Table of Contents
- The Legal Basis: Article 21 of NIS2
- Measure 1: Risk Assessment and Information Security Policies
- Measure 2: Incident Handling
- Measure 3: Business Continuity, Backup, and Disaster Recovery
- Measure 4: Supply Chain Security
- Measure 5: Security in Network and Information Systems Acquisition, Development, and Maintenance
- Measure 6: Policies and Procedures for Assessing Effectiveness
- Measure 7: Cybersecurity Hygiene and Training
- Measure 8: Policies and Procedures on Cryptography and Encryption
- Measure 9: Human Resources Security, Access Control, and Asset Management
- Measure 10: Use of Multi-Factor Authentication (MFA) and Secure Communication
- Proportionality: One Size Does Not Fit All
The Legal Basis: Article 21 of NIS2
Article 21 of the NIS2 Directive requires covered entities to take "appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of network and information systems."
These measures must account for:
- The state of the art in cybersecurity
- Applicable standards (European or international)
- The cost of implementation relative to risks
- The size of the entity and exposure to risk
- The likelihood and severity of potential incidents
Measure 1: Risk Assessment and Information Security Policies
Every NIS2-covered entity must establish a formal risk management framework that includes:
- Regular identification and assessment of cybersecurity risks
- A documented information security policy approved by senior management
- Periodic review and update cycles (at minimum annually, or after significant changes)
- Risk treatment plans addressing identified gaps
In practice: This means moving beyond ad-hoc security practices toward a structured, documented approach. Many organizations use ISO/IEC 27001 or NIST CSF as their framework backbone, adapting it to NIS2 requirements.
Measure 2: Incident Handling
Organizations must have clearly defined procedures for detecting, analyzing, containing, and recovering from cybersecurity incidents. This includes:
- A Security Operations Centre (SOC) function, whether in-house or outsourced
- An incident response plan (IRP) tested at least annually
- Defined roles and escalation paths for incident management
- A communication plan covering internal stakeholders, authorities, and (where required) customers
In practice: The incident response plan must also incorporate NIS2's strict reporting timelines (covered in a separate post). Incident drills and tabletop exercises are strongly recommended.
Measure 3: Business Continuity, Backup, and Disaster Recovery
NIS2 requires entities to ensure that essential services can continue or rapidly resume following a disruptive cybersecurity incident. This involves:
- Regular, tested data backups stored separately from production systems
- A Business Continuity Plan (BCP) covering key operational scenarios
- A Disaster Recovery Plan (DRP) with defined RTO (Recovery Time Objective) and RPO (Recovery Point Objective)
- Crisis management procedures for severe incidents
In practice: Cloud-based backup solutions and geographically redundant architectures are increasingly standard. Ensure your BCP/DRP documentation is up to date and that staff know their roles.
Measure 4: Supply Chain Security
Organizations must assess and manage cybersecurity risks across their entire supply chain. This includes direct suppliers, ICT service providers, and in some cases sub-contractors.
Requirements include:
- Supplier risk assessments as part of procurement processes
- Contractual security requirements included in vendor agreements
- Ongoing monitoring of supplier security posture
- A process for managing and revoking third-party access
In practice: Many breaches originate through trusted third parties. Implement a Third-Party Risk Management (TPRM) program and consider requiring suppliers to demonstrate their own NIS2 or ISO 27001 compliance.
Measure 5: Security in Network and Information Systems Acquisition, Development, and Maintenance
Security must be built into rather than bolted onto systems throughout their lifecycle:
- Secure development practices (SDLC, code review, SAST/DAST)
- Vulnerability management programs covering regular scanning and patch management
- Penetration testing of critical systems at regular intervals
- Security requirements defined in procurement specifications
In practice: Organizations that develop software internally must adopt DevSecOps principles. Those relying on third-party products must enforce patch management SLAs and monitor vendor security advisories.
Measure 6: Policies and Procedures for Assessing Effectiveness
NIS2 requires organizations to be able to demonstrate that their security measures are effective:
- Regular internal audits of cybersecurity controls
- Key Performance Indicators (KPIs) for security operations
- Reporting to management on the effectiveness of cybersecurity measures
- Use of external auditors or certifications (e.g., ISO 27001) to validate posture
In practice: Evidence collection is critical. Regulators and auditors will want to see logs, reports, audit trails, and management sign-off demonstrating controls are working.
Measure 7: Cybersecurity Hygiene and Training
Human error remains the leading cause of cybersecurity incidents. NIS2 requires:
- Regular cybersecurity awareness training for all staff
- Specialized training for IT/security personnel
- A culture of security awareness embedded in organizational processes
- Phishing simulation programs and security newsletters
In practice: Training should be role-specific — what a finance employee needs to know differs from what a system administrator requires. Document all training activities for audit purposes.
Measure 8: Policies and Procedures on Cryptography and Encryption
Organizations must implement appropriate cryptographic controls:
- Encryption of sensitive data at rest and in transit
- Documented key management procedures including generation, rotation, and revocation
- Use of current, industry-standard algorithms (avoid deprecated algorithms such as SHA-1, MD5, and DES)
- Certificates and PKI management procedures
In practice: Review all data flows to identify where encryption is absent or outdated. Controls such as TLS 1.3 for data in transit, AES-256 for data at rest, and hardware security modules (HSMs) for key management are current best practice.
Measure 9: Human Resources Security, Access Control, and Asset Management
People, access, and assets must be managed systematically:
- Access control policies based on the principle of least privilege
- Multi-Factor Authentication (MFA) for all administrative and remote access
- Joiners/movers/leavers procedures for managing access throughout the employee lifecycle
- Asset inventory covering hardware, software, data, and cloud resources
- Background verification procedures for staff with access to critical systems
In practice: Privileged Access Management (PAM) solutions are increasingly considered essential for organizations managing critical infrastructure. Zero-trust architectures are emerging as best practice.
Measure 10: Use of Multi-Factor Authentication (MFA) and Secure Communication
NIS2 explicitly mandates the use of:
- Multi-factor authentication (MFA) or continuous authentication for access to critical systems
- Encrypted communications for sensitive information exchange
- Emergency communication systems that remain functional during and after an incident
In practice: MFA should be deployed across all externally accessible systems (VPN, email, cloud services, remote desktop) as a minimum. Where possible, extend MFA to internal systems housing critical or sensitive data.
Proportionality: One Size Does Not Fit All
It's important to understand that NIS2 does not require every organization to implement the same level of controls. The directive explicitly calls for measures proportionate to the organization's:
- Size and resources
- Risk exposure and sector criticality
- Current maturity level
A hospital must treat its security posture differently from a waste management company. However, the obligation to implement all 10 categories applies to all covered entities — what varies is the depth and sophistication of implementation.
Implementation Support
Implementing all 10 security measure categories requires careful planning, cross-functional coordination, and often specialist expertise. Organizations that lack in-house capability should consider engaging experienced cybersecurity partners who understand both NIS2 requirements and the Portuguese regulatory context.
Our free assessment tool can help you determine your scope and starting point. For detailed implementation guidance, consult with accredited cybersecurity professionals.
This article is for informational purposes only and does not constitute legal advice.