Article 21Control Baseline

EU NIS2 Directive (EU) 2022/2555 Article 21 Control Baseline

Convert Article 21(a) to (j) into controls you can implement and defend.

Output: a control baseline with owners, KPIs, and evidence artifacts aligned to your services and risk exposure.

Back to main artifact Review sources

Author

Sorena AI

Published

Feb 23, 2026

Updated

Feb 23, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published Feb 23, 2026

Updated Feb 23, 2026

Overview

Article 21 is the NIS2 control baseline. It is broad on purpose. Your job is to convert the legal measures into specific controls, measurable acceptance criteria, testing cadence, and evidence that show the controls actually work.

Section 1

What Article 21 requires (and what "appropriate and proportionate" means in practice)

Article 21 requires essential and important entities to take technical, operational, and organisational measures to manage risks to the network and information systems used for operations or service delivery and to prevent or minimise incident impact.

Appropriate and proportionate means risk-based implementation: state of the art, cost, size, exposure, likelihood, severity, and societal or economic impact all matter.

Scope the baseline per legal entity and per service: what systems, which recipients, which critical dependencies.
Define a measurable control baseline (not only policies): logging coverage, patch SLAs, restore tests, MFA coverage, supplier assurance coverage.
Treat physical environment as in-scope (Article 21 "all-hazards" approach): data centre access, environmental controls, resilience.
Prove effectiveness (Article 21(2)(f)): internal audit, control testing, metrics, and management review decisions.

Section 2

Article 21(2)(a) to (j) mapped to control families you can implement

Use this mapping to build a control register. For each item: set an owner, define acceptance criteria, choose evidence, set a test cadence, and log exceptions.

(a) Risk analysis and security policies: service inventory, risk method, treatment plans, policy set, and review cadence.
(b) Incident handling: triage, escalation, containment, recovery, lessons learned, and evidence preservation.
(c) Business continuity and crisis management: backup strategy, recovery plans, restore testing, crisis roles, and communications.
(d) Supply chain security: supplier tiering, due diligence, contract controls, service monitoring, and supplier incident paths.
(e) Security in acquisition, development, and maintenance: secure design, change control, patching, vulnerability handling, and disclosure.
(f) Effectiveness assessment: control tests, scans, audits, tabletop exercises, and corrective action tracking.
(g) Basic cyber hygiene and training: secure configuration, asset hygiene, role-based awareness, and periodic refresh.
(h) Cryptography and, where appropriate, encryption: data classification, key management, certificate lifecycle, and exception handling.
(i) Human resources security, access control, and asset management: joiner-mover-leaver controls, privileged access, least privilege, and asset lifecycle.
(j) Multi-factor authentication, secure communications, and secure voice, video, and text communications where appropriate.

Section 3

Where Implementing Regulation (EU) 2024/2690 adds specificity

The Commission adopted Implementing Regulation (EU) 2024/2690 on 17 October 2024 and it was published on 18 October 2024. It entered into force on 7 November 2024 and applies directly in Member States.

It covers DNS service providers, TLD name registries, cloud providers, data centre providers, CDN providers, managed service providers, managed security service providers, online marketplace providers, online search engine providers, social networking services platforms, and trust service providers.

Confirm whether your entity is in one of the covered categories before using the regulation as a required baseline.
Use ENISA Technical Implementation Guidance version 1.0 from June 2025 as a non-binding implementation aid, not as a substitute for the law.
Map the implementing regulation controls to your evidence pack so significance decisions, logging, supplier controls, and recovery controls are consistent.

Section 4

Audit-ready evidence pack

Supervision powers include requests for policies and evidence, security audits, scans, and enforcement actions. Your goal is to make compliance explainable in minutes, not weeks.

Control register: Article 21 mapping -> control IDs -> owners -> KPIs -> evidence links.
Risk assessment pack: methodology, risk register, treatment plans, and formal risk acceptance decisions.
Security operations evidence: monitoring coverage, alert triage SLAs, incident logs, and post-incident reviews.
Resilience evidence: backup inventory, restore-test results, DR exercises, and crisis management exercises.
Supplier assurance: tiering, due diligence records, contract clauses, periodic reviews, and supplier incident communications.
Training and governance: management approval minutes (Article 20), training records, and management oversight cadence.

Recommended next step

Turn EU NIS2 Directive (EU) 2022/2555 Article 21 Control Baseline into an operational assessment

Assessment Autopilot can take EU NIS2 Directive (EU) 2022/2555 Article 21 Control Baseline from turning this guidance into a repeatable review process to a reusable workflow inside Sorena. Teams working on EU NIS2 Directive (EU) 2022/2555 can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow

Open Assessment Autopilot for EU NIS2 Directive (EU) 2022/2555 Article 21 Control Baseline

Start from EU NIS2 Directive (EU) 2022/2555 Article 21 Control Baseline and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step

Talk to Sorena

Talk through EU NIS2 Directive (EU) 2022/2555

Review your current process, evidence gaps, and next steps for EU NIS2 Directive (EU) 2022/2555 Article 21 Control Baseline.

Explore next step

Section 5

A 90 day implementation plan

If you're starting from scratch, sequence the work to create immediate risk reduction and a defensible baseline quickly.

Days 0-14: scope memo + service inventory + essential/important classification + control register draft.
Days 15-30: incident workflow + reporting triggers + crisis comms + backup/restore baseline and restore test.
Days 31-60: supplier tiering + contract addenda + vulnerability handling program + privileged access/MFA coverage.
Days 61-90: effectiveness testing cadence (audits/scans/tabletops), KPI dashboards, and management review sign-off.

Primary sources

References and citations

Commission Implementing Regulation (EU) 2024/2690 (EUR-Lex)

eur-lex.europa.eu

Referenced sections

Binding technical and methodological requirements for covered digital providers and trust service providers, plus further specification of significant incident cases.

Directive (EU) 2022/2555 (NIS2) - Official Journal text (EUR-Lex)

eur-lex.europa.eu

Referenced sections