
NIS-2 Directive Compliance — From Directive to Dashboard

Map all 10 Article 21(2) requirements to automated controls. Real-time governance heatmap, continuous verification, and audit-ready evidence for essential and important entities.

10 Article 21(2) requirements
350+ global frameworks
€10M maximum penalty (essential entities)
85%+ auto-verified

What Is the NIS-2 Directive?

The NIS-2 Directive (Directive (EU) 2022/2555) is the European Union's updated framework for cybersecurity risk management. Replacing the original NIS Directive of 2016 (Directive (EU) 2016/1148), NIS-2 significantly expands the scope of regulated entities, strengthens the security requirements, and introduces stricter enforcement with substantial penalties, including personal liability for management bodies.

NIS-2 distinguishes essential entities (sectors listed in Annex I, such as energy, transport, banking, healthcare, digital infrastructure and public administration) from important entities (sectors listed in Annex II, such as postal services, waste management, manufacturing, chemicals, food, digital providers and research). Which category applies depends on both sector and size (Article 3): large enterprises in Annex I sectors are essential, while medium-sized Annex I entities and Annex II entities are generally important, with some entities (for example qualified trust service providers and DNS service providers) classed as essential regardless of size. Both categories must implement the cybersecurity risk management measures defined in Article 21; the categories differ in supervision regime and maximum penalties.


All 10 NIS-2 Requirements Mapped to CYFAX + PREVENT

Article 21(2) defines ten mandatory cybersecurity measures. The table below maps each requirement to specific CYFAX and PREVENT capabilities with verification method.

Art. 21(2) | Requirement | CYFAX + PREVENT capability | Verification
(a) | Risk analysis and information system security policies | Compliance Cockpit maps risk posture to the governance heatmap. AI reviews uploaded security policies for fitness for purpose. | CYFAX + Upload
(b) | Incident handling | PREVENT NDR detects incidents in real time. CYFAX tracks Article 23 reporting timelines (24h / 72h / one month). AI reviews incident response plans. | PREVENT Auto
(c) | Business continuity and crisis management | PREVENT validates backup configuration, encryption status and recovery readiness. Compliance Cockpit tracks BCP documentation. | PREVENT Auto
(d) | Supply chain security | TPRM module scores every vendor. Tier 1-3 supply chain visibility. No vendor cooperation required. | CYFAX Auto
(e) | Network and information systems security, including vulnerability handling | PREVENT scans for vulnerabilities with CVSS and KEV enrichment. CYFAX EASM identifies exposed infrastructure, misconfigurations and DNS weaknesses. | PREVENT Auto
(f) | Policies to assess the effectiveness of risk management measures | Continuous BAS testing validates that controls work. Governance heatmap provides real-time effectiveness scoring. | PREVENT Auto
(g) | Basic cyber hygiene practices and cybersecurity training | PREVENT validates endpoint hygiene across 60+ controls. Upload training records for AI compliance review. | PREVENT + Upload
(h) | Policies regarding cryptography and encryption | PREVENT validates encryption enforcement: TLS configuration, certificate management, disk encryption status. | PREVENT Auto
(i) | Human resources security, access control and asset management | PREVENT tests access controls and credential hygiene. CYFAX monitors credential exposure across 20,000+ criminal sources. | CYFAX + PREVENT
(j) | Multi-factor authentication and secured communications | PREVENT validates MFA enforcement. CYFAX validates email security (SPF, DKIM, DMARC). | CYFAX + PREVENT
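The email-security check in row (j) comes down to reading the SPF and DMARC TXT records a domain publishes and deciding whether they actually enforce anything. The following is an added example, not CYFAX or PREVENT code, of how such a check can be expressed offline: it parses constructed SPF and DMARC records (the domains and mailbox addresses are placeholders) and returns the findings a reviewer would expect, such as a DMARC policy of p=none, an SPF record ending in ~all or +all, or too many DNS-querying SPF terms. DKIM is not covered because a DKIM check needs a selector and a live signature, which an offline example cannot supply.

```python
"""Offline evaluation of SPF and DMARC TXT records.

Added example for an Article 21(2)(j) secured-communications check.
The records below are constructed for the example and are not real DNS answers.
"""
import re

# Constructed sample records (not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; pct=100"

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)")


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC record into a tag dict; reject anything that is not DMARC1."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    return tags


def dmarc_findings(txt: str) -> list[str]:
    """Return human-readable weaknesses in a DMARC record (empty list = enforcing)."""
    findings = []
    try:
        tags = parse_dmarc(txt)
    except ValueError as err:
        return [f"invalid: {err}"]
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is filed as spam rather than rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains unprotected while the organisational domain is enforced")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports are not collected, so failures go unseen")
    return findings


def spf_findings(txt: str) -> list[str]:
    """Return weaknesses in an SPF record: permissive 'all' qualifier or lookup overrun."""
    findings = []
    if not txt.lower().startswith("v=spf1"):
        return ["invalid: not an SPF record"]
    terms = txt.split()[1:]
    # The last 'all' term decides the result for senders no earlier term matched.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' term: unmatched senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: any host on the Internet may send as this domain")
        elif qualifier == "?":
            findings.append("?all: neutral result, no enforcement")
        elif qualifier == "~":
            findings.append("~all: softfail only; rely on DMARC enforcement")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the 10-lookup limit (permerror)")
    return findings


def evaluate_domain(spf_txt: str, dmarc_txt: str) -> dict:
    """Combine both checks; an empty list under each key means the record enforces."""
    return {"spf": spf_findings(spf_txt), "dmarc": dmarc_findings(dmarc_txt)}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, evaluate_domain(spf, dmarc))
```

In a live check the two record strings would come from TXT lookups of the domain and of `_dmarc.<domain>`; the evaluation logic is unchanged. The lookup counter is deliberately conservative: it counts terms by syntax and does not follow `include:` chains, so a real resolver-backed check can report more lookups than this offline count.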

NIS-2 Incident Reporting Timeline

Article 23 establishes a three-stage reporting obligation for significant incidents. CYFAX tracks these timelines automatically, and PREVENT's detection capabilities help ensure significant incidents are identified quickly enough to meet the 24-hour early-warning requirement.

24 hours from becoming aware of the incident
Early warning to the competent authority or CSIRT. Indicate whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact.

72 hours from becoming aware of the incident
Incident notification updating the early warning with an initial assessment of severity and impact, including indicators of compromise where available.

One month after submitting the incident notification
Final report with a detailed description of the incident, its severity and impact, the type of threat or root cause, applied and ongoing mitigation measures, and the cross-border impact where applicable. If the incident is still ongoing at that point, a progress report is due instead, with the final report one month after the incident has been handled. Intermediate status updates may also be requested at any stage.

NIS-2 Penalties and Personal Liability

Essential Entities

€10,000,000
or
2% Global Turnover

Whichever is higher. Sectors: energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration and space.

Important Entities

€7,000,000
or
1.4% Global Turnover

Whichever is higher. Sectors: postal and courier services, waste management, manufacturing, chemicals, food, digital providers and research organisations.

Personal Liability for Management

NIS-2 Article 20 requires management bodies to approve the cybersecurity risk management measures, oversee their implementation, and follow training themselves. Member States must ensure that management bodies can be held liable for infringements of Article 21. Board members and senior executives therefore face personal consequences for inadequate cybersecurity governance, a significant escalation from the original NIS Directive.


How CYFAX Delivers NIS-2 Compliance

Governance Heatmap

Interactive compliance heatmap with control-level status mapped to Article 21 requirements. Framework dropdown supports NIS-2, NIST CSF, and 350+ directives simultaneously in a single view.

AI Attestation Engine

Upload evidence documents (PDF, DOC, XLSX, PNG, JPG — up to 10 files per attestation). AI reviews each artifact for fitness-for-purpose against NIS-2 requirements.

TPRM for Supply Chain

Article 21(2)(d) compliance through automated vendor risk scoring. Upload vendor domains via CSV, receive scorecards within hours. Continuous monitoring with alert-driven status changes.

PREVENT Control Validation

Optional endpoint agent validates 60+ internal controls against CIS/MITRE. Continuous BAS providing ongoing proof controls work — satisfying Article 21(2)(f).

Predictive Intelligence (ARETE)

AI predicts breach probability 6–21 weeks in advance. For NIS-2 entities, this transforms incident handling from reactive to proactive.

Continuous Monitoring Evidence

All platform activity produces timestamped, immutable evidence. When the competent authority requests proof, documentation is available on demand.


NIS-2 Directive — Key Questions Answered

What is the NIS-2 Directive?
The NIS-2 Directive (Directive (EU) 2022/2555) is the European Union's updated cybersecurity risk management framework, replacing the original NIS Directive from 2016. It significantly expands the set of regulated entities, strengthens requirements, and introduces stricter enforcement with substantial penalties. NIS-2 requires essential and important entities to implement the measures defined in Article 21.

Which organisations are essential entities?
Essential entities are large organisations in the Annex I sectors: energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration and space, plus a few entity types that are essential regardless of size. They face the strictest supervision and the highest penalties, up to €10 million or 2% of total worldwide annual turnover.

Which organisations are important entities?
Important entities include organisations in the Annex II sectors: postal and courier services, waste management, manufacturing of critical products, chemicals, food production and distribution, digital providers (online marketplaces, search engines, social platforms) and research organisations, together with medium-sized entities in Annex I sectors. They have the same security obligations but lower penalty thresholds, up to €7 million or 1.4% of turnover.

What does Article 21 require?
Article 21 requires entities to take appropriate and proportionate technical, operational and organisational measures to manage cybersecurity risks, covering ten areas: risk analysis and security policies, incident handling, business continuity, supply chain security, secure acquisition and development including vulnerability handling, effectiveness assessment, cyber hygiene and training, cryptography, HR security with access control and asset management, and multi-factor authentication with secured communications.

What are the incident reporting deadlines?
Article 23 establishes three stages: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours of becoming aware with an initial severity assessment, and a final report no later than one month after the incident notification with root cause analysis and mitigation measures. CYFAX tracks these timelines automatically.

What are the penalties?
Essential entities face fines up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities face fines up to €7 million or 1.4% of turnover, whichever is higher. NIS-2 also includes management accountability under Article 20 that can hold senior leaders personally responsible.

Can management be held personally liable?
Yes. Article 20 requires management bodies to approve and oversee cybersecurity risk management measures. Member States must ensure management bodies can be held liable for infringements. Board members and senior executives face personal consequences for inadequate cybersecurity governance.

How does the Compliance Cockpit map NIS-2 requirements?
The Compliance Cockpit provides an interactive governance heatmap mapping controls to each Article 21(2) requirement. Each control shows Compliant, Review or Critical status. Auto-verification covers approximately 40-50% of controls from external data alone, increasing to 85%+ with PREVENT. The framework dropdown supports NIS-2, NIST CSF and 350+ directives simultaneously.

How does CYFAX address supply chain security?
Article 21(2)(d) requires managing supply chain security. The CYFAX TPRM module automates this: upload vendor domains via CSV and receive risk scorecards within hours showing external exposures, credential status and email weaknesses. Continuous monitoring triggers alerts when vendor posture degrades. No vendor cooperation is required.

Can NIS-2 be tracked alongside other frameworks?
Yes. The Compliance Cockpit maps controls across 350+ global directives simultaneously. Entities subject to NIS-2, DORA, GDPR, ISO 27001 and NIST CSF can view compliance across all frameworks through a single heatmap. One control validation can satisfy requirements across multiple frameworks, eliminating redundant effort.

How does CYFAX differ from a GRC platform?
Pure GRC platforms automate documentation but do not provide the underlying security operations. CYFAX is a cybersecurity platform that produces compliance evidence as a byproduct of actual threat intelligence, dark web monitoring, predictive analytics and continuous control validation. The compliance heatmap reflects real security status because the operations behind it are real.

Map Your NIS-2 Compliance Position

Give us your domain. Within 60 minutes we will show you where you stand against every Article 21(2) requirement, with zero installation and no traffic sent to your network beyond external reconnaissance.

