NIS2 Article 21: the 10 cybersecurity measures explained
Article 21 is the operational heart of NIS2: ten minimum measures every entity must implement and, crucially, be able to prove.
What Article 21 requires
Article 21 of NIS2 requires in-scope entities to take 'appropriate and proportionate technical, operational and organisational measures' to manage cyber risk. It then lists ten minimum measures. The expectation isn't just to have them; it's to be able to demonstrate them on request.
The ten measures
1. Risk analysis and information system security policies.
2. Incident handling: detection, response and recovery.
3. Business continuity: backups, disaster recovery and crisis management.
4. Supply-chain security, including the security of supplier relationships.
5. Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
6. Policies and procedures to assess the effectiveness of risk-management measures.
7. Basic cyber hygiene practices and cybersecurity training.
8. Policies on the use of cryptography and, where appropriate, encryption.
9. Human-resources security, access-control policies and asset management.
10. Multi-factor authentication, secured communications, and secured emergency communications where appropriate.
The hard part: proving it continuously
Having a policy on paper is not the same as evidencing the measure in practice. Regulators (and auditors) increasingly want to see that controls are live and effective; measure 6 literally requires you to assess their effectiveness.
That means continuous evidence: who changed what, when, and whether the control actually fired. Screenshots and once-a-year spreadsheets don't hold up.
How Alexus maps to Article 21
Alexus scores you continuously against each of the ten measures, with a per-control evidence trail you can drill into. Asset management and access control draw on a live, reconciled inventory; incident handling and effectiveness assessment draw on the operational graph; every change is hash-chained for the audit trail.
The result: when someone asks 'show me measure 4', the answer is a query, not a fire drill. This article is general guidance, not legal advice.