NIS2 Article 21: The security checklist before the deadline
The countdown has begun. The NIS2 directive imposes strict obligations. You must act now to secure your systems. A cyberattack costs an average of €466,000 for an SME in France [1]. Compliance is not an option; it is a necessity.
Establish clear policies
Define your risk analysis policies. Formalize the security of your information systems. These documents guide your teams. They prove your commitment in the event of an audit.
Manage incidents effectively
Prepare for the inevitable. Implement detection, response, and recovery procedures. Every minute counts during an attack. Speed minimizes the impact.
Ensure business continuity
Your business must keep running. Establish robust backup plans. Plan for disaster recovery. Manage crises with a defined plan. Downtime is expensive.
Secure the supply chain
Your suppliers are your weak links. Evaluate their security. Integrate strict contractual clauses. A flaw at a provider directly impacts you, which is why supplier visibility and contractual control need to be part of the checklist from the start.
Integrate security into the lifecycle
Security is not an afterthought. Integrate it from the design phase. Manage vulnerabilities proactively. This applies to the acquisition, development, and maintenance of your systems.
Evaluate the effectiveness of measures
Measure what matters. Regularly audit your systems. Perform penetration tests. The effectiveness of your measures must be proven. This allows you to adjust your strategy.
Train and raise awareness among your teams
Humans remain the primary target. Train your employees. Implement basic cyber hygiene practices. Awareness reduces the risk of human error.
Use cryptography and encryption
Protect your sensitive data. Implement encryption solutions. Use cryptography for communications. It is an essential barrier against interception.
Control access and resources
Who accesses what? Define strict access control policies. Manage your IT assets. Human resources security is paramount. Every account must be justified.
Deploy Multi-Factor Authentication (MFA)
Strengthen access to your systems. MFA is a simple and effective measure. It drastically reduces the risk of compromise. MFA adoption is close to 87% for large enterprises [2]. For SMEs/mid-caps, this figure is much lower. Deploy it everywhere.
Key takeaways
| NIS2 Article 21 Measure | Concrete Action for the CISO/CIO |
|---|---|
| Clear policies | Draft and distribute security and risk analysis policies. |
| Incident management | Set up a SOC or an incident response process. |
| Business continuity | Test disaster recovery plans (DRP) and business continuity plans (BCP). |
| Supply chain | Assess the security of critical suppliers. |
| Lifecycle security | Integrate code reviews and security testing. |
| Measure evaluation | Conduct regular internal and external audits. |
| Training and awareness | Organize simulated phishing campaigns and training sessions. |
| Cryptography and encryption | Encrypt sensitive data at rest and in transit. |
| Access and resource control | Implement the principle of least privilege. |
| Multi-factor authentication | Deploy MFA on all sensitive access points. |
NIS2 Article 21 FAQ
What is Article 21 of NIS2?
Article 21 details the ten risk management measures. These measures are mandatory for essential and important entities. They cover the security of network and information systems.
What is the deadline to comply with NIS2?
At EU level, Member States had to transpose NIS2 by 17 October 2024. In practice, your timeline depends on the national implementation that applies to your entity and on when your competent authority begins supervision. The safest assumption is to prepare before a formal audit date is announced.
What happens in case of non-compliance?
Penalties can be severe. They reach up to €10 million or 2% of global turnover. The company’s reputation is also at stake. Non-compliance impacts customer trust.
References
[1] Cost of a cyberattack: €466,000 (SME) / €13M (Mid-cap) - ADHEL
[2] Multi-Factor Authentication (MFA) Market Overview - 360 Research Reports