NIS 2 Requirements: What Organizations Must Implement
Article 21 of the NIS 2 Directive outlines the cybersecurity risk-management measures that all in-scope entities must implement. These requirements form the foundation of NIS 2 compliance, covering everything from risk analysis to incident handling and supply chain security. This guide breaks down each requirement and what it means in practice.
Key Takeaways
| Point | Summary |
|---|---|
| 10 core measures | Article 21 specifies 10 categories of cybersecurity measures all entities must implement |
| Risk-based approach | Measures must be proportionate to the risks, considering entity size, exposure, and incident likelihood |
| State of the art | Organizations must consider the latest cybersecurity technologies and practices |
| Management approval | Senior management must approve risk-management measures and oversee their implementation |
| International standards | The directive encourages use of standards like ISO 27001 |
Quick Answer: NIS 2 requires organizations to implement 10 categories of cybersecurity measures, including risk analysis, incident handling, business continuity, supply chain security, and access control. All measures must be proportionate to the organization's risk profile, approved by management, and regularly reviewed.
The 10 Core Requirements
1. Risk Analysis and Information Security Policies
Organizations must establish and maintain policies for risk analysis and information system security. This includes:
- Risk assessment methodology: A documented approach to identifying, analyzing, and evaluating cybersecurity risks
- Information security policy: A comprehensive policy covering the security of network and information systems
- Regular reviews: Periodic reassessment of risks and policy updates based on changes in the threat landscape or business environment
- Asset inventory: Identification and classification of critical assets, including network and information systems
This requirement aligns closely with ISO 27001's risk assessment process, making organizations with existing ISO 27001 certification well-positioned for compliance.
2. Incident Handling
Entities must have robust processes for preventing, detecting, and responding to cybersecurity incidents:
- Detection capabilities: Monitoring tools and processes to identify security incidents promptly
- Response procedures: Documented incident response plans with clear roles and responsibilities
- Classification system: A framework for categorizing incidents by severity and impact
- Communication protocols: Internal and external communication procedures during an incident
- Post-incident analysis: Processes for learning from incidents and improving defenses
See our detailed guide on NIS 2 incident reporting for the specific notification timelines and obligations.
3. Business Continuity and Crisis Management
Organizations must plan for operational resilience:
- Business continuity plans: Documented plans for maintaining essential operations during and after an incident
- Disaster recovery: Procedures for restoring systems and data after disruption
- Backup management: Regular, tested backups with secure storage and restoration capabilities
- Crisis management: Organizational structures and procedures for managing crises, including communication chains and decision-making authority
4. Supply Chain Security
One of NIS 2's most significant additions is the explicit requirement for supply chain security:
- Supplier risk assessment: Evaluation of cybersecurity risks posed by direct suppliers and service providers
- Contractual requirements: Security clauses in contracts with suppliers covering cybersecurity measures, incident notification, and audit rights
- Monitoring: Ongoing oversight of supplier security posture
- Vulnerability management: Processes to address vulnerabilities discovered in third-party products or services
This is covered in detail in our NIS 2 supply chain security guide.
5. Security in Network and Information System Acquisition, Development, and Maintenance
Security must be embedded throughout the system lifecycle:
- Secure development practices: Security requirements in the design, development, and testing of systems
- Vulnerability handling: Processes for identifying and addressing vulnerabilities in systems
- Patch management: Timely application of security patches and updates
- Change management: Controlled processes for modifying network and information systems
6. Policies and Procedures for Assessing Cybersecurity Effectiveness
Organizations must regularly evaluate whether their cybersecurity measures work:
- Security assessments: Regular testing of security controls and their effectiveness
- Penetration testing: Periodic testing to identify exploitable vulnerabilities
- Audit programs: Internal or external audits of cybersecurity measures
- Metrics and reporting: Key performance indicators for cybersecurity effectiveness
- Continuous improvement: Processes for acting on assessment findings
7. Basic Cyber Hygiene and Cybersecurity Training
Every organization must implement fundamental cybersecurity practices and ensure its workforce is trained:
- Cyber hygiene practices: Password policies, software update procedures, secure configuration, and network segmentation
- Security awareness training: Regular training for all employees on cybersecurity risks and responsibilities
- Management training: NIS 2 explicitly requires management bodies to undergo cybersecurity training
- Role-specific training: Additional training for staff with specific security responsibilities
8. Policies on the Use of Cryptography and Encryption
Organizations must have clear policies governing cryptographic controls:
- Encryption policies: When and how data should be encrypted at rest and in transit
- Key management: Procedures for generating, storing, distributing, and revoking cryptographic keys
- Standards compliance: Use of recognized encryption standards and algorithms
- Regular review: Assessment of cryptographic controls against evolving threats
9. Human Resources Security, Access Control, and Asset Management
This broad requirement covers several interconnected areas:
- Human resources security: Background checks, security terms in employment contracts, security responsibilities during and after employment
- Access control: Policies for granting, reviewing, and revoking access based on the principle of least privilege
- Asset management: Inventory of assets, classification of information, and handling procedures
- Identity management: Processes for managing user identities and their access rights
10. Multi-factor Authentication and Secured Communications
Organizations must implement strong authentication and communication security:
- Multi-factor authentication (MFA): Use of MFA or continuous authentication solutions where appropriate
- Secured voice, video, and text communications: Protection of communications within the organization
- Secured emergency communications: Ensuring communication capabilities during incidents and crises
Proportionality Principle
NIS 2 requires measures to be proportionate. When implementing these requirements, organizations should consider:
| Factor | Consideration |
|---|---|
| Entity size | Resources and capabilities available |
| Risk exposure | Likelihood and severity of potential incidents |
| Societal impact | Potential consequences for society and the economy |
| Dependency | Degree to which other sectors depend on the entity's services |
| Cost of implementation | Economic viability of security measures relative to risk reduction |
This means a small managed service provider will not be expected to implement the same scale of measures as a major energy provider, but both must address each of the 10 requirement categories.
Management Accountability
NIS 2 places direct accountability on management bodies. Senior leadership must:
- Approve the cybersecurity risk-management measures
- Oversee the implementation of these measures
- Be held liable for infringements
- Undergo regular cybersecurity training
- Offer similar training to employees
This represents a significant shift from previous approaches where cybersecurity was often delegated entirely to technical teams.
Common Questions
How specific are the NIS 2 technical requirements?
NIS 2 is deliberately principles-based rather than prescriptive. It outlines what must be achieved (the 10 requirement categories) but leaves organizations flexibility in how they achieve it. The European Commission may adopt implementing acts with more specific technical details for certain sectors.
Can we use existing security frameworks to comply?
Yes. The directive explicitly encourages the use of European and international standards. ISO 27001, IEC 62443, and other recognized frameworks provide excellent foundations for meeting NIS 2 requirements. Organizations already certified to ISO 27001 will find significant overlap with NIS 2 requirements.
Do all 10 requirements apply equally?
All 10 categories apply to every in-scope entity, but the depth and sophistication of implementation should be proportionate to the organization's risk profile. A healthcare provider will naturally emphasize different aspects than a cloud service provider, but both must address all 10 areas.
