A plain-language breakdown of NIS2 Article 21 — the ten risk-management measures, Article 20 board accountability, CIR 2024/2690, enforcement, and penalties.
TL;DR (👔 Leadership): NIS2 raises cybersecurity to a board obligation. Your management body must approve the risk-management measures, oversee them, can be held personally liable for failures, and must complete training (Art. 20). The substantive controls — including all of access control and identity lifecycle — are the ten measures in Art. 21(2). For named digital-sector entities, Implementing Regulation (EU) 2024/2690 makes those measures concrete and directly binding. Penalties reach €10m or 2% of global turnover for essential entities.
1. What NIS2 is 📋 👔
The NIS2 Directive — Directive (EU) 2022/2555 — is the EU's framework for "a high common level of cybersecurity across the Union." It replaced the original 2016 NIS Directive, widening the range of organisations in scope and standardising the security and incident-reporting obligations.
Key dates:
- Entered into force: 16 January 2023.
- Transposition deadline: 17 October 2024 — by which member states had to turn it into national law.
- Applicable from: 18 October 2024; the old NIS1 Directive (2016/1148) was repealed from the same date.
Because NIS2 is a directive, it is not directly binding on organisations. It binds member states, who transpose it into national law. Your concrete obligations therefore come from your national statute, which must meet — and may exceed — the directive's floor. Transposition has been uneven: some member states were on time, many were late through 2025, and national enforcement dates are staggered by country (Germany: 17 March 2026; Netherlands: approximately Q2 2026; Czech Republic: 1 November 2025; Austria: 1 October 2026). Confirm the status and detail of the law in each country where you operate.
2. Who is in scope: essential vs. important entities 📋
NIS2 applies to medium and large organisations operating in the sectors listed in its annexes, split into two tiers:
- Sectors of high criticality (Annex I): energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, space.
- Other critical sectors (Annex II): postal/courier, waste management, chemicals, food, manufacturing, digital providers (online marketplaces, search engines, social platforms), research.
This produces two classes of regulated entity:
| | Essential entities | Important entities |
|---|---|---|
| Typically | Large entities in high-criticality sectors (and certain entities regardless of size, e.g., qualified trust service providers, TLD/DNS, top-level public admin) | Medium entities in high-criticality sectors, and medium/large entities in other critical sectors |
| Supervision | Proactive — ex-ante and ex-post (audits, inspections, on-site) | Reactive — ex-post (when there is evidence/indication of an issue) |
| Max administrative fine (Art. 34) | At least €10,000,000 or 2% of total worldwide annual turnover, whichever is higher | At least €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher |
The classification affects how hard you will be supervised and how large the fines can be — but the access-control and lifecycle obligations themselves are the same for both tiers. The size-cap mechanism and a few "regardless of size" cases mean you should confirm your own classification with counsel.
3. Article 20 — Governance: the accountability layer 👔 📋
Article 20 is short but consequential. It has two limbs:
20(1) — Approval, oversight, liability. Member states must ensure that the management bodies of essential and important entities:
- approve the cybersecurity risk-management measures taken to comply with Art. 21,
- oversee their implementation, and
- can be held liable for the entity's infringements of Art. 21.
In plain terms: cybersecurity is now a named board responsibility. "We delegated it to IT" is not a defence. For access control specifically, this means the management body is on the hook for whether the organisation actually runs least privilege, MFA, joiner-mover-leaver, and privileged-access controls — and whether it can prove it.
20(2) — Training. Members of the management body must follow training to gain enough knowledge to identify risks and assess cybersecurity risk-management practices, and entities are encouraged to extend similar training to employees.
What this requires you to operationalise:
- A documented record that the management body formally approved the access-control and identity policies (the CIR even asks the security policy to record the date of management approval — see CIR 1.1).
- A reporting line so that at least one person reports to the management body on network-and-information-system security (CIR 1.2).
- Evidence of board-level training (attendance, dates, content).
- Regular management review of the measures (at least annually and after significant incidents or changes).
4. Article 21 — the ten risk-management measures 📋 🔧
Article 21(1) sets the standard: essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage risks to their network and information systems, on an all-hazards approach, taking into account the state of the art, relevant standards, and cost of implementation, proportionate to the entity's risk exposure, size, and the likelihood and severity of incidents.
Article 21(2) lists the minimum measures. Verbatim, they are:
(a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity, such as backup management and disaster recovery, and crisis management; (d) supply chain security …; (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; (f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures; (g) basic cyber hygiene practices and cybersecurity training; (h) policies and procedures regarding the use of cryptography and, where appropriate, encryption; (i) human resources security, access control policies and asset management; (j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
Points (i) and (j) are the heart of this guide. Point (i) anchors access control, HR security, and asset management; point (j) anchors authentication, MFA, and secured communications.
Two more sub-articles matter operationally:
- 21(4): an entity that finds it does not comply must take corrective measures without undue delay — so a gap, once known, starts a clock. Your access reviews and audits are how you "find" gaps; your remediation tracking is how you show you acted.
- 21(5): the legal basis for the Commission to adopt the implementing acts that became CIR 2024/2690.
5. Implementing Regulation (EU) 2024/2690 — the technical baseline 📋 🔧
NIS2 deliberately stays outcome-based. To remove ambiguity for the most critical digital sectors, the Commission adopted CIR (EU) 2024/2690 (17 October 2024, in force since late 2024). It does two things:
- Sets out technical and methodological requirements for the Art. 21(2) measures, in a 13-section Annex (~150 controls).
- Specifies when an incident is "significant" (reporting trigger) for the covered sectors.
Who it binds directly: DNS service providers, TLD name registries, cloud computing providers, data centre providers, content delivery network providers, managed service providers (MSPs), managed security service providers (MSSPs), online marketplaces, online search engines, social networking platforms, and trust service providers.
Everyone else: the CIR is not directly binding, but it is the most authoritative published statement of what Art. 21(2) means in practice. Regulators and auditors will reason from it. Treating the CIR Annex as your control baseline is the safe, defensible choice — which is what this guide does.
The Annex sections relevant here:
| Section | Title | This guide |
|---|---|---|
| 10 | Human resources security (10.1 verification of background · 10.2 terms & conditions of employment · 10.3 disciplinary process · 10.4 responsibilities after termination or change) | 03 Lifecycle |
| 11 | Access control (11.1 policy · 11.2 management of access rights · 11.3 privileged & system-admin accounts · 11.4 administration systems · 11.5 identification · 11.6 authentication · 11.7 MFA) | 02, 04, 05 |
| 12 | Asset management (12.1 classification · 12.2 handling · 12.3 removable media · 12.4 inventory · 12.5 deposit, return or deletion of assets on termination) | 03 Lifecycle |
| 13 | Environmental & physical security (incl. perimeter & physical access control) | Referenced only |
A recurring CIR pattern worth internalising: almost every control must be (a) documented in a policy, (b) implemented, and (c) reviewed at planned intervals and after significant incidents or changes. That document-implement-review triad is what turns a control into evidence.
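To show how the triad and the Art. 21(4) clock described in section 4 can be turned into a mechanical check, here is a small evidence-register script. It is example code written for this page, not code from the Regulation, KINT or any auditor; the 365-day review interval and the 30-day remediation deadline are assumed internal policy values, and the sample records are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
SAMPLE_TODAY = date(2025, 12, 1)  # constructed "as of" date for the sample checks
@dataclass
class Gap:  # a non-compliance found by an access review or audit (Art. 21(4))
    found_on: date
    description: str
    remediated_on: date | None = None

@dataclass
class ControlRecord:  # evidence held for one CIR Annex control, e.g. section 11.2
    control: str
    policy_doc: str | None      # (a) documented: ID of the approved policy
    approved_on: date | None    # management approval date (CIR 1.1)
    implemented: bool           # (b) implemented
    last_review: date | None    # (c) last planned review
    events_since_review: list[date] = field(default_factory=list)  # incidents/changes
    gaps: list[Gap] = field(default_factory=list)

def triad_findings(rec: ControlRecord, today: date, interval_days: int = 365) -> list[str]:
    """Gaps against document-implement-review; interval_days is an assumed interval."""
    findings = []
    if not rec.policy_doc or rec.approved_on is None:
        findings.append("no approved policy on record")
    if not rec.implemented:
        findings.append("not implemented")
    if rec.last_review is None:
        findings.append("never reviewed")
    else:
        if (today - rec.last_review).days > interval_days:
            findings.append("planned review overdue")
        if any(e > rec.last_review for e in rec.events_since_review):
            findings.append("not reviewed after a significant incident/change")
    return findings

def open_gaps(rec: ControlRecord, today: date, max_open_days: int = 30) -> list[str]:
    """Art. 21(4): gaps still unremediated past an assumed internal deadline."""
    return [f"{g.description} (open {(today - g.found_on).days} days)" for g in rec.gaps
            if g.remediated_on is None and (today - g.found_on).days > max_open_days]

def build_sample_register() -> list[ControlRecord]:
    """Constructed sample records, not data from any real entity."""
    return [
        ControlRecord("11.2", "POL-AC-01", date(2025, 1, 10), True, date(2025, 6, 1)),
        ControlRecord("11.7", "POL-MFA-01", date(2025, 1, 10), True, date(2025, 6, 1),
                      events_since_review=[date(2025, 9, 3)],
                      gaps=[Gap(date(2025, 9, 5), "admin console without MFA")]),
        ControlRecord("10.4", None, None, False, None),
    ]
```

Run `triad_findings` and `open_gaps` over each record with today's date to get the list an auditor would ask you to explain; an empty list for a control means all three legs of the triad have dated evidence.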
6. Enforcement & penalties 📋 👔
NIS2 gives competent authorities real teeth (Articles 31–34):
- Supervision (Art. 32–33): on-site inspections, off-site supervision, security audits, requests for information and evidence of policies. Essential entities face both proactive and reactive supervision; important entities face reactive supervision.
- Enforcement powers: binding instructions, orders to remediate, and — for essential entities — the ability to temporarily suspend a certification/authorisation and to temporarily prohibit individuals (including management-level) from exercising managerial functions, in serious cases.
- Administrative fines (Art. 34): essential entities — at least €10m or 2% of global annual turnover (whichever higher); important entities — at least €7m or 1.4% (whichever higher). Exact ceilings are set in national law.
- Personal accountability: via Art. 20(1), the management body can be held liable for Art. 21 infringements.
The practical message for access control: the cheapest path is demonstrable controls. The pages that follow are written so that each control comes with the evidence an auditor will ask for.
Where to go next
- Build the controls: 02 — Access control
- Lifecycle and HR security: 03 — Identity lifecycle
- Prove it: 06 — Mapping & audit-readiness
- Back to the full guide: NIS2 access control hub
Sources
- Directive (EU) 2022/2555 — EUR-Lex · Art. 20 · Art. 21
- Commission Implementing Regulation (EU) 2024/2690 — EUR-Lex
FAQ
What does NIS2 Article 21 require? Article 21 sets out ten minimum cybersecurity risk-management measures that essential and important entities must implement. The measures are outcome-based and proportionate to the entity's size and risk exposure. For access control specifically, points (i) and (j) are the operative ones: (i) covers human resources security, access control policies, and asset management; (j) covers multi-factor authentication, continuous authentication, and secured communications.
Who must comply with NIS2 Article 21? All essential and important entities as classified under NIS2. This includes medium and large organisations across sectors listed in Annexes I and II of the directive — energy, transport, banking, health, digital infrastructure, cloud providers, managed service providers, online platforms, and others. Micro and small enterprises are generally out of scope unless they hold a specific critical role in digital infrastructure.
What is the difference between Article 20 and Article 21? Article 20 governs the governance layer: it requires the management body to approve, oversee, and take liability for the cybersecurity measures. Article 21 governs the substantive security measures themselves — the ten minimum technical, operational, and organisational controls. In practice, Article 20 means the board is personally accountable for whether Article 21 controls exist and work.
What are the penalties under NIS2 Article 34? For essential entities: administrative fines of at least €10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities: at least €7 million or 1.4% of global turnover, whichever is higher. National law sets the exact ceilings and may exceed these floors. In serious cases, competent authorities can also temporarily suspend certifications and prohibit management-level individuals from exercising their functions.
Is the CIR 2024/2690 mandatory for my organisation? The CIR is directly binding on named digital-sector entities (DNS providers, cloud providers, MSPs, MSSPs, and others listed in its scope). For other essential and important entities it provides the most authoritative statement of what Article 21 means in practice; regulators and auditors will use it as the reference baseline. Treating the CIR Annex as your control standard is the defensible approach even when it is not strictly mandatory.
When do NIS2 obligations begin? NIS2 entered into force on 16 January 2023 with a transposition deadline of 17 October 2024. National enforcement is staggered: Germany from 17 March 2026; Netherlands approximately Q2 2026; Czech Republic from 1 November 2025; Austria from 1 October 2026. There is no single EU-wide enforcement date. Check the specific national statute for each jurisdiction where you operate.
How KINT helps: KINT automates the joiner, mover, and leaver access lifecycle across your SaaS apps and produces signed, timestamped access-review evidence mapped to SOC 2 CC6 — the kind of evidence NIS2 Article 21 expects you to be able to show. It is early-stage and self-serve, and runs without an identity provider. See how KINT handles the lifecycle or book a 15-minute walkthrough.
Gowtham Palanisamy
Founder of Kingsley Integrators, building KINT in public. Writes about identity lifecycle, SaaS access, and audit evidence.