NIS2 Directive, Article 21(2) of Directive (EU) 2022/2555

The ten cybersecurity risk-management measures.

Article 21(2).

Article 21 of the NIS2 Directive requires Member States to ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems. These measures shall be based on an all-hazards approach and shall include at least the following ten areas.

(a) Risk analysis & information security policies.

Organisations must establish and maintain policies on risk analysis and information system security. This includes defining a governance framework, conducting regular risk assessments, maintaining a risk register, and establishing review cycles for security policies. Konforme’s assessment covers policy maturity, risk register completeness, and governance structure.

(b) Incident handling.

Procedures for the prevention, detection, and response to incidents, including escalation paths and notification obligations. NIS2 introduces strict incident reporting timelines — an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. Konforme tracks your incident handling maturity and response plan readiness.

(c) Business continuity & crisis management.

Business continuity management including backup management, disaster recovery, and crisis management. Organisations must ensure they can maintain essential functions during and after an incident. Konforme scans your cloud backup configurations and assesses your BCP/DRP documentation maturity.

(d) Supply chain security.

Security-related aspects concerning the relationships between each entity and its direct suppliers or service providers. This includes assessing supplier risk, contractual security requirements, and monitoring the supply chain for vulnerabilities. Konforme evaluates your vendor risk management processes and third-party controls.

(e) Network & information systems security.

Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure. Konforme’s technical scanner checks your AWS and Azure configurations against NIS2-mapped controls for network segmentation, firewall rules, VPC security, and vulnerability management.

(f) Effectiveness assessment.

Policies and procedures to assess the effectiveness of cybersecurity risk-management measures. Organisations must regularly test and evaluate their security posture. Konforme provides continuous scoring that shows exactly where your compliance gaps are and how they’re trending over time.

(g) Cyber hygiene & training.

Basic cyber hygiene practices and cybersecurity training for staff. NIS2 explicitly requires that management bodies undergo training as well. Konforme’s employee training campaigns let you assign policy acknowledgments and security quizzes, track completion, and build an audit trail.

(h) Cryptography & encryption.

Policies and procedures regarding the use of cryptography and, where appropriate, encryption. Konforme’s technical scanner checks encryption-at-rest and in-transit configurations across your cloud infrastructure — S3 buckets, RDS instances, EBS volumes, Azure Storage, and more.

(i) HR security & access control.

Human resources security, access control policies, and asset management. This covers the full employee lifecycle from onboarding to offboarding, role-based access control, and least-privilege principles. Konforme checks IAM configurations, password policies, and assesses your HR security processes.

(j) Multi-factor authentication.

The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity. Konforme checks MFA enforcement across your cloud accounts and assesses your authentication posture holistically.

Konforme maps every assessment and control to these ten requirements.

  1. Article 21(2) of Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022.
  2. The measures listed above represent the minimum requirements. Member States may impose additional measures through national transposition.
  3. Essential entities are subject to proactive supervision; important entities are subject to reactive supervision.