Core Cybersecurity Risk-Management Measures Under NIS2

1. From NIS1 to NIS2: Why Risk-Management Is Now Central

NIS2 (Directive (EU) 2022/2555) significantly raises the bar for cybersecurity in the EU. Since it had to be transposed by 18 October 2024 (about 1 year ago relative to today), most Member States now have national laws in force or in late-stage drafting.

Under NIS1, security obligations were often high-level and unevenly enforced. NIS2 changes this by:

• Defining a core set of risk-management measures in Article 21(2).
• Making these measures mandatory for both essential and important entities (see your earlier module on scope).
• Linking them tightly to supervision and sanctions (Articles 31–34).

NIS2 is technology-neutral and risk-based:

• It does not prescribe specific products or tools.
• It requires entities to implement appropriate and proportionate technical, operational and organisational measures (TOMs) to manage cybersecurity risks.
• These measures must cover network and information systems, the physical environment, and people/processes.

For this module, we treat Article 21(2) as the core checklist, and we map it to ISO/IEC 27001:2022 and related standards (e.g., ISO/IEC 27002:2022, ISO 22301, ISO 27035, ISO 27036, ISO 27005). Your task is to understand each NIS2 requirement and translate it into concrete controls and risk-based choices.

> Key framing: Think of NIS2 Article 21(2) as “what must be covered”, and ISO 27001 + other frameworks as “how to implement it in a structured way.”

2. Article 21(2) Overview: The NIS2 Risk-Management Menu

Article 21(2) lists the minimum areas your measures must cover. Paraphrased and grouped, they are:

1. Risk analysis and information system security policies
2. Incident handling (detection, response, reporting)
3. Business continuity & crisis management (including backup, disaster recovery)
4. Security in supply chains and supplier relationships
5. Security in network and information systems acquisition, development and maintenance (including vulnerability handling and disclosure)
6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
7. Basic cyber hygiene and cybersecurity training
8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption
9. Human resources security, access control policies and asset management
10. Use of multi-factor authentication (MFA), continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems

Each of these is mandatory in scope, but implementation is risk-based and proportionate:

• A small regional water utility and a pan-European cloud provider must both address incident handling, but the depth and tooling will differ.
• Supervisory authorities will assess whether measures are appropriate given the entity’s risk profile, not whether it copied a specific standard.

In the next steps, we unpack these clusters, map them to ISO 27001 controls, and explore how far you need to go under the proportionality principle.

3. Risk Analysis & Security Policies: Building the NIS2 Control Spine

3.1 What NIS2 Requires

Article 21(2)(a) requires:

> “policies on risk analysis and information system security”

This is the foundation: if your risk analysis and policies are weak, all other measures become arbitrary.

3.2 Mapping to ISO/IEC 27001:2022

Key mappings:

• Clause 4–6: Context of the organization, needs and expectations, risk assessment and treatment.
• Annex A controls (selected):
• A.5.1 Policies for information security
• A.5.3 Segregation of duties
• A.5.7 Threat intelligence
• A.5.9 Inventory of information and other associated assets
• A.5.10 Acceptable use of information and associated assets
• A.5.12 Classification of information
• ISO/IEC 27005: risk management methodology.

3.3 What “Good Enough” Looks Like (for NIS2)

A NIS2-compliant setup typically includes:

1. Formal risk management methodology

• Documented in a policy (e.g., based on ISO 27005 or ENISA guidance).
• Defines impact criteria (e.g., safety, service continuity, data protection, financial loss, reputational impact).
• Defines likelihood scales, risk matrix, and treatment options.

1. Up-to-date asset inventory and criticality classification

• Systems, applications, data sets, networks, facilities.
• Criticality mapped to essential/important services under NIS2.

1. Information security policy suite

• Top-level Information Security Policy approved by top management.
• Supporting policies: access control, acceptable use, mobile/BYOD, remote access, backup, logging & monitoring, etc.

1. Risk register and treatment plans

• Documented high-risk scenarios, owners, deadlines, and chosen controls.

3.4 Edge Case to Consider

• Entity already ISO 27001 certified:
• Usually close to NIS2-compliant, but not automatically compliant.
• You must check that the scope of the ISMS covers all NIS2-relevant services and systems, and that NIS2-specific topics (e.g., secured emergency communications) are explicitly addressed.

> Take-away: For NIS2, you need traceability from risk → policy → controls → evidence. ISO 27001 provides the structure, but you must align the scope and risk criteria with NIS2’s focus on essential/important services.

4. Thought Exercise: Designing a Minimal NIS2 Risk Methodology

Imagine you are the security lead of a mid-sized electricity distribution operator (an essential entity under NIS2) in an EU Member State where the national NIS2 law entered into force in mid-2025.

Your board asks for a 2-page summary of your cybersecurity risk-management approach to show the regulator during an upcoming inspection.

Task: Sketch the outline of that 2-page document. In bullet points, write down:

1. Risk criteria:

• Which impact dimensions will you use (e.g., safety, supply continuity, environment, financial, legal)?
• How will you grade them (e.g., 1–5)?

1. Risk sources & scenarios:

• List at least 5 threat scenarios specific to electricity distribution (e.g., compromise of SCADA, ransomware on billing systems, OT–IT gateway abuse).

1. Method steps:

• How often do you reassess risks?
• Who is involved (roles, not names)?
• How do you decide when a risk is unacceptable and must be treated?

1. Link to controls:

• For one high-risk scenario, write how you would link it to at least three concrete controls (e.g., network segmentation, MFA, incident playbook).

> Reflection: After you draft your outline, ask yourself: Would a regulator be able to see that my controls are clearly driven by risk, not just best-practice checklists?

5. Incident Handling & Reporting: From Detection to Lessons Learned

5.1 NIS2 Requirements

Article 21(2)(b)–(c) covers:

• Incident handling
• Business continuity and crisis management (we focus on continuity later; here we emphasize incident handling itself)

These link to Articles 23–24 on incident notification (early warning, incident notification, final report) with strict timeframes.

5.2 Mapping to ISO & Related Standards

• ISO/IEC 27001 Annex A:
• A.5.26 Response to information security incidents
• A.8.7 Event logging
• A.8.15 Logging and A.8.16 Monitoring activities
• A.8.23 Web filtering, A.8.24 Use of privileged utility programs (supporting controls)
• ISO/IEC 27035-1/2: Incident management principles and procedures.
• ENISA guidance on incident reporting under NIS2 (drafts and final documents published around 2023–2025).

5.3 Practical Control Set

A risk-based NIS2 implementation usually includes:

1. Incident Management Policy & Playbooks

• Defined severity levels (e.g., SEV1–SEV4) with mapped actions.
• Playbooks for top scenarios: ransomware, DDoS, data exfiltration, OT system compromise.

1. Detection & Monitoring

• Centralized logging (SIEM or log management) for critical systems.
• Alerting thresholds aligned with NIS2’s notion of a “significant incident” (impact on service, duration, geographical spread).

1. Structured Response Process

• Triage → Containment → Eradication → Recovery → Post-incident review.
• Clear roles: incident manager, communications lead, legal/compliance, business owner.

1. Regulatory Reporting Workflow

• Internal trigger conditions for NIS2 reporting (e.g., service unavailability > X hours, serious impact on safety).
• Templates for early warning and incident notification including required fields (time, cause, impact, mitigation, cross-border effect).
• Coordination with data protection officer if GDPR personal data breach reporting is also required.

1. Lessons Learned & Control Improvement

• Root cause analysis (technical + organizational).
• Systematic update of risk register and controls.

5.4 Edge Case

• Cloud-reliant SMEs as “important entities”:
• They may have limited in-house SOC capabilities.
• Proportionate implementation can rely on managed detection and response (MDR), but the entity remains accountable under NIS2 and must ensure the provider’s SLAs and reporting support NIS2 incident timeframes.

> Take-away: Under NIS2, incident handling is not just a technical function. It is a regulated process with legal deadlines and documentation requirements.

6. Quick Check: Incident Handling Under NIS2

Test your understanding of how incident handling links to NIS2 obligations.

7. Business Continuity, Crisis Management & Backup: Keeping Services Alive

7.1 NIS2 Requirements

Article 21(2)(c) explicitly includes:

• Business continuity
• Crisis management
• Backup management

The focus is on service continuity, not just data availability.

7.2 ISO & Related Standards

• ISO 22301:2019 – Business continuity management systems.
• ISO/IEC 27001 Annex A:
• A.5.29 Information security during disruption
• A.8.13 Information backup
• A.5.30 ICT readiness for business continuity

7.3 Practical Implementation

1. Business Impact Analysis (BIA)

• Identify critical processes linked to NIS2 services.
• Define Maximum Tolerable Downtime (MTD) and Recovery Time Objective (RTO) for key systems.

1. Continuity & Disaster Recovery Plans

• Documented procedures for switching to alternate sites, manual workarounds, or degraded modes.
• Clear escalation trees and decision thresholds for crisis declaration.

1. Backup Strategy

• Risk-based selection of RPO (Recovery Point Objective) per system.
• 3-2-1 principle: 3 copies, 2 media types, 1 off-site/immutable.
• Regular restore tests and documentation.

1. Crisis Management Structures

• Crisis team with defined roles (CEO/COO, CISO, legal, communications, operations).
• Crisis communication plan (internal, regulators, media, customers).
• Coordination with national CSIRTs and sectoral authorities.

7.4 Proportionality Examples

• Large telecom operator (essential):
• Geo-redundant data centers, hot standby for critical systems, complex crisis simulation exercises.

• Mid-sized waste management company (important):
• Nightly backups to cloud, tested quarterly; documented manual fallback processes; tabletop exercises once per year.

> Take-away: Under NIS2, backups and DR are not optional good practices. They are explicitly mandated and must be demonstrably aligned with service continuity requirements.

8. Supply Chain, Secure Development & Vulnerability Management

8.1 NIS2 Requirements

Article 21(2)(d)–(e) covers:

• Security in supply chains and supplier relationships
• Security in the acquisition, development and maintenance of network and information systems, including:
• Vulnerability handling.
• Coordinated vulnerability disclosure (CVD) where appropriate.

Given recent high-profile supply-chain attacks (e.g., SolarWinds, Kaseya), NIS2 places strong emphasis on third-party risk.

8.2 ISO Mapping

• ISO/IEC 27001 Annex A:
• A.5.19 Information security in supplier relationships
• A.5.20 Addressing information security within supplier agreements
• A.5.21 Managing information security in the ICT supply chain
• A.8.25 Secure development life cycle
• A.8.26 Application security requirements
• A.8.27 Secure system architecture and engineering principles
• A.8.28 Secure coding
• A.8.33 Vulnerability management
• ISO/IEC 27036: Information security for supplier relationships.
• ISO/IEC 29147 & 30111: Vulnerability disclosure and handling.

8.3 Concrete Controls

1. Supplier Risk Management Framework

• Supplier classification (critical vs non-critical).
• Security clauses in contracts (MFA, logging, patching SLAs, breach notification aligned with NIS2, audit rights).
• Onboarding and periodic reassessment (e.g., questionnaires, attestations, audits).

1. Secure SDLC (for in-house or heavily customized systems)

• Security requirements in design (threat modeling).
• Code reviews and static/dynamic analysis.
• Pre-production security testing (penetration testing, fuzzing for critical components).

1. Vulnerability Management

• Centralized vulnerability register.
• Patch management policy with risk-based timelines (e.g., critical internet-facing vulnerabilities patched within X days).
• External vulnerability disclosure channel (security.txt, public PGP key, or bug bounty program for large entities).

8.4 Edge Case: Heavy Cloud Outsourcing

• A small digital infrastructure provider classified as an important entity may rely almost entirely on hyperscale cloud providers.
• Proportional NIS2 implementation still requires:
• Due diligence on provider certifications (e.g., ISO 27001, SOC 2) and their incident/continuity capabilities.
• Contractual mapping of NIS2 reporting timelines and access to logs/forensics.
• Internal processes to aggregate and act on cloud provider alerts.

> Take-away: You cannot outsource NIS2 responsibility. You can outsource implementation, but you must retain governance and assurance over third parties.

9. Quick Check: Supply Chain Security

Evaluate how NIS2 impacts supplier relationships.

10. Human Factor, Training, Cryptography & Access Control

10.1 NIS2 Requirements

Article 21(2)(f)–(j) emphasizes:

• Policies to assess effectiveness of cybersecurity measures
• Basic cyber hygiene and cybersecurity training
• Cryptography and encryption policies
• Human resources security, access control, and asset management
• MFA, continuous authentication, and secured communications (including emergency communications)

10.2 ISO Mapping

• ISO/IEC 27001 Annex A (selected):
• A.5.14 Information security in project management (for effectiveness assessment)
• A.6.3 Information security awareness, education and training
• A.8.2 Privileged access rights
• A.8.3 User access provisioning
• A.8.4 Management of secret authentication information
• A.8.5 Review of user access rights
• A.8.9 Use of cryptography
• A.8.10 Key management
• A.7.4 Physical and environmental security

10.3 Practical Controls

1. Training & Awareness

• Mandatory annual training for all staff, with role-based modules for admins, developers, and executives.
• Phishing simulations, secure remote work guidelines.

1. Access Management & MFA

• Centralized identity and access management (IAM).
• MFA for all remote access and privileged accounts; risk-based MFA for general users.
• Periodic access reviews (at least annually for high-risk systems).

1. Cryptography Policy

• Approved algorithms and key lengths (aligned with current ENISA/EU recommendations).
• Rules for TLS configuration, data-at-rest encryption, and key management (HSMs, rotation, separation of duties).

1. Effectiveness Assessment

• KPIs and KRIs (e.g., patching timelines, phishing click rates, incident MTTR).
• Internal audits and management reviews.
• Penetration testing and red teaming for high-risk entities.

1. Secured Communications & Emergency Channels

• Encrypted email and messaging for sensitive discussions.
• Out-of-band, secure emergency channels (e.g., pre-registered phone trees, secure messaging apps with verified identities) for crisis situations.

> Take-away: NIS2 explicitly pulls people, identity, and cryptography into the core risk-management discussion. Weak MFA or training can undermine even the best technical defenses.

11. Applying Proportionality: Two Contrasting Mini-Case Studies

You will compare two entities and decide how proportionality affects implementation of the same NIS2 requirement.

Case A: Regional Hospital (Essential Entity)

• Runs its own data center with electronic health records (EHR), imaging systems, and on-site labs.
• Limited but dedicated IT and security team.
• High safety and life-critical impact if systems fail.

Case B: Small Managed Service Provider (Important Entity)

• Provides remote monitoring and maintenance for HVAC systems in critical infrastructure facilities.
• Mostly cloud-based; staff are remote.
• Failure impacts comfort and potentially some safety, but usually with longer time scales.

Task: For each of the three NIS2 topics below, write down how implementation differs between A and B, while both remain compliant.

1. Incident Detection & Monitoring

• What tooling and coverage is minimally acceptable for each?
• How often should logs be reviewed or alerts tuned?

1. Backup & Disaster Recovery

• What RTO/RPO might be justified for core systems?
• How often should they test restores?

1. MFA & Access Control

• Which accounts must use MFA in each case?
• Are there any justifiable exceptions, and how would you document them risk-wise?

> Reflection: Proportionality is not an excuse to do the minimum everywhere. It is a way to allocate more security to higher-impact risks while still covering all Article 21(2) topics in a defensible way.

12. Flashcard Review: Core NIS2 Risk-Management Concepts

Flip these cards (mentally or with your own notes) to reinforce key concepts from the module.