Control BaselineEU NIS2

NIS2 Article 21 control baseline

Turn Article 21 into a working cybersecurity risk-management baseline: minimum control areas, ownership, evidence, proportionality, and supplier-risk checks.

Use this page to compare an existing security program against the Directive's all-hazards requirements without treating a generic ISO checklist as enough on its own.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Article 21 of Directive (EU) 2022/2555 requires essential and important entities to use appropriate and proportionate technical, operational, and organisational measures for the security of the network and information systems used for their operations or services. A useful baseline should therefore start with Article 21's minimum measure groups, then add entity-specific risk, service impact, supplier exposure, and evidence that the measures are implemented and reviewed.

Section 1

What belongs in a NIS2 Article 21 control baseline?

The baseline should cover all ten Article 21(2) measure groups. It is not limited to technical controls: it also needs governance, incident handling, business continuity, supplier security, secure acquisition and development, effectiveness testing, cyber hygiene and training, cryptography, human resources security, access control, asset management, and appropriate authentication and secure communications.

Do not flatten those requirements into a one-row statement that the entity has a security policy. A reviewer should be able to see which control family maps to each Article 21 point and which systems, services, owners, and evidence records support it.

  • Risk analysis and information system security policies approved at the right management level.
  • Incident-handling procedures for prevention, detection, analysis, containment, response, and recovery.
  • Business continuity records covering backup management, disaster recovery, and crisis management.
  • Supply-chain controls for direct suppliers and service providers, including security clauses where appropriate.
  • Acquisition, development, maintenance, vulnerability-handling, disclosure, testing, training, cryptography, HR security, access-control, asset-management, MFA, and secure communications controls.
Sources for this answer
Directive (EU) 2022/2555, Article 21
Article 21(1) and 21(2) define the all-hazards cybersecurity risk-management baseline and list the minimum measure groups.
Commission Implementing Regulation (EU) 2024/2690
The regulation sets technical and methodological Article 21 requirements for covered DNS, TLD, cloud, data centre, CDN, managed service, managed security service, online marketplace, online search, social networking, and trust service entities.
Section 2

How should proportionality be recorded?

Article 21 is risk-based, but that does not make the baseline optional. The Directive says the level of security must be appropriate to the risks posed, taking account of state of the art, relevant European and international standards where applicable, implementation cost, risk exposure, entity size, incident likelihood, incident severity, and societal or economic impact.

For covered entities under the implementing regulation, a control that is treated as not appropriate, not applicable, or not feasible should be documented in a comprehensible way. That record is part of the baseline because it explains why the entity chose the implemented measure, compensating measure, or gap-remediation path.

  • Record the service or system covered by the control and the risk it addresses.
  • State whether the measure is implemented, partially implemented, replaced by a compensating measure, or not applicable.
  • Link the decision to risk exposure, size and structure, incident likelihood, severity, and expected service impact.
  • Track corrective measures without undue delay when the entity finds that it does not comply with Article 21(2).
Sources for this answer
Directive (EU) 2022/2555, Article 21
Article 21 explains the proportionality factors for choosing cybersecurity risk-management measures and the duty to take corrective measures when controls are not met.
Commission Implementing Regulation (EU) 2024/2690
The regulation recognises proportionality, compensating measures, and documented reasoning where technical and methodological requirements are not appropriate, applicable, or feasible.
Section 3

What evidence should each control family maintain?

Evidence should prove both design and operation. For example, a policy alone may show intent, but Article 21 evidence should also show risk treatment, role assignment, testing, supplier review, asset classification, training, and remediation where those items are relevant to the entity's services.

The implementing regulation is especially useful as an evidence model for covered digital providers because it refers to management-body approval, topic-specific policies, risk treatment plans, monitoring of events and incidents, supplier policies and contract clauses, security testing, patch management, access policy, asset inventory, and assigned cybersecurity roles.

  • Governance evidence: security policy, topic-specific policies, management approval, indicators, roles, responsibilities, and oversight records.
  • Risk evidence: risk assessment, risk treatment plan, accepted or compensating measures, and links to affected services.
  • Operational evidence: incident procedures, event monitoring, backup and recovery records, crisis-management exercises, vulnerability handling, patch procedures, and security-test findings.
  • Supplier and asset evidence: direct supplier register, supplier-risk review, security clauses, ICT acquisition requirements, asset inventory, classification, owner, lifecycle status, and end-of-life information.
  • People and access evidence: cyber hygiene training, HR security steps, access-control policy, privileged-access controls, MFA or continuous authentication decisions, and secure communication controls where appropriate.
Sources for this answer
Commission Implementing Regulation (EU) 2024/2690
The recitals and annex describe implementation evidence areas such as policies, risk treatment, supplier clauses, security testing, patching, access control, MFA, and asset inventories.
ENISA NIS2 Technical Implementation Guidance
ENISA's guidance supports implementation of Commission Implementing Regulation (EU) 2024/2690 with practical advice, evidence examples, and mappings for covered entity types.
Section 4

Where do teams most often under-scope Article 21?

The main under-scope risk is treating Article 21 as a security-certification mapping exercise. Certifications and standards can support a baseline, but the NIS2 record still needs to show coverage of the Directive's measure groups, the proportionality assessment, supplier-specific vulnerabilities, and the services affected by an incident.

Another common gap is overlooking the physical environment, supplier relationships, and direct service impact. Article 21 uses an all-hazards approach for network and information systems and their physical environment, and it requires supplier-security decisions to consider vulnerabilities specific to each direct supplier and service provider.

  • Do not omit physical and environmental threats when they can affect network and information systems.
  • Do not rely on a supplier certificate without reviewing direct supplier vulnerabilities and the quality of supplier cybersecurity practices.
  • Do not treat MFA, secure communications, or emergency communications as automatically irrelevant; record the basis for the decision where they are not used.
  • Do not separate Article 21 evidence from Article 20 management-body approval and training records when those records show oversight of the baseline.
Sources for this answer
Directive (EU) 2022/2555, Articles 20 and 21
Article 20 covers management-body approval, oversight, liability, and training; Article 21 covers the cybersecurity risk-management measures and supplier-security considerations.
Commission Implementing Regulation (EU) 2024/2690
The regulation expands Article 21 implementation detail for covered entities, including physical and environmental security, supplier clauses, access control, MFA, cyber hygiene, and asset management.
Section 5

Implementation checklist for a NIS2 Article 21 control baseline

Use this checklist to turn Article 21 into a reviewable control baseline. Each item should produce an evidence record, not only a statement that the control exists.

If the entity is in a sector covered by Commission Implementing Regulation (EU) 2024/2690, check the applicable technical and methodological requirements in that regulation as part of the same baseline review.

Is an ISO 27001 control mapping enough for NIS2 Article 21?

No. Standards can support the baseline, and Article 21 refers to relevant European and international standards where applicable, but the entity still needs a NIS2-specific record that covers Article 21's minimum measure groups, proportionality factors, supplier-security considerations, and evidence of implementation.

What should be saved when a control is not applicable or not feasible?

Save the reason, the risk and service context, the approving owner, any compensating measure, and the next review trigger. For entities covered by Commission Implementing Regulation (EU) 2024/2690, the regulation specifically expects comprehensible documentation when a requirement is treated as not appropriate, not applicable, or not feasible.

  • Map every Article 21(2) measure group to at least one policy, procedure, control owner, system or service scope, and evidence record.
  • Document the proportionality analysis for implemented, compensating, partial, and not-applicable controls.
  • Confirm management-body approval and oversight records for the cybersecurity risk-management measures.
  • Review direct suppliers and service providers for relevant vulnerabilities, cybersecurity practices, secure development procedures, and security clauses.
  • Keep security-test findings, incident-handling records, vulnerability and patch records, training records, asset inventories, access-control evidence, and remediation actions together with the Article 21 mapping.
Sources for this answer
Directive (EU) 2022/2555, Article 21
Article 21 is the primary source for the baseline's minimum control groups, proportionality analysis, supplier-security requirement, and corrective-measure duty.
Commission Implementing Regulation (EU) 2024/2690
The regulation provides detailed implementation expectations for covered digital, ICT service management, and trust service entities.
ENISA NIS2 Technical Implementation Guidance
ENISA's guidance provides implementation support and evidence-oriented mappings for entities subject to Regulation (EU) 2024/2690.
Recommended next step

Use this baseline to organise Article 21 controls and proof

Sorena can help map Article 21 measure groups to owners, systems, supplier records, implementation evidence, and review steps for your NIS2 program.

Research workflow
Open Research Copilot for NIS2

Ask source-linked questions about Article 21 control groups, supplier security, proportionality, and evidence records using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through implementation

Review your Article 21 baseline, evidence gaps, supplier-risk records, and next implementation steps with Sorena.

Explore next step
Primary sources

References and citations

Commission Implementing Regulation (EU) 2024/2690
eur-lex.europa.eu
Referenced sections
  • The regulation provides detailed implementation expectations for covered digital, ICT service management, and trust service entities.
"cybersecurity risk-management measures"
Directive (EU) 2022/2555, Article 21
eur-lex.europa.eu
Referenced sections
  • Article 21 is the primary source for the baseline's minimum control groups, proportionality analysis, supplier-security requirement, and corrective-measure duty.
"shall include at least the following"
Directive (EU) 2022/2555, Articles 20 and 21
eur-lex.europa.eu
Referenced sections
  • Article 20 covers management-body approval, oversight, liability, and training; Article 21 covers the cybersecurity risk-management measures and supplier-security considerations.
"approve the cybersecurity risk-management measures"
ENISA NIS2 Technical Implementation Guidance
enisa.europa.eu
Referenced sections
  • ENISA's guidance provides implementation support and evidence-oriented mappings for entities subject to Regulation (EU) 2024/2690.
"Supporting NIS2 implementation"
Related guides

Explore more topics

Are managed service providers in scope of NIS2?
NIS2 scope answer for managed service providers and managed security service providers, including service definition, size-cap checks, entity status, and jurisdiction evidence.
EU NIS2 Directive applicability test for entity scope
Stepwise NIS2 applicability test for Annex I and Annex II sectors, medium and large entities, size-independent cases, essential or important classification, jurisdiction, and evidence.
EU NIS2 Directive deadlines and compliance calendar | Article 23 clocks
source-linked NIS2 compliance calendar covering 17 October 2024 transposition, 18 October 2024 application, Article 27 registry data, Article 3 entity lists, Article 23 incident-reporting clocks, and Member State transposition watch items.
FAQ: NIS2 essential vs important entity classification and registration obligations
Plain-English FAQ comparing NIS2 essential entities and important entities, with Article 3 classification rules, shared Article 21 and 23 duties, supervision differences, and evidence to keep.
NIS2 24-hour early warning: what to send and when
Under NIS2 Article 23, covered essential and important entities submit an early warning within 24 hours of becoming aware of a significant incident.
NIS2 72-hour incident notification FAQ
Direct answer on the NIS2 72-hour incident notification: when it is due, what it updates, what it must include, and how to preserve evidence.
NIS2 Annex I and Annex II Sector Scoping Guide
Map NIS2 Annex I and Annex II sectors, entity types, size-cap rules, and essential versus important entity classification with official EU sources.
NIS2 Article 21 control-by-control evidence checklist
Map NIS2 Article 21 risk-management measures to evidence records for governance, incident handling, continuity, supply chain, testing, cyber hygiene, cryptography, access, assets, and authentication.
NIS2 Article 21 Gap Assessment Workflow: controls, evidence, and owners
Assess NIS2 Article 21 cybersecurity risk-management gaps by mapping current controls to Article 21(2), ownership, evidence, supplier risk, and management review.
NIS2 Article 23 incident notification workflow
Map NIS2 Article 23 reporting duties for significant incidents: 24-hour early warning, 72-hour notification, intermediate reports, final report, recipients, and evidence.
NIS2 Compliance Checklist: scope, controls, reporting
Use this NIS2 compliance checklist to confirm scope, entity classification, management-body duties, Article 21 controls, Article 23 reporting, and evidence.
NIS2 Compliance Guide: scope, controls, reporting, and evidence
A practical NIS2 compliance guide for mapping entity scope, Article 21 risk measures, Article 23 incident reporting, management accountability, and evidence records.
NIS2 Country Transposition Tracker: EU Status Workflow
Track NIS2 Directive transposition by EU country with Commission status pages, Article 41 deadlines, reasoned-opinion flags, source URLs, and review controls.
NIS2 Entity Classifier Workflow: essential vs important entity scoping
Classify whether an EU service is out of scope, an important entity, an essential entity, or needs national-authority review under the NIS2 Directive.
NIS2 essential vs important entities: Article 3 scope and supervision guide
Classify NIS2 essential and important entities using Article 3, Annex I and II sector scope, size-cap rules, registration evidence, and the Article 32/33 supervision split.
NIS2 essential vs important entities: supervision regime and audit evidence requirements
Compare NIS2 essential and important entities by scope, Article 21 and 23 duties, Article 32 and 33 supervision, evidence, jurisdiction, and penalties.
NIS2 FAQ: scope, Article 21 controls, incident reporting, and penalties
source-linked NIS2 FAQ for teams deciding whether they are in scope, whether they are essential or important entities, which Article 21 cybersecurity measures apply, how Article 23 incident reporting works, and what penalties and evidence records to plan for.
NIS2 incident clock triage workflow
Triage a possible NIS2 significant incident by recording awareness time, severity, impact, authority route, recipient communications, and Article 23 reporting clocks.
NIS2 Incident Reporting Workflow: 24-hour, 72-hour, and final report steps
Build a NIS2 Article 23 incident reporting workflow with significance triage, CSIRT or authority notification steps, recipient communication, cross-border checks, and evidence records.
NIS2 Management Body Accountability: board duties, training, and evidence
source-linked guide to NIS2 Article 20 management body accountability: approval of Article 21 measures, oversight, liability, training, reporting lines, and evidence.
NIS2 Member State Transposition: What Teams Must Check
How to handle NIS2 Member State transposition: use Article 41 as the EU baseline, then verify national law, authority routing, registration, and incident-reporting details.
NIS2 National Transposition Tracker: EU Member State Evidence Register
Track NIS2 national transposition with Commission country pages, Article 41 dates, reasoned-opinion flags, source wording, authority contacts, and legal review triggers.
NIS2 penalties and fines: Article 34 caps for essential and important entities
NIS2 penalties and fines explained for EU essential and important entities, including Article 34 fine ceilings, Article 21 and 23 triggers, national transposition, and evidence to keep.
NIS2 Registration and Authority Notification Guide
Map NIS2 Article 3 entity-list duties, Article 27 registry submissions, competent-authority contacts, and national registration portal evidence without inventing country deadlines.
NIS2 Requirements: scope, Article 21 controls, reporting, and evidence
Map NIS2 requirements for essential and important entities: scope classification, management-body duties, Article 21 cybersecurity measures, Article 23 incident reporting, and evidence records.
NIS2 Size Cap Rule and Special Scope Cases
Determine whether NIS2 applies under the medium-size rule, regardless-of-size special cases, critical entity rule, and Member State registration lists.
NIS2 size-cap rule: when medium and large entities are in scope
Plain-language FAQ on the NIS2 size-cap rule: medium and large Annex I or II entities, SME thresholds, regardless-of-size exceptions, and evidence to keep.
NIS2 supply chain security program: Article 21 controls, contracts, and evidence
Build a NIS2 Article 21 supply chain security program for direct suppliers and service providers: policy, supplier criteria, contract clauses, monitoring, registry evidence, and source-linked checks.
NIS2 vs CER Directive comparison: cyber obligations and critical-entity resilience
Compare NIS2 and the CER Directive using grounded rows for scope, triggers, evidence, incident handling, supervision, and shared critical-entity work.
NIS2 vs DORA: scope, overlap, and evidence for EU cyber compliance
Compare NIS2 and DORA for EU cyber compliance: covered entities, when DORA replaces NIS2 duties for financial entities, incident reporting, evidence, and supervisory handoffs.
NIS2 vs GDPR breach reporting: EU deadlines and overlap
Compare NIS2 significant-incident reporting with GDPR personal-data-breach reporting, including scope, 24-hour and 72-hour clocks, evidence, and overlap.
NIS2 vs ISO/IEC 27001: legal duties, ISMS evidence, and reuse limits
Compare NIS2 legal obligations with ISO/IEC 27001 ISMS requirements: scope, Article 21 controls, incident clocks, SoA evidence, audits, and certification reuse.
NIS2 vs ISO/IEC 27017: legal duties, cloud controls, and reuse limits
Compare NIS2 legal obligations with ISO/IEC 27017 cloud-service controls: entity scope, Article 21 measures, incident clocks, shared responsibility, evidence, and assurance limits.
NIS2 vs NIS1: what changed in EU cybersecurity compliance
Compare NIS2 with the repealed NIS1 Directive: expanded sectors, essential and important entities, management-body duties, Article 21 controls, Article 23 reporting, and supervision.