2.

However, organizations should conduct a gap analysis to confirm that every aspect of Article 21 is covered, particularly supply chain security and the use of state-of-the-art technology, since these are the areas where an existing ISO 27001 scope is most likely to fall short.

How Secfix Can Help

Navigating the complexities of NIS 2 compliance can be challenging, but with the right tools and support, it is doable. At Secfix, we specialize in helping organizations automate their cybersecurity risk management processes and ensure compliance with standards such as ISO 27001 and NIS 2. Our platform makes it easier to conduct risk assessments, monitor third-party providers, and comply with the latest security measures.

With our automated platform, organizations can simplify the compliance process, save time, and reduce the risk of costly penalties. If you are preparing for NIS 2, let Secfix help you create a resilient, secure, and compliant cybersecurity framework.

Book a consultation with us.


Jessica Doering

Jess is the marketing mind at Secfix. She loves every dog on this planet!

NIS 2

ISO 27001
