Requirements · 20 January 2026

NIS2 Article 21: the 10 cybersecurity measures explained

Article 21 is the operational heart of NIS2: ten minimum measures every entity must implement and, crucially, be able to prove.

What Article 21 requires

Article 21 of NIS2 requires in-scope entities to take 'appropriate and proportionate technical, operational and organisational measures' to manage cyber risk. It then lists ten minimum measures. The expectation isn't just to have them; it's to be able to demonstrate them on request.

The ten measures

1. Risk analysis and information system security policies.
2. Incident handling: detection, response and recovery.
3. Business continuity: backups, disaster recovery and crisis management.
4. Supply-chain security, including the security of supplier relationships.
5. Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
6. Policies and procedures to assess the effectiveness of risk-management measures.
7. Basic cyber hygiene practices and cybersecurity training.
8. Policies on the use of cryptography and, where appropriate, encryption.
9. Human-resources security, access-control policies and asset management.
10. Multi-factor authentication, secured communications, and secured emergency communications where appropriate.

The hard part: proving it continuously

Having a policy on paper is not the same as evidencing the measure in practice. Regulators (and auditors) increasingly want to see that controls are live and effective; measure 6 literally requires you to assess their effectiveness.

That means continuous evidence: who changed what, when, and whether the control actually fired. Screenshots and once-a-year spreadsheets don't hold up.

How Alexus maps to Article 21

Alexus scores you continuously against each of the ten measures, with a per-control evidence trail you can drill into. Asset management and access control draw on a live, reconciled inventory; incident handling and effectiveness assessment draw on the operational graph; every change is hash-chained for the audit trail.

The result: when someone asks 'show me measure 4', the answer is a query, not a fire drill. This article is general guidance, not legal advice.
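As an added illustration of the hash-chained evidence trail described above (example code, not Alexus's own implementation): each record names the Article 21 measure it evidences, who acted, when, and whether the control fired, and `verify_chain` recomputes every link so an edited, inserted or removed entry is reported by position. The record fields and sample entries are constructed for this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous link plus canonical JSON of this record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_evidence(chain: list, measure: int, actor: str, control: str,
                    fired: bool, ts: str) -> dict:
    """Append one evidence record for an Article 21 measure (1..10)."""
    if not 1 <= measure <= 10:
        raise ValueError("NIS2 Article 21 lists measures 1 to 10")
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"measure": measure, "actor": actor, "control": control,
              "fired": fired, "ts": ts}
    entry = {"prev": prev, "record": record, "hash": entry_hash(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Return (True, -1) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, -1


def evidence_for_measure(chain: list, measure: int) -> list:
    """Answer 'show me measure N' as a query over the trail."""
    return [e["record"] for e in chain if e["record"]["measure"] == measure]


def build_sample_chain() -> list:
    """Constructed sample entries; timestamps are fixed so the demo is reproducible."""
    chain = []
    append_evidence(chain, 3, "backup-job", "restore test of primary DB", True, "2026-01-12T02:00:00Z")
    append_evidence(chain, 4, "j.doe", "annual supplier security review", True, "2026-01-14T09:30:00Z")
    append_evidence(chain, 10, "idp", "MFA enforced for admin group", True, "2026-01-15T11:05:00Z")
    return chain
```

Tampering with any stored record, or re-hashing one entry without re-hashing every later one, breaks the link at that position.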

Make NIS2 evidence a query, not a project

Alexus turns the IT operations you already run into continuous Article 21 readiness, ready-to-file Article 23 reports and a hash-chained audit trail.