
NIS 2 Risk Assessment: How to Evaluate Cybersecurity Risks

Risk assessment is the foundation of NIS 2 compliance. Article 21 requires essential and important entities to take a risk-based approach to cybersecurity: every security measure must be proportionate to the risks actually identified, rather than chosen from a generic checklist. A structured risk assessment process helps you identify threats, evaluate vulnerabilities, and prioritize your cybersecurity investments where they reduce the most risk.

Key Takeaways

Point Summary
Mandatory Policies on risk analysis are the first of the 10 cybersecurity measures required by Article 21(2) (point (a))
All-hazards approach NIS 2 mandates consideration of all relevant threats, including physical and environmental
Proportionate Measures must be proportionate to risks, entity size, and potential societal impact
Regular review Risk assessments must be updated periodically and after significant changes
ISO 27001 alignment NIS 2 risk assessment aligns closely with ISO 27001 risk assessment methodology

Quick Answer: NIS 2 requires organizations to conduct comprehensive risk assessments covering their network and information systems. The assessment must identify threats and vulnerabilities, evaluate potential impact, and inform proportionate cybersecurity measures. It should be reviewed regularly and updated after significant changes.

The All-Hazards Approach

NIS 2 introduces an "all-hazards approach" to risk assessment. This means organizations must consider threats beyond traditional cyber threats:

Threat Category Examples
Cyber threats Malware, ransomware, phishing, advanced persistent threats, DDoS
Physical threats Natural disasters, fires, flooding, power outages
Human threats Insider threats, social engineering, human error
Supply chain threats Compromised suppliers, vendor vulnerabilities, service disruptions
Technical failures Hardware failures, software bugs, system obsolescence
Environmental threats Climate events, pandemics, geopolitical disruption

This comprehensive approach ensures organizations do not overlook non-digital threats that can have significant cybersecurity implications.

Risk Assessment Methodology

Step 1: Define Scope and Context

Establish the boundaries of your risk assessment:

  • Identify the network and information systems in scope
  • Understand the business context and critical services provided
  • Determine the regulatory environment (which NIS 2 requirements apply)
  • Consider the entity's role in the broader supply chain and sector
  • Document the risk assessment methodology and criteria

Step 2: Asset Identification

Create a comprehensive inventory of assets:

  • Hardware (servers, networking equipment, endpoints, IoT devices)
  • Software (operating systems, applications, databases)
  • Data (customer data, intellectual property, operational data)
  • Services (cloud services, managed services, third-party integrations)
  • People (employees, contractors, third-party access)
  • Facilities (data centers, offices, remote work environments)

Step 3: Threat Identification

Identify potential threats to each asset category:

  • Review threat intelligence sources relevant to your sector
  • Consider historical incidents in your organization and sector
  • Evaluate the threat landscape specific to your geographic location
  • Assess threats from the supply chain
  • Include emerging threats and evolving attack vectors

Step 4: Vulnerability Assessment

Identify weaknesses that threats could exploit:

  • Conduct technical vulnerability scans of systems and networks
  • Review configurations against security baselines
  • Assess process and procedural weaknesses
  • Evaluate human factors (awareness levels, training gaps)
  • Review third-party and supply chain vulnerabilities

Step 5: Impact Analysis

Evaluate the potential consequences of a successful attack:

Impact Dimension Questions to Consider
Operational How would the incident disrupt service delivery?
Financial What direct and indirect costs would result?
Reputational How would stakeholder trust be affected?
Legal/Regulatory What compliance violations could result?
Societal What broader impact could occur on public safety or welfare?

NIS 2 explicitly requires consideration of the societal dimension, reflecting the directive's focus on protecting critical infrastructure and services.

Step 6: Likelihood Assessment

Estimate the probability of each identified risk materializing:

Likelihood Level Description
Very high Expected to occur multiple times per year
High Likely to occur at least once per year
Medium Possible within a 1-3 year timeframe
Low Possible within a 3-5 year timeframe
Very low Rare; only under exceptional circumstances

Fix these definitions in the criteria documented in Step 1 so that different assessors rate the same scenario the same way, and use the same scale for every risk in the register.

Step 7: Risk Evaluation

Combine impact and likelihood to determine overall risk levels:

Likelihood \ Impact   Low       Medium    High      Critical
Very high             Medium    High      Critical  Critical
High                  Low       Medium    High      Critical
Medium                Low       Medium    High      High
Low                   Low       Low       Medium    High
Very low              Low       Low       Low       Medium

Step 8: Risk Treatment

For each identified risk, decide on a treatment approach:

Treatment When to Use
Mitigate The risk exceeds appetite and controls can reduce its likelihood or impact at a cost proportionate to the reduction achieved
Transfer Part of the financial impact can be shifted through insurance or contractual terms with suppliers; note that the entity's own NIS 2 obligations and management accountability cannot be transferred
Accept The inherent or residual risk already falls within the documented risk appetite; record the acceptance and who approved it
Avoid No proportionate control exists and the activity or asset can be discontinued or redesigned

Document the rationale for each treatment decision and ensure management approval.
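To make Steps 6 to 8 concrete, the following Python is an added example (not code from the original page or from any NIS 2 authority) that encodes the likelihood and impact scales and the Step 7 matrix exactly as given above, checks that the matrix is internally consistent, scores a constructed risk register, computes residual risk after the chosen treatment, and flags entries that breach a stated risk appetite. The register entries, the "medium" appetite, and the number of scale steps a control is assumed to remove are illustrative assumptions, not values the directive prescribes.

```python
"""Qualitative risk register scorer for a likelihood x impact matrix.

Added example, not part of the original page. The scales and matrix are the
ones from Steps 6 and 7; the register, appetite and per-control "reduction
steps" are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Optional

LIKELIHOOD = ["very low", "low", "medium", "high", "very high"]   # ascending
IMPACT = ["low", "medium", "high", "critical"]                    # ascending
RISK = ["low", "medium", "high", "critical"]                      # ascending

# Step 7 matrix: MATRIX[likelihood][IMPACT index] -> overall risk level
MATRIX = {
    "very high": ["medium", "high",   "critical", "critical"],
    "high":      ["low",    "medium", "high",     "critical"],
    "medium":    ["low",    "medium", "high",     "high"],
    "low":       ["low",    "low",    "medium",   "high"],
    "very low":  ["low",    "low",    "low",      "medium"],
}

TREATMENTS = {"mitigate", "transfer", "accept", "avoid"}


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the overall risk level for a likelihood/impact pair."""
    return MATRIX[likelihood][IMPACT.index(impact)]


def matrix_is_monotone() -> bool:
    """Consistency check: risk must never drop when likelihood or impact rises.

    A matrix that fails this lets an assessor lower a rating by nudging one
    axis upward, which is how registers quietly become inconsistent.
    """
    for li, lk in enumerate(LIKELIHOOD):
        for ii, im in enumerate(IMPACT):
            here = RISK.index(risk_level(lk, im))
            if li and here < RISK.index(risk_level(LIKELIHOOD[li - 1], im)):
                return False
            if ii and here < RISK.index(risk_level(lk, IMPACT[ii - 1])):
                return False
    return True


@dataclass
class Risk:
    asset: str
    threat: str
    category: str          # all-hazards category from the page's table
    likelihood: str
    impact: str
    treatment: str
    # Assumed effect of the chosen controls, in scale steps removed (constructed).
    likelihood_reduction: int = 0
    impact_reduction: int = 0

    def inherent(self) -> str:
        return risk_level(self.likelihood, self.impact)

    def residual(self) -> Optional[str]:
        """Risk remaining after treatment; None when the activity is avoided."""
        if self.treatment == "avoid":
            return None
        li = max(0, LIKELIHOOD.index(self.likelihood) - self.likelihood_reduction)
        ii = max(0, IMPACT.index(self.impact) - self.impact_reduction)
        return risk_level(LIKELIHOOD[li], IMPACT[ii])


def evaluate(register, appetite: str = "medium") -> dict:
    """Rank the register by inherent risk and flag breaches of the appetite.

    Flags: an unknown treatment, 'accept' chosen for a risk above appetite
    (needs management sign-off or a different treatment), and any residual
    risk still above appetite after the planned controls.
    """
    limit = RISK.index(appetite)
    ranked = sorted(register, key=lambda r: RISK.index(r.inherent()), reverse=True)
    findings = []
    for r in ranked:
        if r.treatment not in TREATMENTS:
            findings.append((r.asset, "unknown treatment " + r.treatment))
        if r.treatment == "accept" and RISK.index(r.inherent()) > limit:
            findings.append((r.asset, "accepted above appetite"))
        res = r.residual()
        if res is not None and RISK.index(res) > limit:
            findings.append((r.asset, "residual " + res + " above appetite"))
    return {"ranked": ranked, "findings": findings}


# Constructed sample register (illustrative, not real data).
SAMPLE_REGISTER = [
    Risk("ERP cluster", "ransomware", "cyber", "high", "critical", "mitigate",
         likelihood_reduction=1, impact_reduction=1),   # EDR + offline backups
    Risk("primary data centre", "flooding", "physical", "low", "critical", "transfer",
         impact_reduction=2),                            # insurance + DR site
    Risk("remote access VPN", "phishing", "human", "very high", "medium", "mitigate",
         likelihood_reduction=2),                        # phishing-resistant MFA
    Risk("legacy HMI", "software obsolescence", "technical", "medium", "high", "accept"),
    Risk("staging web server", "DDoS", "cyber", "very low", "low", "accept"),
]

if __name__ == "__main__":
    assert matrix_is_monotone()
    result = evaluate(SAMPLE_REGISTER, appetite="medium")
    for r in result["ranked"]:
        print(f"{r.asset:22} {r.category:9} inherent={r.inherent():8} "
              f"treatment={r.treatment:8} residual={r.residual()}")
    for asset, why in result["findings"]:
        print("FINDING:", asset, "-", why)
```

Run as-is to see the ranked register and three findings: the ERP residual risk stays "high" even after the planned controls, and the legacy HMI is accepted at "high" while the appetite is "medium", which is exactly the kind of decision Step 8 says must be documented and approved by management rather than left implicit in a spreadsheet.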

Proportionality in Practice

NIS 2 requires that measures be proportionate. When applying the results of your risk assessment, consider:

  • Entity size: A 50-person company will implement measures differently than a 5,000-person organization
  • Exposure: An internet-facing service has different risk profiles than an internal-only system
  • Sector importance: Entities in highly critical sectors face higher expectations
  • Cost-effectiveness: Security investments should be proportionate to the risk reduction achieved
  • State of the art: Consider current best practices and available technologies

Alignment with ISO 27001

Organizations with ISO 27001 certification will find significant overlap between its risk assessment requirements and NIS 2:

Aspect ISO 27001 NIS 2
Risk assessment methodology Required (Clause 6.1.2) Required (Article 21(1) and 21(2)(a))
Asset-based approach Common practice, no longer mandated by the standard Encouraged; asset management is itself a listed measure (Article 21(2)(i))
Risk treatment plan Required (Clause 6.1.3) Required (Article 21)
Management approval Required Required
Regular review Required Required
All-hazards approach Not required by the standard; physical and environmental controls appear in Annex A Mandatory (Article 21(1))

The key addition in NIS 2 is the explicit all-hazards approach and the consideration of societal impact, which may require extending an existing ISO 27001 risk assessment.

Common Questions

How often should we conduct risk assessments?

NIS 2 does not specify a fixed frequency, but risk assessments should be reviewed at least annually and updated after significant changes in the organization, threat landscape, or technology environment. ISO 27001 does not name an interval either: it requires assessments at planned intervals and whenever significant changes are proposed or occur (Clause 8.2). An annual full assessment is the common certification practice and a reasonable baseline for NIS 2 compliance as well.

Who should be involved in the risk assessment?

Risk assessments should involve stakeholders from across the organization, including IT, security, operations, legal, and senior management. Management involvement is particularly important given NIS 2's management accountability requirements. External expertise can be valuable for identifying blind spots and benchmarking against sector practices.

Can we use our existing risk assessment framework?

Yes. NIS 2 does not mandate a specific methodology. If you already have a risk assessment process (whether based on ISO 27005, NIST, OCTAVE, or another recognized framework), you can adapt it to cover NIS 2 requirements. The key is ensuring it covers the all-hazards approach and considers the proportionality factors outlined in the directive.