The ten minimum technical measures NIS2 demands
Article 21 lists ten mandatory areas. We map them to concrete controls already in ISO 27001 and NIST CSF, avoiding duplicate work.
TL;DR
Article 21(2) of NIS2 lists ten areas that the "technical, operational and organisational" measures of an essential or important entity must cover as a minimum. Mapped to ISO 27001:2022 Annex A and NIST CSF 2.0 they translate into roughly 30-40 practical controls. An organisation that is already ISO 27001-compliant has, by our estimate, about 80% of the work done and mainly needs to close evidence gaps.
The ten Article 21 areas
- Policies on risk analysis and information system security.
- Incident handling.
- Business continuity (backup management, disaster recovery) and crisis management.
- Supply chain security, including the security aspects of the relationship with each direct supplier and service provider.
- Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.
- Policies and procedures to assess the effectiveness of the risk-management measures.
- Basic cyber hygiene practices and cybersecurity training.
- Policies and procedures on the use of cryptography and, where appropriate, encryption.
- Human resources security, access control policies and asset management.
- Multi-factor or continuous authentication, secured voice, video and text communications and secured emergency communication systems, where appropriate.
Mapping to ISO 27001:2022
| NIS2 Art. 21(2) area | ISO 27001:2022 Annex A controls |
|---|---|
| 1. Risk analysis and information system security policies | A.5.1, A.5.2, A.5.7 |
| 2. Incident handling | A.5.24-A.5.28 |
| 3. Business continuity and crisis management | A.5.29, A.5.30, A.8.13, A.8.14 |
| 4. Supply chain security | A.5.19-A.5.23 |
| 5. Security in acquisition, development and maintenance (SDLC) | A.8.25-A.8.31 |
| 6. Effectiveness assessment | A.5.36, A.8.16 |
| 7. Cyber hygiene and training | A.6.3, A.8.7 |
| 8. Cryptography and encryption | A.8.24 |
| 9. HR security, access control, asset management | A.6.1-A.6.7 |
| 10. MFA and secure communications | A.5.17, A.8.5 |
Mapping to NIST CSF 2.0
The six NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover) cover all ten areas; the Govern function added in 2.0 is where the supply chain risk management category (GV.SC) lives, so point 4 maps there rather than under Identify as it did in CSF 1.1. Organisations already using NIST CSF as their framework can do the inverse mapping without rewriting their policies.
The 5 measures most often flagged in audits
In order of how often they appear as non-conformities (NCs):
- Documented DR drills (point 3): the drill is run, but no evidence (date, scope, outcome, follow-up actions) is retained.
- Supplier risk assessment (point 4): done ad hoc, without a structured method or criteria.
- Incident notification procedure (point 2): missing or never exercised. Note that Article 23 sets the deadlines the procedure has to meet: early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month.
- MFA on privileged accounts (point 10): enforced for most users but with gaps, typically admin, service or legacy access that was exempted and never revisited.
- Cyber training (point 7): delivered but not documented (no attendance records, no content, no schedule).
How to prioritise
To start from zero and reach a defensible baseline in 90 days:
- days 1-30: points 1, 2, 3 (governance, incident handling and continuity);
- days 31-60: points 4, 7, 9, 10 (supply chain, people, access control and MFA);
- days 61-90: points 5, 6, 8 (secure development, effectiveness assessment, cryptography).
FAQ
Do I have to cover all 10 points perfectly?
No. Article 21(1) asks for measures that are appropriate and proportionate to the risk, taking into account the state of the art, the cost of implementation, the entity's size, its exposure to risk and the likelihood and severity of incidents. A small SMB can legitimately do less than a large bank, provided it can show that its choices follow from a documented risk assessment.
Can I use cloud and SaaS to reduce effort?
Yes, but the effort moves rather than disappears: supply chain risk (point 4) grows, because part of your security now depends on the provider. You need to document the shared-responsibility split, the contractual security requirements and your assessment of each provider (ISO 27001 A.5.23 covers cloud services specifically).
How much does a full implementation cost?
For a medium SMB already with decent backups: €15-30k one-off.
See also: NIS2 audit checklist (for the audit checklist) and NIS2 and IT suppliers (for supply chain security).
Want to see Sefthy in action?
Same IP, same subnet, RTO in minutes. Try it free for 7 days or talk to one of our specialists.