NIS2 Risk Management Template: 10 Mandatory Measures Art. 21

Practitioner note: This is not legal advice. For binding statements consult a qualified attorney or compliance officer.

Article 21 of the NIS2 Directive is the regulation's centrepiece. It requires essential and important entities to take "appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems". The German BSIG transposes this almost verbatim in Section 30(2). This guide explains how an audit-grade risk management template must be structured, which methodologies are recognised, and which risks are typical per sector.

TL;DR

  • Article 21 NIS2 Directive requires a risk-based, all-hazards approach
  • 10 minimum measure areas (points a–j) are the mandatory building blocks
  • Methodology: BSI 200-3 (for KRITIS) or ISO/IEC 27005 — both recognised, document the choice
  • Template building blocks: protection-needs analysis → threat analysis → risk matrix → action plan → residual-risk acceptance
  • Update: annually plus event-driven, with documented management approval

1. What does Article 21 NIS2 Directive actually require?

Article 21(1) establishes the principle: measures must be "appropriate and proportionate" — measured against risk exposure, entity size, implementation costs, and potential impact of an incident. That is a proportionality test, not a maximum standard.

Article 21(2) lists the 10 minimum measure areas that every risk management template must address. The list is exhaustive for the minimum standard but not for entities with elevated protection needs (e.g. KRITIS in energy, finance, healthcare).

Article 21(3) adds the obligation to take into account vulnerabilities of individual providers and service providers and the overall quality of products and cybersecurity practices of suppliers — the well-known supply-chain clause.

Article 21(4) requires "appropriate measures" where an entity determines that the measures taken do not meet the requirements. That is the legal basis for continuous improvement (PDCA).

2. The 10 measure areas (a) to (j) in detail

(a) Risk analysis and information-system security policies

The core: documented methodology (BSI 200-3 or ISO 27005), protection-needs classes, threat and vulnerability analysis, risk register with top risks, risk treatment plan. Reviewed at least annually.

(b) Incident handling

Incident response plan, escalation matrix, 24h/72h/1-month reporting templates per Article 23 NIS2 Directive and Section 32 BSIG. Crisis team appointed and reachable (24/7 for essential entities). Details: NIS2 reporting channels and incident documentation.

(c) Business continuity

Business impact analysis, BCM plan, disaster recovery plan with RTO/RPO, backup concept (3-2-1 + immutable), crisis management, emergency communications. Details: NIS2 Disaster Recovery Plan Template.

(d) Supply chain security

Supplier inventory with criticality classification, audit plan, DPA security annexes, SLA building blocks, exit strategy. Prioritise top 20 suppliers. Deep dive: NIS2 supply chain security.

(e) Security in acquisition, development and maintenance

Procurement policy with security-requirements catalog, secure SDLC guideline, SBOM requirement for software procurement, regular penetration testing, patch-management standard.

(f) Effectiveness assessment of cybersecurity measures

Internal audit programme, effectiveness KPIs (e.g. patch compliance rate, MFA coverage, phishing click rate), annual effectiveness report, external audit at least every 3 years.

(g) Basic cyber hygiene practices and training

Awareness concept with quarterly phishing tests, mandatory annual training for all staff, special management training per Section 38(3) BSIG, training records with 10-year retention.

(h) Cryptography and encryption policies

Crypto concept (which methods where), key-management process, TLS configuration standard (minimum TLS 1.2, TLS 1.3 preferred), encryption at-rest for sensitive data, key-rotation plan.

(i) Personnel security, access control and asset management

Joiner/mover/leaver process, role-based access control concept, regular entitlement reviews (at least semi-annual for privileged accounts), asset inventory with classification. Cross-reference: Glossary: Asset Inventory.

(j) Use of multi-factor authentication

MFA mandatory for all privileged accounts, ideally for all accounts. FIDO2 keys for administrative access, authenticator apps as standard, SMS-2FA only as transitional solution. Secure voice/video/text communications for crisis team.

3. Risk analysis methodology: BSI 200-3 vs. ISO/IEC 27005

Criterion        | BSI Standard 200-3                                | ISO/IEC 27005:2022
Scope            | Supplement to IT-Grundschutz (200-1/2)            | Supplement to ISO 27001
Methodology      | Elementary threats + specific threats             | Asset/threat/vulnerability based (free choice)
Scaling          | 3 protection-needs tiers (normal/high/very high)  | Free choice (typically 3–5 tiers)
Recognised by    | BSI as supervisor, KRITIS sectors                 | International, all EU supervisory authorities
Recommended for  | KRITIS, public authorities, German Mittelstand    | International groups, ISO 27001 adopters

Both methodologies are NIS2-compliant. What matters is the documented choice and consistent application. Hybrid approaches are possible but must be justified.

4. Template structure: protection-needs analysis → threat analysis → risk matrix → action plan

Step 1: protection-needs analysis

For every material asset (system, data, business process) the protection need is classified across the dimensions confidentiality, integrity and availability. BSI uses 3 tiers (normal/high/very high); ISO 27005 allows more flexibility.

Output: protection-needs matrix with one classification per dimension per asset.

Step 2: threat and vulnerability analysis

For every asset with high or very high protection need, threats are identified (e.g. ransomware, insider, supplier compromise, natural event) and existing vulnerabilities mapped (e.g. missing MFA, outdated software, inadequate backups).

Sources: BSI situation report, ENISA Threat Landscape, sector-specific CERT bulletins, internal incident history.

Step 3: risk assessment and risk matrix

For every threat-vulnerability combination, likelihood (5 tiers) and potential impact (5 tiers, with EUR amounts) are rated. The product yields the risk score.

Visualisation as a 5×5 risk matrix with colour-coded zones:

Step 4: risk treatment plan (action plan)

Per identified risk: treatment option (mitigate / transfer / accept / avoid), concrete measures, responsible parties, deadline, residual risk after implementation, effectiveness indicator.

Step 5: residual-risk acceptance

For each risk after measure implementation, the residual risk is documented. Acceptable residual risks are accepted in writing by management with a review date.
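As an added worked example (not part of the original template), the scoring logic of Steps 3 to 5 in Python: 5-tier likelihood × impact product, band mapping and the residual-risk acceptance rules. The band cut-offs on the 1..25 product scale and the sample register entries are assumptions made for this example.

```python
"""NIS2 Art. 21(2)(a) risk register scoring: 5x5 likelihood x impact product,
band mapping and residual-risk acceptance rules. Band cut-offs are assumed."""
from dataclasses import dataclass
# Assumed cut-offs on the 1..25 product scale: upper bound -> colour band
BANDS = ((2, "very low"), (5, "low"), (10, "medium"), (15, "high"), (25, "very high"))

def risk_score(likelihood: int, impact: int) -> int:
    """Product of the two 5-tier ratings (1 = very low ... 5 = very high)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be tiers 1..5")
    return likelihood * impact

def risk_band(score: int) -> str:
    """Map a product score to the first band whose upper bound it does not exceed."""
    return next(name for limit, name in BANDS if score <= limit)

def acceptance_rule(band: str) -> str:
    """Step 5 rule: low bands acceptable in writing, medium needs sign-off, rest treated."""
    if band in ("very low", "low"):
        return "accept in writing with review date"
    if band == "medium":
        return "management acceptance required"
    return "treat immediately"

@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                 # inherent rating before treatment
    impact: int
    residual_likelihood: int = 0    # rating after planned measures, 0 = none planned
    residual_impact: int = 0

def assess(entry: RiskEntry) -> dict:
    """Return inherent and residual score, residual band and the decision."""
    inherent = risk_score(entry.likelihood, entry.impact)
    # A risk without planned treatment keeps its inherent rating as residual
    rl = entry.residual_likelihood or entry.likelihood
    ri = entry.residual_impact or entry.impact
    residual = risk_score(rl, ri)
    band = risk_band(residual)
    return {"inherent": inherent, "residual": residual, "band": band,
            "decision": acceptance_rule(band)}

# Constructed sample register (illustrative values, not taken from the article)
SAMPLE_REGISTER = [
    RiskEntry("ERP database", "ransomware", "backups not immutable", 4, 5, 2, 3),
    RiskEntry("Admin VPN", "credential theft", "no MFA on admin accounts", 4, 4, 1, 4),
    RiskEntry("Office printers", "natural event", "no spare units", 1, 2),
]
```

Running `assess` over each entry yields the columns an auditor looks for in the register: inherent score, residual score after the action plan, band and the required acceptance decision.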

5. Sample risks per sector

IT service providers and SaaS

Deep dive: NIS2 for cloud providers and SaaS.

Energy supply (utilities, grid operators)

Deep dive: NIS2 in energy supply.

Healthcare (hospitals, practices)

Deep dive: NIS2 in healthcare.

Transport and logistics

Deep dive: NIS2 transport and logistics 2026.

6. How often to update?

The risk analysis is a living document. Update triggers:

Each update must be versioned, management-approved and archived. Document control is part of the ISMS and is reviewed in audits.

7. Evidence for the audit

In a supervisory audit under Section 31 BSIG the following evidence is expected:

  1. Methodology document: which methodology (BSI 200-3 / ISO 27005), why chosen, who approves
  2. Protection-needs analysis: current, covering all material assets
  3. Threat/vulnerability analysis: current threat sources referenced
  4. Risk register: versioned, linked to assessments and measures
  5. Action plan: implementation status per measure
  6. Residual-risk acceptance: management signature per medium residual risk
  7. Management review minutes: annual management engagement documented
  8. Effectiveness KPIs: measurable indicators, trend development

Gaps here are the most common audit findings and create fine exposure under Section 38 BSIG (up to EUR 10 million / 2% of group turnover).

Frequently Asked Questions

Which methodology is mandatory for the NIS2 risk analysis?
Article 21 NIS2 Directive requires a risk-based approach but does not prescribe a specific methodology. In Germany, BSI 200-3 (risk analysis based on IT-Grundschutz) and ISO/IEC 27005 are the two recognised standards. For KRITIS, the BSI explicitly recommends BSI 200-3.
How often must the risk analysis be updated?
At least annually (standard review cycle per ISO 27001 clause 9.3). Event-driven for: material IT architecture changes, new threats (BSI situation report), after reportable incidents, group restructurings or new supplier relationships.
Which rating scale should be used for likelihood and impact?
A 5-tier scale (very low / low / medium / high / very high) for both axes is standard. Impact is also expressed in EUR amounts (e.g. <50k / 50–500k / 500k–5M / 5–50M / >50M). Crucially, every tier must have a documented rationale.
Is an Excel spreadsheet sufficient as a risk register?
Yes, provided versioning, approval, change history and links to measures are in place. For >100 risks or >5 stakeholders a GRC tool is recommended. The BSI examines content and currency, not format.
Must management approve the risk analysis?
Yes. Section 38(2) BSIG requires management to "supervise" and "implement" the risk-management measures. In practice this means: documented acknowledgement and approval of the risk register at least annually, ideally in a board/management meeting with minutes.
What is the difference between threat and vulnerability analysis?
Threat analysis identifies external triggers (ransomware, DDoS, insider, natural event). Vulnerability analysis identifies internal weaknesses (unpatched systems, missing MFA, weak backup processes). Risk emerges when a threat meets a vulnerability at a protected asset.
Which residual risks are acceptable?
Risks in the "low" and "very low" bands of the risk matrix can typically be accepted. "Medium" requires documented risk acceptance by management. "High" and "very high" must be treated immediately. Acceptance always written, with rationale and review date.
