Artifact GuideEU

NIS2 Article 21 Gap Assessment Workflow

Map existing cybersecurity controls to Article 21 risk-management measures, identify missing evidence, and assign owners for remediation and management review.

Use this workflow with the NIS2 Directive, Commission Implementing Regulation (EU) 2024/2690 where it applies, and ENISA implementation guidance.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 27, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 27, 2026
Overview

This workflow helps security, legal, risk, procurement, and operations teams assess gaps against NIS2 Article 21. It starts with scope, then maps current policies, controls, and evidence to the Article 21(2) measure areas before turning gaps into owned remediation work.

Section 1

Start with scope and proportionality

Confirm whether the entity, service, country implementation, and sector facts bring the activity within NIS2 before scoring controls. Article 21 applies to essential and important entities, but Member State implementation and sector-specific rules can affect the practical evidence request.

For the gap assessment, record the risk context that Article 21 uses: state of the art, relevant European and international standards where applicable, cost of implementation, entity size, exposure to risk, and the likelihood and severity of incidents.

  • Identify the entity type, relevant Annex I or Annex II sector, Member State implementation route, and service boundary being assessed.
  • Separate EU-level Article 21 requirements from local supervisory forms, registrations, portals, or templates.
  • Write down why each control is proportionate for the assessed service, not just whether a policy exists.
  • Flag any cross-border service, supplier dependency, or critical system that may change the risk treatment decision.
Sources for this answer
Directive (EU) 2022/2555 (NIS2)
Article 21 sets the proportionality frame for cybersecurity risk-management measures taken by essential and important entities.
European Commission - NIS2 Directive overview
Commission overview for the NIS2 policy context, scope expansion, and high-level obligations.
Section 2

Map Article 21(2) measure areas to current controls

Use Article 21(2) as the control taxonomy for the first pass. Each row should name the current control, owner, system or process covered, evidence location, gap rating, and remediation action.

Do not collapse supplier security, incident handling, access control, cryptography, and business continuity into one generic security-policy row. Article 21 expects coverage across multiple technical, operational, and organisational measure areas.

  • Risk analysis and information system security: risk methodology, risk criteria, risk register, treatment plan, and management acceptance of residual risk.
  • Incident handling: procedures for detecting, analysing, containing, responding to, recovering from, documenting, and reporting incidents.
  • Business continuity and crisis management: backup management, disaster recovery, continuity plans, and crisis roles.
  • Supply chain and acquisition security: direct supplier and service-provider risks, secure development, vulnerability handling, and disclosure.
  • Effectiveness, hygiene, cryptography, HR security, access control, asset management, authentication, and secure communications: test evidence, training records, policy reviews, logs, inventories, and exceptions.
Sources for this answer
Directive (EU) 2022/2555 (NIS2)
Article 21(2) lists the minimum areas that the gap assessment should map to current measures and evidence.
ENISA - NIS2 technical implementation guidance
ENISA guidance provides implementation guidance and examples of evidence for the technical and methodological requirements.
Section 3

Use the implementing regulation carefully

Commission Implementing Regulation (EU) 2024/2690 gives detailed technical and methodological requirements for specific digital infrastructure, ICT service management, digital provider, and trust-service entity types named in Article 21(5). Use it directly for those covered entities and as useful guidance only when another entity is outside that regulation's scope.

When it applies, align the gap assessment to the regulation's annexed requirements and ENISA's evidence examples. For other NIS2 entities, record the national rule or supervisory expectation that turns Article 21 into a concrete control requirement.

  • Check whether the assessed service is a DNS service, TLD registry, cloud computing service, data centre service, CDN, managed service, managed security service, online marketplace, online search engine, social networking service platform, or trust service.
  • If the implementing regulation applies, map each relevant annex requirement to a control, evidence item, gap, owner, and remediation due date.
  • If it does not apply, avoid presenting the regulation as binding for the entity; cite it as guidance only where appropriate and add the controlling national source when available.
  • Keep compensating measures separate from full control implementation so reviewers can see what is accepted, temporary, or pending.
Sources for this answer
Implementing Regulation (EU) 2024/2690 for NIS2 technical measures
Sets technical and methodological requirements for Article 21 cybersecurity risk-management measures for the specified covered entity types.
ENISA - NIS2 technical implementation guidance
Explains that ENISA guidance supports the implementing regulation and is advisory rather than a replacement for national frameworks.
Section 4

Evidence fields for each gap row

A useful gap assessment is not a maturity score alone. Each row should let a reviewer trace the requirement to the actual control, proof, owner, and decision on residual risk.

Use evidence that shows the measure is in place and maintained. ENISA examples include documented frameworks, risk assessments, treatment plans, approval records, procedures, logs, organisational charts, and review change logs, depending on the requirement being assessed.

  • Requirement reference: Article 21(2) point, implementing-regulation annex point where applicable, and national source if the local rule adds detail.
  • Current-state evidence: policy, procedure, register, ticket, audit result, test result, training record, supplier assessment, log sample, asset inventory, or approval record.
  • Gap statement: missing control, weak evidence, unclear owner, outdated review, unsupported exception, or unaccepted residual risk.
  • Remediation owner: the person or team able to change the system, contract, process, training, or evidence repository.
  • Review trigger: significant operational change, risk change, incident, supplier change, audit finding, authority request, or scheduled review.
Sources for this answer
ENISA - NIS2 technical implementation guidance
Provides practical evidence examples for NIS2 cybersecurity risk-management requirements.
Implementing Regulation (EU) 2024/2690 for NIS2 technical measures
The annexed technical and methodological requirements can be used as row-level references for covered entity types.
Section 5

Close the assessment with management visibility

Article 20 links Article 21 measures to management-body approval, oversight, training, and potential liability under Member State law. The close-out package should therefore be ready for management review, not only security-team tracking.

Before closing the assessment, confirm that residual risks have been accepted by the right governance body or accountable role, that corrective measures are tracked without undue delay where non-compliance is found, and that the evidence can be retrieved for customers, auditors, or competent authorities.

What should a NIS2 Article 21 gap assessment produce?

It should produce a control-to-requirement map, evidence list, gap register, remediation owner map, residual-risk acceptance record, and review trigger list for the assessed service or entity.

Can ENISA guidance replace the NIS2 Directive or national implementation law?

No. ENISA guidance is useful for implementation and evidence examples, but the binding source remains the NIS2 Directive, applicable implementing regulation, and the relevant Member State implementation or supervisory requirements.

  • Summarise open Article 21 gaps by risk, impacted service, owner, and remediation status.
  • Escalate residual-risk acceptance to the management body or accountable risk owner identified in the governance process.
  • Track corrective measures separately from evidence-cleanup tasks so implementation risk is visible.
  • Keep the final assessment pack with source citations, control mapping, evidence links, exceptions, approvals, and next review triggers.
Sources for this answer
Directive (EU) 2022/2555 (NIS2)
Article 20 connects Article 21 measures to management-body approval, oversight, training, and liability rules.
ENISA - NIS2 technical implementation guidance
Describes risk treatment plans, residual-risk acceptance, and evidence examples useful for management review.
Recommended next step

Use this NIS2 Article 21 workflow to build a cited gap register

Sorena can help convert Article 21 requirements, implementing-regulation annex points, and ENISA evidence examples into control mappings, evidence requests, and management-ready remediation tracking.

Research workflow
Open Research Copilot for NIS2 Article 21

Ask source-linked questions about Article 21 controls, evidence examples, implementing-regulation scope, and remediation planning using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through NIS2 gap assessment

Review your Article 21 control map, evidence gaps, and management review package with Sorena.

Explore next step
Primary sources

References and citations

Directive (EU) 2022/2555 (NIS2)
eur-lex.europa.eu
Referenced sections
  • Article 20 connects Article 21 measures to management-body approval, oversight, training, and liability rules.
"approve the cybersecurity risk-management measures"
Related guides

Explore more topics

Are managed service providers in scope of NIS2?
NIS2 scope answer for managed service providers and managed security service providers, including service definition, size-cap checks, entity status, and jurisdiction evidence.
EU NIS2 Directive applicability test for entity scope
Stepwise NIS2 applicability test for Annex I and Annex II sectors, medium and large entities, size-independent cases, essential or important classification, jurisdiction, and evidence.
EU NIS2 Directive deadlines and compliance calendar | Article 23 clocks
source-linked NIS2 compliance calendar covering 17 October 2024 transposition, 18 October 2024 application, Article 27 registry data, Article 3 entity lists, Article 23 incident-reporting clocks, and Member State transposition watch items.
FAQ: NIS2 essential vs important entity classification and registration obligations
Plain-English FAQ comparing NIS2 essential entities and important entities, with Article 3 classification rules, shared Article 21 and 23 duties, supervision differences, and evidence to keep.
NIS2 24-hour early warning: what to send and when
Under NIS2 Article 23, covered essential and important entities submit an early warning within 24 hours of becoming aware of a significant incident.
NIS2 72-hour incident notification FAQ
Direct answer on the NIS2 72-hour incident notification: when it is due, what it updates, what it must include, and how to preserve evidence.
NIS2 Annex I and Annex II Sector Scoping Guide
Map NIS2 Annex I and Annex II sectors, entity types, size-cap rules, and essential versus important entity classification with official EU sources.
NIS2 Article 21 control baseline and evidence checklist
Build a NIS2 Article 21 control baseline from the Directive's minimum cybersecurity risk-management measures, proportionality test, supplier duties, and evidence expectations.
NIS2 Article 21 control-by-control evidence checklist
Map NIS2 Article 21 risk-management measures to evidence records for governance, incident handling, continuity, supply chain, testing, cyber hygiene, cryptography, access, assets, and authentication.
NIS2 Article 23 incident notification workflow
Map NIS2 Article 23 reporting duties for significant incidents: 24-hour early warning, 72-hour notification, intermediate reports, final report, recipients, and evidence.
NIS2 Compliance Checklist: scope, controls, reporting
Use this NIS2 compliance checklist to confirm scope, entity classification, management-body duties, Article 21 controls, Article 23 reporting, and evidence.
NIS2 Compliance Guide: scope, controls, reporting, and evidence
A practical NIS2 compliance guide for mapping entity scope, Article 21 risk measures, Article 23 incident reporting, management accountability, and evidence records.
NIS2 Country Transposition Tracker: EU Status Workflow
Track NIS2 Directive transposition by EU country with Commission status pages, Article 41 deadlines, reasoned-opinion flags, source URLs, and review controls.
NIS2 Entity Classifier Workflow: essential vs important entity scoping
Classify whether an EU service is out of scope, an important entity, an essential entity, or needs national-authority review under the NIS2 Directive.
NIS2 essential vs important entities: Article 3 scope and supervision guide
Classify NIS2 essential and important entities using Article 3, Annex I and II sector scope, size-cap rules, registration evidence, and the Article 32/33 supervision split.
NIS2 essential vs important entities: supervision regime and audit evidence requirements
Compare NIS2 essential and important entities by scope, Article 21 and 23 duties, Article 32 and 33 supervision, evidence, jurisdiction, and penalties.
NIS2 FAQ: scope, Article 21 controls, incident reporting, and penalties
source-linked NIS2 FAQ for teams deciding whether they are in scope, whether they are essential or important entities, which Article 21 cybersecurity measures apply, how Article 23 incident reporting works, and what penalties and evidence records to plan for.
NIS2 incident clock triage workflow
Triage a possible NIS2 significant incident by recording awareness time, severity, impact, authority route, recipient communications, and Article 23 reporting clocks.
NIS2 Incident Reporting Workflow: 24-hour, 72-hour, and final report steps
Build a NIS2 Article 23 incident reporting workflow with significance triage, CSIRT or authority notification steps, recipient communication, cross-border checks, and evidence records.
NIS2 Management Body Accountability: board duties, training, and evidence
source-linked guide to NIS2 Article 20 management body accountability: approval of Article 21 measures, oversight, liability, training, reporting lines, and evidence.
NIS2 Member State Transposition: What Teams Must Check
How to handle NIS2 Member State transposition: use Article 41 as the EU baseline, then verify national law, authority routing, registration, and incident-reporting details.
NIS2 National Transposition Tracker: EU Member State Evidence Register
Track NIS2 national transposition with Commission country pages, Article 41 dates, reasoned-opinion flags, source wording, authority contacts, and legal review triggers.
NIS2 penalties and fines: Article 34 caps for essential and important entities
NIS2 penalties and fines explained for EU essential and important entities, including Article 34 fine ceilings, Article 21 and 23 triggers, national transposition, and evidence to keep.
NIS2 Registration and Authority Notification Guide
Map NIS2 Article 3 entity-list duties, Article 27 registry submissions, competent-authority contacts, and national registration portal evidence without inventing country deadlines.
NIS2 Requirements: scope, Article 21 controls, reporting, and evidence
Map NIS2 requirements for essential and important entities: scope classification, management-body duties, Article 21 cybersecurity measures, Article 23 incident reporting, and evidence records.
NIS2 Size Cap Rule and Special Scope Cases
Determine whether NIS2 applies under the medium-size rule, regardless-of-size special cases, critical entity rule, and Member State registration lists.
NIS2 size-cap rule: when medium and large entities are in scope
Plain-language FAQ on the NIS2 size-cap rule: medium and large Annex I or II entities, SME thresholds, regardless-of-size exceptions, and evidence to keep.
NIS2 supply chain security program: Article 21 controls, contracts, and evidence
Build a NIS2 Article 21 supply chain security program for direct suppliers and service providers: policy, supplier criteria, contract clauses, monitoring, registry evidence, and source-linked checks.
NIS2 vs CER Directive comparison: cyber obligations and critical-entity resilience
Compare NIS2 and the CER Directive using grounded rows for scope, triggers, evidence, incident handling, supervision, and shared critical-entity work.
NIS2 vs DORA: scope, overlap, and evidence for EU cyber compliance
Compare NIS2 and DORA for EU cyber compliance: covered entities, when DORA replaces NIS2 duties for financial entities, incident reporting, evidence, and supervisory handoffs.
NIS2 vs GDPR breach reporting: EU deadlines and overlap
Compare NIS2 significant-incident reporting with GDPR personal-data-breach reporting, including scope, 24-hour and 72-hour clocks, evidence, and overlap.
NIS2 vs ISO/IEC 27001: legal duties, ISMS evidence, and reuse limits
Compare NIS2 legal obligations with ISO/IEC 27001 ISMS requirements: scope, Article 21 controls, incident clocks, SoA evidence, audits, and certification reuse.
NIS2 vs ISO/IEC 27017: legal duties, cloud controls, and reuse limits
Compare NIS2 legal obligations with ISO/IEC 27017 cloud-service controls: entity scope, Article 21 measures, incident clocks, shared responsibility, evidence, and assurance limits.
NIS2 vs NIS1: what changed in EU cybersecurity compliance
Compare NIS2 with the repealed NIS1 Directive: expanded sectors, essential and important entities, management-body duties, Article 21 controls, Article 23 reporting, and supervision.