NIS2 Article 21 — the ten cybersecurity risk-management measures
Article 21 is the operational heart of NIS2. Paragraph 2 lists ten cybersecurity risk-management measures every in-scope entity must implement, "appropriate and proportionate" to the risks it faces. The list is the auditor's checklist, and your customers' security questionnaires will mirror it. Most of the measures are organisational, but several of them, notably (e), (h) and (i), have externally observable components, and that is where SaaSFort's external scan produces evidence.
Who Article 21 applies to
Every NIS2 in-scope entity. The proportionality clause in Art. 21(1) means a 50-person SaaS is not held to the same maturity as a 5,000-person bank, but every one of the ten measures must be addressed, and the reasoning behind the level of control chosen should be written down so the auditor can see it was a decision rather than an omission.
What Article 21 obliges you to do
- (a) policies on risk analysis and information system security
- (b) incident handling
- (c) business continuity, such as backup management and disaster recovery, and crisis management
- (d) supply-chain security (assess your direct suppliers and service providers)
- (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
- (f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- (g) basic cyber hygiene practices and cybersecurity training
- (h) policies and procedures regarding the use of cryptography and, where appropriate, encryption
- (i) human resources security, access-control policies and asset management
- (j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate
Common misconception
"Art. 21 only matters if my customer asks for it."
False. Art. 21 is the law; the customer questionnaire is downstream of it. The auditor checks Art. 21 directly; the customer questionnaire asks for the same content in plain English. Treating one as a subset of the other is the source of most of the documentation gaps we see.
Get the external-posture evidence in 60 seconds
An auditor reviewing Article 21 compliance will ask for evidence. SaaSFort produces the externally observable portion (TLS configuration, HTTP security headers, DNS, certificates, exposed surfaces) in 60 seconds, mapped to Art. 21 sub-clauses and ISO 27001 Annex A.
Frequently asked questions
How do I prove Art. 21(2)(h) cryptography compliance to an auditor?
Combine external evidence (only TLS 1.2 and 1.3 offered, with legacy protocol versions refused; a certificate chain that validates to a public root and is not close to expiry; forward-secret AEAD cipher suites; all observable from outside the perimeter) with internal evidence (encryption-at-rest policy, key-management procedures, a deprecation schedule for weak algorithms). SaaSFort produces the external posture portion in 60 seconds.
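What the external-evidence part looks like when you collect it yourself, as an added example (not SaaSFort's scanner or code): a Python script that parses the text printed by `openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null` (save it to a file, then append the output of `openssl x509 -noout -dates < that_file` to get the expiry line) and classifies protocol version, cipher suite, chain verification and certificate expiry. The two embedded s_client transcripts are constructed samples, not real captures; the accepted-protocol list, weak-cipher markers and 30-day expiry threshold are policy choices made for the example, not values taken from NIS2.

```python
"""Classify externally observable TLS evidence from `openssl s_client` output.

Added example for this page, not SaaSFort code. Input is the text of
    openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null
optionally followed by the `notAfter=` line that
    openssl x509 -noout -dates < saved_s_client_output
prints for the leaf certificate.
"""
import re
from datetime import datetime, timezone

# Policy choices for this example, not values taken from NIS2 or any standard.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5", "ADH-", "AECDH-")
EXPIRY_WARN_DAYS = 30

# Fixed "now" so the embedded samples evaluate the same way on every run.
REFERENCE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

_RX_PROTOCOL = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)   # SSL-Session block
_RX_CIPHER = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)
_RX_VERIFY = re.compile(r"Verify return code:\s*(\d+)\s*\(([^)]*)\)")
_RX_NOT_AFTER = re.compile(r"^notAfter=(.+?)\s*$", re.M)       # from `x509 -dates`


def parse_s_client(text):
    """Extract protocol, cipher, verify result and (if present) expiry."""
    fields = {}
    if m := _RX_PROTOCOL.search(text):
        fields["protocol"] = m.group(1)
    if m := _RX_CIPHER.search(text):
        fields["cipher"] = m.group(1)
    if m := _RX_VERIFY.search(text):
        fields["verify_code"] = int(m.group(1))
        fields["verify_reason"] = m.group(2).strip()
    if m := _RX_NOT_AFTER.search(text):
        # openssl prints e.g. "Sep 30 12:00:00 2025 GMT"; strptime tolerates
        # the double space openssl uses for single-digit days.
        fields["not_after"] = datetime.strptime(
            m.group(1), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return fields


def assess_tls_posture(text, now=None):
    """Return {'fields': ..., 'findings': [...], 'passed': bool} for one endpoint."""
    now = now or datetime.now(timezone.utc)
    fields = parse_s_client(text)
    findings = []

    proto = fields.get("protocol")
    if proto not in ACCEPTED_PROTOCOLS:
        findings.append(f"negotiated {proto}; only {sorted(ACCEPTED_PROTOCOLS)} accepted")

    cipher = fields.get("cipher", "")
    weak = [mk for mk in WEAK_CIPHER_MARKERS if mk in cipher.upper()]
    if not cipher or weak:
        findings.append(f"cipher suite {cipher or '(none)'} is legacy/weak: {weak}")

    code = fields.get("verify_code")
    if code is None:
        findings.append("no 'Verify return code' line; chain validation not recorded")
    elif code != 0:
        findings.append(f"chain not verified: {fields['verify_reason']} (code {code})")

    if "not_after" in fields:
        days_left = (fields["not_after"] - now).days
        if days_left < 0:
            findings.append(f"certificate expired {-days_left} days ago")
        elif days_left < EXPIRY_WARN_DAYS:
            findings.append(f"certificate expires in {days_left} days")

    return {"fields": fields, "findings": findings, "passed": not findings}


# Constructed, abridged s_client transcripts (not real captures).
SAMPLE_MODERN = """\
CONNECTED(00000003)
depth=2 C = US, O = Example Root CA
verify return:1
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol  : TLSv1.3
Cipher    : TLS_AES_256_GCM_SHA384
    Verify return code: 0 (ok)
notAfter=Sep 30 12:00:00 2025 GMT
"""

SAMPLE_LEGACY = """\
CONNECTED(00000003)
depth=0 CN = legacy.example.com
verify error:num=18:self signed certificate
---
New, TLSv1.0, Cipher is DES-CBC3-SHA
Protocol  : TLSv1
Cipher    : DES-CBC3-SHA
    Verify return code: 18 (self signed certificate)
notAfter=Jun 10 00:00:00 2025 GMT
"""

if __name__ == "__main__":
    for name, sample in (("modern", SAMPLE_MODERN), ("legacy", SAMPLE_LEGACY)):
        result = assess_tls_posture(sample, now=REFERENCE_NOW)
        print(f"{name}: {'PASS' if result['passed'] else 'FAIL'}")
        for finding in result["findings"]:
            print("  -", finding)
```

Each finding maps to one piece of the (h) evidence an auditor asks about: protocol version and cipher to the "no weak algorithms" policy, the verify code to chain validity, `notAfter` to certificate lifecycle management. Run it against a saved transcript of each public endpoint and keep the output with the scan date; that, not the policy document alone, is what demonstrates the control is operating.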
Does Art. 21(2)(d) supply-chain security require a SOC 2 from every vendor?
No. The measure requires a risk assessment of suppliers proportionate to their criticality, not a specific certification. A documented vendor-risk process (who your direct suppliers and service providers are, how critical each one is, what you checked and when) plus posture evidence on key vendors (e.g. a SaaSFort scan of their public domain) satisfies the obligation for most SMB-tier suppliers; a SOC 2 or ISO 27001 certificate is useful evidence for the critical tier but is not required by the text.
Which Art. 21 measures does SaaSFort directly help with?
External-posture portions of (e) acquisition/development security, (h) cryptography (TLS, certificates), (i) access control (via exposed-panel discovery + DNS hygiene), and supply-chain evidence collection for (d). The 60-check engine maps each finding to a specific Art. 21 sub-clause.
→ NIS2 Art. 21 self-audit template walkthrough
Related cornerstones: Article 23 — incident response · NIS2 / BSI / ISO 27001 glossary · BSI IT-Grundschutz Bausteine · Industry-specific NIS2 checklists