NIS2 Article 21 Control-by-Control Evidence

A control-by-control evidence checklist for the ten cybersecurity risk-management measure areas in NIS2 Article 21.

Use it to connect each Article 21 control area to owners, policies, tests, supplier records, logs, approvals, and review triggers without treating a generic certificate as the whole evidence file.

Author: Sorena AI
Published: May 9, 2026
Updated: May 27, 2026

Overview

NIS2 Article 21 requires essential and important entities to apply appropriate and proportionate technical, operational, and organisational cybersecurity risk-management measures. This artifact turns the Article 21 measure list into an evidence checklist: what to keep for each control area, who should own it, and when it should be refreshed.

Section 1

What Article 21 Evidence Needs to Prove

The evidence file should show more than the existence of a cybersecurity program. It should show that the entity has identified Article 21 controls, selected measures proportionate to its risks, implemented them for the relevant network and information systems, and kept management oversight visible.

Keep Article 20 governance evidence beside the Article 21 control evidence. Management bodies must approve the cybersecurity risk-management measures, oversee implementation, and receive training, so board or management approval records are part of the evidence trail.

  • Record the entity classification basis, covered services, Member State implementation context, and the systems in scope.
  • Map each Article 21(2) control area to a named policy, procedure, technical control, test, or register.
  • Keep evidence of proportionality: risk exposure, entity size, likelihood and severity of incidents, and expected societal or economic impact.
  • Attach management-body approval, oversight reporting, and training records to the control evidence set.
  • When a measure is not applicable or not feasible, document the reasoning and any compensating measure rather than leaving the control blank.
Section 2

Article 21 Control Areas and Evidence Records

Use the Article 21(2) list as the spine of the evidence matrix. Each row should state the control area, the responsible owner, the implemented measure, the evidence record, the last review date, and the next trigger for review.

| Control area | Owner | Implemented measure | Evidence record | Last review | Next review trigger |
| --- | --- | --- | --- | --- | --- |
| Governance and risk analysis | CISO / risk owner | Risk methodology, risk register, security policy, and management approval | Approved risk assessment, treatment plan, and board reporting | Latest annual review | Major risk change or annual policy review |
| Incident handling | SOC / incident manager | Triage, escalation, response, and lessons learned | Incident handling procedure, incident records, and post-incident reviews | Latest incident exercise | Significant incident or procedure update |
| Business continuity and crisis management | BCM lead | Backup, recovery, and crisis roles | BIA, DR plan, recovery test results, and crisis plan | Latest recovery test | Major service change or failed test |
| Supply chain security | Procurement / vendor owner | Supplier screening and contract controls | Supplier inventory, risk assessments, clauses, and vulnerability review records | Latest supplier review | New direct supplier or contract renewal |
| Secure acquisition, development, maintenance, vulnerability handling, and disclosure | Engineering / product owner | Security requirements, change control, patching, and disclosure handling | SDLC controls, patch logs, vulnerability intake, and disclosure records | Latest release cycle | Major release or critical vulnerability |
| Effectiveness assessment | Security assurance lead | Testing and audit program | Test plan, scan results, penetration tests, remediation tracker, and audit outputs | Latest test cycle | New material weakness or scheduled retest |
| Cyber hygiene and training | HR / awareness lead | Awareness, training, and secure working practices | Completion records, phishing exercises, and device configuration standards | Latest training campaign | New starter cohort or annual refresh |
| Cryptography and encryption | Security architecture lead | Encryption standards and key management | Crypto policy, key management records, exception approvals, and review notes | Latest crypto review | Algorithm change or exception renewal |
| Human resources security, access control, and asset management | IAM / asset owner | Joiner-mover-leaver, privileged access, and inventory controls | Access reviews, asset inventory, classification, lifecycle, and end-of-life records | Latest access review | Role change, asset disposal, or access exception |
| Multi-factor or continuous authentication and secure communications | Identity / communications owner | MFA coverage and secure channels | MFA enforcement evidence, exception approvals, and secure communication procedures | Latest authentication review | New privileged route, remote access change, or exception expiry |

  • Risk analysis and information system security: risk methodology, risk register, security policy, topic-specific policies, risk treatment plan, and management approval.
  • Incident handling: incident handling procedure, event triage rules, escalation paths, incident records, lessons learned, and links to Article 23 notification workflow evidence.
  • Business continuity and crisis management: business impact analysis, backup management, disaster recovery plan, crisis roles, recovery test results, and dependency records.
  • Supply chain security: direct supplier and service-provider inventory, supplier risk assessments, contract security clauses, secure development checks, and evidence that supplier vulnerabilities were considered.
  • Acquisition, development, maintenance, vulnerability handling, and disclosure: security requirements for ICT products and services, change records, vulnerability intake, patch management, and disclosure handling.
Section 3

Effectiveness, Training, Cryptography, Access, Assets, and Authentication

The second half of Article 21(2) is often where evidence becomes thin. A policy title alone is not enough; the record should show how the control was put into operation and how the entity knows it is working.

For entities covered by Implementing Regulation (EU) 2024/2690, the annexed requirements and ENISA guidance provide additional implementation structure for digital infrastructure, ICT service management, digital provider, and trust-service contexts.

  • Effectiveness assessment: testing policy, vulnerability scans, penetration tests, configuration tests, security audits, remediation records, and independent review outputs.
  • Cyber hygiene and cybersecurity training: training completion, awareness topics, phishing or social-engineering education, secure remote-working practices, and software update or device configuration controls.
  • Cryptography and encryption: cryptography policy, encryption decisions, key management responsibilities, exceptions, and review records for systems handling sensitive or critical information.
  • Human resources security, access control, and asset management: joiner-mover-leaver controls, privileged access review, disciplinary process references, asset inventory, asset owner, classification, patch status, and end-of-life records.
  • Multi-factor or continuous authentication and secure communications: privileged and remote-access authentication coverage, exception approvals, secure voice, video, text, and emergency communication arrangements where appropriate.
Section 4

How to Build the Evidence Matrix

Build one row per Article 21 control area and one additional row for governance. Avoid a single undifferentiated folder called "NIS2 evidence"; it makes gaps hard to spot and does not show whether all ten control areas have been addressed.

For each row, keep the legal source, the internal implementation reference, the control owner, the evidence location, the latest test or approval, and the next review trigger. That structure lets legal, security, procurement, engineering, and management-body reviewers use the same record.

  • Use the Article 21 control wording as the row label so reviewers can trace evidence back to the directive.
  • Separate evidence of design from evidence of operation, such as policy approval versus a completed access review or recovery test.
  • Mark the systems, suppliers, services, and business units covered by the evidence so scope is visible.
  • Record exceptions, compensating measures, and risk acceptance decisions with owner and approval evidence.
  • Refresh rows after significant service changes, new direct suppliers, major incidents, material infrastructure changes, or changes in national implementation guidance.
Section 5

Implementation Checklist for Article 21 Evidence

Use this checklist before presenting Article 21 evidence to management, auditors, or a competent authority. It focuses on traceability: every claim should connect to a source, an owner, an implemented measure, and retrievable proof.

Do not treat a framework mapping, supplier certificate, or general security policy as complete Article 21 evidence unless it is tied back to the specific control area and scope it supports.

Does NIS2 Article 21 require one evidence record or control-by-control evidence?

Article 21 lists multiple cybersecurity risk-management measure areas. A control-by-control evidence matrix is the safer working format because it shows how each Article 21(2) area is implemented, owned, tested, and reviewed.

Can a certification or framework mapping replace Article 21 evidence?

No. A certification or mapping can support the file, but the evidence still needs to show the entity's own scope, risks, implemented measures, management oversight, supplier context, tests, exceptions, and corrective actions.

  • All ten Article 21(2) control areas have a row, owner, evidence record, and review trigger.
  • Management-body approval and oversight records are linked to the control evidence.
  • Supplier evidence covers direct suppliers and service providers, including vulnerabilities and cybersecurity practices considered for each relevant relationship.
  • Testing evidence shows whether measures are implemented and functioning, not only that tests were scheduled.
  • Asset and access evidence identifies owners, classifications, privileged access, MFA coverage, lifecycle state, and exceptions.
  • Non-applicable or infeasible requirements are explained with documented reasoning and compensating measures where used.
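As an added example (not part of the original page), the following Python script encodes the Section 4 matrix structure and the first checklist item above: it validates a constructed evidence matrix against the ten Article 21(2) control areas (labelled as in the Section 2 and 3 lists), reporting areas with no row, rows with no owner or review trigger, rows with design evidence but no operating evidence, and rows whose last review is older than a configurable interval. The row contents, dates, and the 365-day default are constructed sample values, not requirements taken from the Directive.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

ARTICLE_21_AREAS = (  # the ten Article 21(2) areas, labelled as in this page's Section 2 and 3 lists
    "Risk analysis and information system security",
    "Incident handling",
    "Business continuity and crisis management",
    "Supply chain security",
    "Acquisition, development, maintenance, vulnerability handling, and disclosure",
    "Effectiveness assessment",
    "Cyber hygiene and training",
    "Cryptography and encryption",
    "Human resources security, access control, and asset management",
    "Multi-factor or continuous authentication and secure communications",
)

@dataclass
class EvidenceRow:
    """One matrix row; design evidence (approved policy) is kept apart from operating evidence."""
    control_area: str
    owner: str
    design_evidence: tuple[str, ...]     # e.g. approved policy, signed procedure
    operating_evidence: tuple[str, ...]  # e.g. completed access review, recovery test
    last_review: date | None
    next_review_trigger: str

def find_gaps(rows: list[EvidenceRow], today: date, max_age_days: int = 365):
    """Return (control_area, finding) pairs for every traceability gap in the matrix."""
    by_area = {row.control_area: row for row in rows}
    findings = []
    for area in ARTICLE_21_AREAS:
        row = by_area.get(area)
        if row is None:  # checklist item: every area has a row
            findings.append((area, "no row"))
            continue
        checks = (
            (not row.owner.strip(), "no owner"),
            (not row.design_evidence, "no design evidence"),
            (not row.operating_evidence, "no operating evidence"),  # a policy title alone is not enough
            (not row.next_review_trigger.strip(), "no review trigger"),
            (row.last_review is None, "never reviewed"),
            (row.last_review is not None and (today - row.last_review).days > max_age_days, "stale review"),
        )
        findings.extend((area, label) for failed, label in checks if failed)
    return findings

def sample_matrix() -> list[EvidenceRow]:
    """Constructed sample: no cryptography row, design-only incident row, stale supply chain row."""
    rows = [EvidenceRow(a, "control owner", ("approved policy",), ("completed review",),
                        date(2026, 3, 1), "annual review")
            for a in ARTICLE_21_AREAS if a != "Cryptography and encryption"]
    rows[1] = EvidenceRow("Incident handling", "SOC manager", ("procedure v3",), (),
                          date(2026, 3, 1), "significant incident or procedure update")
    rows[3] = EvidenceRow("Supply chain security", "Procurement", ("supplier policy",),
                          ("supplier review",), date(2024, 11, 2), "contract renewal")
    return rows

def run_sample(today: date = date(2026, 5, 27), max_age_days: int = 365):  # constructed "as of" date
    return find_gaps(sample_matrix(), today, max_age_days)
```

Each finding names the Article 21(2) area it belongs to, so the output can be pasted straight into the matrix row that needs work.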
Primary sources

  • eur-lex.europa.eu: Article 21 is the source for the ten control areas and the proportionality standard used in this checklist. Quoted passage: "shall include at least".
  • enisa.europa.eu: ENISA guidance gives practical implementation context and mapping support for the technical requirements in Implementing Regulation (EU) 2024/2690. Quoted passage: "practical advice".
  • digital-strategy.ec.europa.eu: The Commission overview supports the page context that NIS2 introduces risk-management and reporting requirements across more sectors. Quoted passage: "risk management measures".
  • eur-lex.europa.eu: The implementing regulation supports keeping specific policy, test, supplier, asset, access, and compensating-measure records for covered digital-sector entities. Quoted passage: "compensating measures".