
NIS2 Article 21 Explained: Cybersecurity Risk Management and What "Effective" Really Means for Security Awareness

Vlastimil Sindelar



NIS2 Article 21 is where cybersecurity becomes operational.

It moves beyond policy statements and into measurable, risk-based implementation. If Article 20 defines governance accountability, Article 21 defines what organisations must actually do.

This post breaks down what Article 21 requires, what it implies in practice, and what organisations should be prepared to demonstrate during supervisory review.

It also looks specifically at what Article 21 means for security awareness and training effectiveness - and why completion alone is not enough.


The short version

Article 21 requires organisations to implement appropriate and proportionate security measures, and to treat cybersecurity as a risk-managed system. That includes training and cyber hygiene, but also the ability to assess effectiveness and take corrective measures without undue delay when gaps are found.

What does NIS2 Article 21 require for security awareness?

NIS2 Article 21 requires organisations to implement cybersecurity training and to assess the effectiveness of their cybersecurity risk-management measures. Training must exist, and entities must have defined procedures to evaluate whether those measures actually work in practice.

Article 21(2)(g) mandates:

"basic cyber hygiene practices and cybersecurity training"

Article 21(2)(f) mandates:

"policies and procedures to assess the effectiveness of cybersecurity risk-management measures"


1. Appropriate and proportionate means risk-based and defensible

Article 21(1) requires essential and important entities to take:

"appropriate and proportionate technical, operational and organisational measures"

The proportionality assessment must consider:

  • State of the art
  • Relevant European and international standards
  • Cost of implementation
  • Entity size and exposure to risks
  • Likelihood of incidents
  • Severity and societal or economic impact

This is not a generic best-effort obligation. It is a risk-based calibration requirement.

The Directive explicitly allows organisations to consider cost. You do not need a bank-grade budget if you are not a bank.

But proportionality cuts both ways. You should be able to justify:

  • Why your controls are sufficient for your risk exposure
  • Why your security maturity matches your operational footprint

Minimal compliance without risk reasoning is not proportionality. It is negligence disguised as efficiency.


2. The all-hazards approach is broader than IT

Article 21(2) requires an all-hazards approach protecting:

  • Network and information systems
  • The physical environment of those systems

It includes, at minimum, measures across:

  • Risk analysis policies
  • Incident handling
  • Business continuity and crisis management
  • Supply chain security
  • Secure development and vulnerability handling
  • Effectiveness assessment procedures
  • Basic cyber hygiene practices and cybersecurity training
  • Cryptography controls
  • Human resources security
  • MFA and secure communications

This is broader than "IT controls". It explicitly includes supply chain risk and human resources security.

A useful detail most people miss:

"Human resources security" is a specific legal line item.

Human risk is not optional or implied. It is written into the Directive.


3. The effectiveness requirement is the part that changes the game

Article 21(2)(f) requires:

"policies and procedures to assess the effectiveness of cybersecurity risk-management measures"

The Directive does not define "effectiveness". But it does require that you have a way to assess it.

In a supervisory context, effectiveness must be demonstrable. If your only metric is a completion log, it may be difficult to show that the measure reduced risk or improved capability.

Completion shows activity. Effectiveness shows impact.

In practice, "assessing effectiveness" often means being able to show:

  • Whether staff understood the material
  • Whether behaviour changed
  • Whether risk exposure decreased
  • Whether weaknesses were identified and addressed

The Directive does not explicitly mandate "improvement over time". However, if you assess effectiveness and you see it degrade without reinforcement, a supervisor may reasonably question whether the measure remains proportionate.

Effectiveness is not a checkbox. It is a defensibility standard.


4. Cyber hygiene and training are a line item, not a nice-to-have

Article 21(2)(g) requires:

"basic cyber hygiene practices and cybersecurity training"

This appears simple. It is not.

Cyber hygiene is behavioural. It includes topics like:

  • Phishing awareness
  • Password discipline
  • MFA usage
  • Incident reporting behaviour
  • Secure use of AI tools (practically relevant now, even if not named explicitly here)

The Directive does not prescribe frequency in Article 21. But maintaining effectiveness in a changing threat landscape implies reinforcement. A one-time session is unlikely to remain proportionate in a dynamic risk environment.


5. Corrective measures without undue delay

Article 21(4) provides:

An entity that finds that it does not comply with the measures provided for in paragraph 2 takes, without undue delay, all necessary, appropriate and proportionate corrective measures.

This has direct implications for training and human risk: if your assessment reveals weak phishing recognition, a lack of reporting, or misunderstanding of key practices, the organisation must act.

Assessment without remediation is not compliance.


6. Measures vs evidence

Article 21 requires measures. The obligation to provide documentation and demonstrate compliance is exercised through supervisory mechanisms (for example, supervisory review powers).

In practical terms: to demonstrate compliance with Article 21 during supervisory review, you should be able to evidence:

  • What measures were implemented
  • How effectiveness was assessed
  • What weaknesses were identified
  • What corrective actions were taken

If you cannot demonstrate it, you cannot defend it.

Evidence is not explicitly written into Article 21. But it is operationally inseparable from supervision.


What Article 21 really changes

Before NIS2, security awareness was frequently implemented as a documentation exercise:

  • Training delivered once per year
  • Completion tracked
  • Evidence archived for audit purposes

The existence of training was documented. Its effectiveness was rarely scrutinised.

Under Article 21:

  • Measures must be risk-based and proportionate
  • Effectiveness must be assessed
  • Human resources security is explicitly mandated
  • Corrective action is mandatory when gaps are found

The focus therefore shifts from documenting activities to demonstrating the effectiveness of cybersecurity risk-management measures.

That is a structural change.


Practical checklist you can use tomorrow

If you want a pragmatic starting point, you should be able to answer these:

  1. What training did we deliver, to whom, and when?
  2. How did we assess understanding, not just completion?
  3. What did we learn from the results?
  4. What did we change as a consequence (without undue delay)?
  5. How do we justify that our approach is proportionate to our risk and cost constraints?