ENISA NIS2 Technical Guidelines: Implementing Article 21 Security Measures — Baseline Controls, Risk Tiers, and Compliance Checklist (2026)

Post #401 in the sota.io EU Cyber Compliance Series

NIS2 Article 21 mandates that Essential and Important Entities implement "appropriate and proportionate technical, operational, and organisational measures" to manage cybersecurity risks across 10 specific domains. But what does "appropriate and proportionate" actually mean in practice?

ENISA — the EU Agency for Cybersecurity — has answered this question with formal Technical Guidelines for the implementation of the minimum cybersecurity measures under NIS2 Article 21. These guidelines, first published in 2023 and updated in 2024, provide the most authoritative interpretation of what supervisory authorities across the EU will look for during NIS2 audits.

This guide translates those ENISA guidelines into a developer-actionable framework: what baseline controls look like per security domain, how to apply the risk-proportionate security level matrix, and how to demonstrate compliance.

What Are the ENISA NIS2 Technical Guidelines?

ENISA's Technical Guidelines for NIS2 Art.21 are a soft-law instrument — they do not have binding legal force in themselves, but they represent the EU-level consensus on minimum security standards. Key characteristics:

Authority and Status:

• Published by ENISA under its NIS2 mandate (Art.21(5) authorises ENISA to issue guidelines)
• Developed in cooperation with the NIS Cooperation Group (all 27 EU member states)
• Referenced by multiple national competent authorities (Germany's BSI, France's ANSSI, Netherlands' NCSC-NL) as the baseline expectation
• Courts and supervisory authorities will look to these guidelines when assessing whether an entity met the Art.21 "appropriate measures" standard

Scope:

• Applies to all entities within NIS2 scope (Essential + Important Entities across 18 sectors)
• Covers all 10 Art.21(2) security domains (a)–(j)
• Organised around a three-tier security level matrix: Basic, Standard, Advanced

Relationship to NIS2: The guidelines do not replace national transposition law. Each EU member state has transposed NIS2 into national law (deadline October 2024), and some have added sector-specific technical requirements. The ENISA guidelines represent the baseline floor — national law may require more.

The Three-Tier Security Level Matrix

The ENISA guidelines organise requirements around three security levels, applied proportionately based on entity type and risk profile:

Level 1 — Basic

• Target entities: Important Entities (Annex II sectors) with lower risk profile
• Approach: Foundational controls addressing the most common threat vectors
• Audit expectation: Documented policies exist; basic controls implemented; regular review cycle established
• Examples: Password policies, basic patch management cadence, documented incident response procedure

Level 2 — Standard

• Target entities: Essential Entities (Annex I sectors) and Important Entities with elevated risk
• Approach: Systematic security programme with defined processes, tooling, and accountability
• Audit expectation: Controls tested and evidenced; metrics tracked; third-party dependencies managed
• Examples: Automated vulnerability scanning, MFA enforcement across all privileged accounts, defined RTO/RPO for critical systems, active supply chain questionnaire process

Level 3 — Advanced

• Target entities: Essential Entities in critical sectors (energy, water, digital infrastructure, banking) or entities with systemic importance
• Approach: Defence-in-depth with continuous monitoring, threat intelligence integration, and formal assurance programmes
• Audit expectation: Continuous monitoring, regular penetration testing, formal third-party audits, red team exercises
• Examples: SIEM with 24/7 SOC coverage, zero-trust network segmentation, hardware security modules, formal threat intelligence feeds, annual red team exercises

Determining Your Tier

The ENISA guidelines provide a risk-based tier determination methodology:

Most SaaS providers serving EU businesses will fall into Standard tier minimum.

Domain-by-Domain ENISA Baseline Controls

Domain (a) — Policies on the Analysis and Management of Cybersecurity Risks (Art.21(2)(a))

ENISA Baseline — Standard Level:

Policy Requirements:

• Written Information Security Policy (ISP) covering all 10 NIS2 domains
• Risk assessment methodology documented (e.g., ENISA-aligned risk matrix or ISO 27005 approach)
• Risk register maintained with formal review cycle (minimum annual, triggered by material changes)
• Risk owner assigned for each risk category
• Accepted residual risk documented and approved by management body (Art.20 obligation)

Technical Controls:

• Asset inventory covering all systems in scope (CMDB or equivalent)
• Threat landscape assessment aligned to entity's sector (ENISA publishes annual sector threat landscapes)
• Risk assessment tooling (even spreadsheet-based is acceptable at Basic level; GRC tool expected at Advanced)

Evidence for Auditors:

• Dated version-controlled ISP document
• Risk register with last-review timestamp
• Minutes showing management body approval of risk acceptance decisions

Domain (b) — Incident Handling (Art.21(2)(b))

ENISA Baseline — Standard Level:

Policy Requirements:

• Incident Response Plan (IRP) with defined severity classification matrix
• Roles and responsibilities matrix (RACI for incident response)
• Communication plan: internal escalation + external notification (NIS2 Art.23 timelines: 24h early warning, 72h incident notification, 1 month final report)
• Post-incident review process (lessons-learned documentation)

Technical Controls:

• Centralised log aggregation (minimum 12-month retention for Essential Entities)
• Alert rules for common indicators of compromise (IOCs)
• Incident ticketing system with severity workflow
• Out-of-band communication channel for major incidents (encrypted, separate from primary infrastructure)

NIS2 Art.23 Notification Timelines (ENISA clarification):

Domain (c) — Business Continuity: Backup, Disaster Recovery, and Crisis Management (Art.21(2)(c))

ENISA Baseline — Standard Level:

RTO/RPO Matrix by System Criticality:

Backup Requirements:

• 3-2-1 rule minimum at Standard level (3 copies, 2 media types, 1 offsite)
• Backup encryption at rest (AES-256 or equivalent)
• Regular restoration tests (minimum quarterly for critical systems)
• Immutable backups for critical systems (ransomware protection — ENISA explicitly highlights this)
• Air-gapped backups for Advanced tier

Crisis Management:

• Named crisis management team with authority to invoke BCP
• Crisis communication plan (internal + external stakeholders + regulators)
• Annual tabletop exercise minimum for Standard tier; live exercise for Advanced

Domain (d) — Supply Chain Security (Art.21(2)(d))

The ENISA guidelines treat supply chain security as one of the highest-priority domains given its systemic risk profile.

ENISA Baseline — Standard Level:

Supplier Assessment:

• Written security requirements in all supplier contracts for ICT-relevant suppliers
• Tier-1 supplier security questionnaire (minimum annual review for critical suppliers)
• Contractual right-to-audit clause for suppliers with access to sensitive systems
• Incident notification SLA clause (suppliers must notify within 24h of security incident affecting your systems)

Software Supply Chain (particularly relevant for SaaS/cloud providers):

• SBOM maintained for all production software components (see CRA Art.13 if CRA-scoped)
• Dependency vulnerability scanning in CI/CD pipeline
• Signed container images / code signing for deployment artefacts
• Open source component policy: approved licence list + security review threshold

Third-Party Access Controls:

• Just-in-time access for supplier personnel (not persistent credentials)
• Separate access management track for third parties (LAPS or equivalent)
• Activity logging for all third-party sessions

Domain (e) — Security in Network and Information Systems Acquisition, Development, and Maintenance (Art.21(2)(e))

ENISA Baseline — Standard Level:

Secure Development Lifecycle (SDL):

• Security requirements specified at project initiation
• Threat modelling for new features and architectures (STRIDE or equivalent)
• Security-focused code review process (SAST + peer review for security-relevant code)
• DAST testing before production deployment
• Dependency scanning in CI/CD (SCA tool)

Vulnerability Management:

• Defined SLA for patching: Critical ≤24h, High ≤7 days, Medium ≤30 days, Low ≤90 days
• Vulnerability tracking system (not just scanner output — managed remediation workflow)
• Patch management policy covering OS, application frameworks, and third-party libraries

Change Management:

• All production changes via defined change management process
• Security review gate for significant changes (new auth flows, data access patterns, network changes)
• Rollback capability for all production deployments

Domain (f) — Policies and Procedures to Assess the Effectiveness of Cybersecurity Risk Management (Art.21(2)(f))

ENISA Baseline — Standard Level:

Testing Programme:

• Annual vulnerability assessment (authenticated scan of internal systems)
• Annual penetration test for Essential Entities (biennial minimum for Important Entities)
• Pen test scope must cover primary attack surfaces (web applications, APIs, network perimeter)
• Red team exercise every 2 years for Advanced tier entities

Audit and Review:

• Annual internal audit of cybersecurity controls (can be self-assessment at Basic level, independent internal audit at Standard+)
• External audit at Advanced level (ISO 27001 certification or equivalent sector standard)
• KPI tracking: mean time to detect (MTTD), mean time to respond (MTTR), patch compliance rate

ENISA Note on Penetration Testing Standards: ENISA recommends that penetration tests follow recognised methodologies (OWASP WSTG for web, PTES or OSSTMM for infrastructure) and produce a written report with remediation guidance. The report must be retained and presented to auditors on request.

Domain (g) — Basic Cyber Hygiene Practices and Cybersecurity Training (Art.21(2)(g))

ENISA Baseline — Standard Level:

Technical Hygiene Controls:

• MFA enforced for all remote access and privileged accounts (no exceptions)
• Passwordless or phishing-resistant MFA (FIDO2/WebAuthn) for Advanced tier
• Privileged Access Management (PAM) solution for admin accounts
• Email security: SPF, DKIM, DMARC with reject policy
• Endpoint protection: EDR on all managed endpoints
• Secure DNS (DoH/DoT) for DNS query privacy

Training Requirements:

• Annual cybersecurity awareness training for all staff
• Role-specific training: developers (OWASP Top 10 + secure coding), sysadmins (hardening, incident response), executives (social engineering, strategic risk)
• Phishing simulation programme (minimum quarterly for Standard tier)
• New employee security orientation within 30 days of joining

Cyber Hygiene Metrics:

• Phishing simulation click rate tracked (target: <5% at Standard tier)
• Training completion rate tracked (target: >95%)
• MFA adoption rate tracked (target: 100% for privileged, >90% all staff)

Domain (h) — Cybersecurity Policies and Procedures Regarding the Use of Cryptography and Encryption (Art.21(2)(h))

ENISA Baseline — Standard Level:

Encryption Requirements:

• Data at rest: AES-256 or ChaCha20-Poly1305 for sensitive/personal data
• Data in transit: TLS 1.2 minimum (TLS 1.3 preferred), HSTS enforced
• No deprecated protocols: TLS 1.0/1.1, SSL 3.0, RC4, 3DES, MD5 signatures prohibited
• Key management policy: key rotation schedule, split knowledge for critical keys

Certificate Management:

• Certificate inventory (CT log monitoring or equivalent)
• Automated certificate renewal (Let's Encrypt ACME, AWS ACM, or equivalent)
• Short certificate lifetimes: max 90 days for internet-facing (post-2025 Apple/Chrome requirement)
• Pinning policy for mobile apps (only if justified — avoid HPKP for web)

Advanced Cryptography (Advanced Tier):

• Hardware Security Module (HSM) or cloud KMS for key material
• Post-quantum cryptography roadmap (ENISA strongly recommends preparing for PQC transition per ETSI/NIST standards)
• Crypto inventory: catalogue all cryptographic algorithms in use + planned migration timeline

Domain (i) — Human Resources Security, Access Control Policies, and Asset Management (Art.21(2)(i))

ENISA Baseline — Standard Level:

Human Resources Security:

• Pre-employment screening proportionate to role sensitivity
• Privileged access role review: minimum annual recertification
• Off-boarding checklist: access revocation within 24h of termination (same-day for involuntary)
• Non-disclosure agreements for roles with access to sensitive systems

Access Control:

• Role-Based Access Control (RBAC) with defined permission sets
• Principle of least privilege: no broader access than required for role
• Privileged access review: quarterly for critical systems
• Service account inventory: all non-human credentials documented, rotated annually minimum
• No shared accounts for privileged access

Asset Management:

• Asset inventory: all hardware, software, and data assets classified
• Data classification scheme (minimum: Public / Internal / Confidential / Restricted)
• Asset ownership assigned and documented
• End-of-life hardware/software policy: decommission or compensating controls documented

Domain (j) — Use of Multi-Factor Authentication and Secured Communication Solutions (Art.21(2)(j))

ENISA Baseline — Standard Level:

MFA Requirements (NIS2 Art.21(2)(j) is explicit):

• MFA mandatory for: remote access (VPN, jump servers), cloud infrastructure console, code repositories, production deployment pipelines, all admin interfaces
• MFA strongly recommended for: internal SaaS tools, email (particularly Exchange/M365), CI/CD systems
• OTP (TOTP) acceptable at Basic level; FIDO2/WebAuthn required at Advanced level
• SMS-based OTP discouraged (SIM-swap risk) — ENISA explicitly flags this

Secure Communication:

• End-to-end encrypted channels for crisis communication (Signal, Matrix/Element, or equivalent)
• Encrypted email for sensitive external communications (S/MIME or PGP where supported)
• No unencrypted protocols for internal communication containing sensitive data (no plain HTTP, FTP, Telnet, plain LDAP)
• Secure video conferencing for board/executive discussions of security matters

Python: NIS2TechnicalChecker Implementation

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import json

class SecurityLevel(Enum):
    BASIC = "basic"
    STANDARD = "standard"
    ADVANCED = "advanced"

class EntityType(Enum):
    ESSENTIAL = "essential"  # Annex I
    IMPORTANT = "important"  # Annex II

class ComplianceStatus(Enum):
    COMPLIANT = "compliant"
    PARTIAL = "partial"
    NON_COMPLIANT = "non_compliant"
    NOT_ASSESSED = "not_assessed"

@dataclass
class DomainControl:
    domain: str
    domain_letter: str  # a-j
    control_name: str
    required_level: SecurityLevel
    status: ComplianceStatus = ComplianceStatus.NOT_ASSESSED
    evidence: Optional[str] = None
    remediation: Optional[str] = None

@dataclass
class NIS2TechnicalAssessment:
    entity_name: str
    entity_type: EntityType
    security_level: SecurityLevel
    controls: list[DomainControl] = field(default_factory=list)
    assessment_date: str = ""

    def compliance_score(self) -> float:
        assessed = [c for c in self.controls if c.status != ComplianceStatus.NOT_ASSESSED]
        if not assessed:
            return 0.0
        compliant = sum(1 for c in assessed if c.status == ComplianceStatus.COMPLIANT)
        partial = sum(0.5 for c in assessed if c.status == ComplianceStatus.PARTIAL)
        return (compliant + partial) / len(assessed) * 100

    def gaps(self) -> list[DomainControl]:
        return [
            c for c in self.controls
            if c.status in (ComplianceStatus.NON_COMPLIANT, ComplianceStatus.PARTIAL)
        ]

    def to_report(self) -> dict:
        return {
            "entity": self.entity_name,
            "entity_type": self.entity_type.value,
            "security_level": self.security_level.value,
            "assessment_date": self.assessment_date,
            "compliance_score": round(self.compliance_score(), 1),
            "total_controls": len(self.controls),
            "compliant": sum(1 for c in self.controls if c.status == ComplianceStatus.COMPLIANT),
            "partial": sum(1 for c in self.controls if c.status == ComplianceStatus.PARTIAL),
            "non_compliant": sum(1 for c in self.controls if c.status == ComplianceStatus.NON_COMPLIANT),
            "gaps": [
                {
                    "domain": g.domain,
                    "control": g.control_name,
                    "status": g.status.value,
                    "remediation": g.remediation,
                }
                for g in self.gaps()
            ],
        }

def build_standard_controls(entity_type: EntityType) -> list[DomainControl]:
    controls = [
        # Domain (a) — Risk Management
        DomainControl("Risk Management", "a", "Written Information Security Policy", SecurityLevel.BASIC),
        DomainControl("Risk Management", "a", "Risk Register with annual review", SecurityLevel.STANDARD),
        DomainControl("Risk Management", "a", "Risk owner assignments documented", SecurityLevel.STANDARD),
        DomainControl("Risk Management", "a", "Management body risk approval minutes", SecurityLevel.STANDARD),
        # Domain (b) — Incident Handling
        DomainControl("Incident Handling", "b", "Incident Response Plan documented", SecurityLevel.BASIC),
        DomainControl("Incident Handling", "b", "24/72h NIS2 Art.23 notification workflow", SecurityLevel.STANDARD),
        DomainControl("Incident Handling", "b", "Centralised log aggregation ≥12 months", SecurityLevel.STANDARD),
        DomainControl("Incident Handling", "b", "Out-of-band incident communication channel", SecurityLevel.STANDARD),
        # Domain (c) — Business Continuity
        DomainControl("Business Continuity", "c", "3-2-1 backup policy implemented", SecurityLevel.BASIC),
        DomainControl("Business Continuity", "c", "RTO/RPO defined for critical systems", SecurityLevel.STANDARD),
        DomainControl("Business Continuity", "c", "Quarterly backup restoration tests", SecurityLevel.STANDARD),
        DomainControl("Business Continuity", "c", "Immutable backups for critical systems", SecurityLevel.STANDARD),
        # Domain (d) — Supply Chain
        DomainControl("Supply Chain", "d", "Security requirements in supplier contracts", SecurityLevel.STANDARD),
        DomainControl("Supply Chain", "d", "Annual Tier-1 supplier security questionnaire", SecurityLevel.STANDARD),
        DomainControl("Supply Chain", "d", "SBOM maintained for production software", SecurityLevel.STANDARD),
        DomainControl("Supply Chain", "d", "Dependency vulnerability scanning in CI/CD", SecurityLevel.STANDARD),
        # Domain (e) — Secure Development
        DomainControl("Secure Development", "e", "Threat modelling process for new features", SecurityLevel.STANDARD),
        DomainControl("Secure Development", "e", "SAST + DAST in CI/CD pipeline", SecurityLevel.STANDARD),
        DomainControl("Secure Development", "e", "Patch SLA: Critical ≤24h, High ≤7d", SecurityLevel.STANDARD),
        DomainControl("Secure Development", "e", "Vulnerability tracking workflow (not just scanner)", SecurityLevel.STANDARD),
        # Domain (f) — Effectiveness Assessment
        DomainControl("Effectiveness Assessment", "f", "Annual vulnerability assessment", SecurityLevel.STANDARD),
        DomainControl("Effectiveness Assessment", "f", "Annual pen test (biennial for Important)", SecurityLevel.STANDARD if entity_type == EntityType.ESSENTIAL else SecurityLevel.STANDARD),
        DomainControl("Effectiveness Assessment", "f", "MTTD/MTTR metrics tracked", SecurityLevel.STANDARD),
        # Domain (g) — Cyber Hygiene and Training
        DomainControl("Cyber Hygiene", "g", "Annual security awareness training all staff", SecurityLevel.BASIC),
        DomainControl("Cyber Hygiene", "g", "MFA enforced on all remote access", SecurityLevel.STANDARD),
        DomainControl("Cyber Hygiene", "g", "Email: SPF + DKIM + DMARC reject policy", SecurityLevel.STANDARD),
        DomainControl("Cyber Hygiene", "g", "Quarterly phishing simulation programme", SecurityLevel.STANDARD),
        # Domain (h) — Cryptography
        DomainControl("Cryptography", "h", "AES-256 encryption at rest for sensitive data", SecurityLevel.STANDARD),
        DomainControl("Cryptography", "h", "TLS 1.2+ enforced, deprecated protocols disabled", SecurityLevel.STANDARD),
        DomainControl("Cryptography", "h", "Certificate inventory + automated renewal", SecurityLevel.STANDARD),
        # Domain (i) — HR Security and Access Control
        DomainControl("HR / Access Control", "i", "RBAC with least privilege principle", SecurityLevel.STANDARD),
        DomainControl("HR / Access Control", "i", "Off-boarding: access revocation within 24h", SecurityLevel.STANDARD),
        DomainControl("HR / Access Control", "i", "Annual privileged access recertification", SecurityLevel.STANDARD),
        DomainControl("HR / Access Control", "i", "Data classification scheme implemented", SecurityLevel.STANDARD),
        # Domain (j) — MFA and Secure Communication
        DomainControl("MFA / Secure Comms", "j", "MFA mandatory: remote access + admin interfaces", SecurityLevel.STANDARD),
        DomainControl("MFA / Secure Comms", "j", "No SMS-OTP for privileged accounts", SecurityLevel.STANDARD),
        DomainControl("MFA / Secure Comms", "j", "Encrypted crisis communication channel", SecurityLevel.STANDARD),
    ]
    return controls

# Usage example
assessment = NIS2TechnicalAssessment(
    entity_name="Acme SaaS GmbH",
    entity_type=EntityType.ESSENTIAL,
    security_level=SecurityLevel.STANDARD,
    controls=build_standard_controls(EntityType.ESSENTIAL),
    assessment_date="2026-04-17",
)

# Mark a few controls as assessed
assessment.controls[0].status = ComplianceStatus.COMPLIANT
assessment.controls[0].evidence = "ISP v2.3 approved 2026-01-15"
assessment.controls[4].status = ComplianceStatus.PARTIAL
assessment.controls[4].remediation = "IRP exists but NIS2 Art.23 notification workflow not yet documented — assign owner by Q2 2026"
assessment.controls[24].status = ComplianceStatus.NON_COMPLIANT
assessment.controls[24].remediation = "MFA not enforced on VPN — implement FIDO2 by 2026-06-30"

report = assessment.to_report()
print(json.dumps(report, indent=2))

The ENISA Gap Analysis Methodology

The ENISA guidelines recommend a structured gap analysis process before building a remediation roadmap:

Step 1: Scope Determination Map your systems to NIS2 scope: which services are in scope, which are supporting? Scope defines what the controls need to protect.

Step 2: Tier Assignment Apply the risk factor matrix above to determine Basic/Standard/Advanced for each domain. Note: different domains may warrant different levels (e.g., Standard for most domains but Advanced for incident handling if you process payment data).

Step 3: Current State Assessment For each control in the ENISA framework, rate current status: Compliant / Partial / Non-Compliant. Gather evidence for each rating.

Step 4: Gap Prioritisation ENISA recommends prioritising gaps by:

1. Regulatory risk first: Gaps in domains with explicit Art.23 notification obligations (domains b, d) carry highest regulatory exposure
2. Operational risk second: Gaps that increase breach likelihood or impact
3. Audit visibility third: Controls that auditors will specifically check

Step 5: Remediation Roadmap Map each gap to a remediation action with:

• Owner (team/role)
• Target date
• Investment required (headcount or tooling)
• Risk acceptance if gap cannot be closed by deadline

NIS2 Art.21 × ENISA Guidelines: Supervisory Authority Expectations

Based on how national competent authorities across the EU have applied NIS2 in their first wave of audits (2024–2025), the following patterns have emerged:

What auditors consistently check first:

1. Does a written ISP exist and has it been approved by management?
2. Was the last risk assessment conducted within 12 months?
3. Does an Incident Response Plan exist with clear Art.23 timelines?
4. Are MFA controls documented and enforced (not just policy, but technically enforced)?
5. Are supplier security requirements in contracts?

Common audit findings (ENISA published in 2024 audit experience report):

• 73% of entities had gaps in supply chain security documentation
• 61% had MFA policies but inconsistent technical enforcement
• 54% had no defined RTO/RPO for critical systems
• 47% had no cryptographic inventory

What earns immediate enforcement action:

• No incident notification procedure → direct violation of Art.23
• Failure to notify a qualifying incident → administrative fines up to €10M / 2% global turnover (Essential) or €7M / 1.4% global turnover (Important)
• No management body involvement in cybersecurity oversight (Art.20 liability)

35-Item NIS2 Technical Compliance Checklist

Domain (a) — Risk Management

• Written Information Security Policy approved by management body
• Risk assessment conducted within past 12 months
• Risk register maintained with named risk owners
• Formal risk acceptance process documented
• Asset inventory complete and current

Domain (b) — Incident Handling

• Incident Response Plan with severity classification matrix
• NIS2 Art.23 notification workflow: 24h / 72h / 1-month
• Log aggregation with ≥12 months retention
• Post-incident review process documented
• Out-of-band crisis communication channel operational

Domain (c) — Business Continuity

• 3-2-1 backup policy implemented
• RTO/RPO defined for all critical systems
• Backup restoration tested within past 90 days
• Immutable backups for critical data

Domain (d) — Supply Chain Security

• Security clauses in all Tier-1 supplier contracts
• Annual supplier security questionnaire completed
• SBOM maintained for production software components
• Third-party access via just-in-time provisioning

Domain (e) — Secure Development

• SAST + DAST integrated in CI/CD pipeline
• Patch SLA defined and enforced (Critical ≤24h)
• Threat modelling performed for new architectures
• Vulnerability tracking system in use

Domain (f) — Effectiveness Assessment

• Annual vulnerability assessment completed
• Penetration test within past 12 months (24 months for Important)
• Security metrics (MTTD/MTTR) tracked and reported

Domain (g) — Cyber Hygiene + Training

• Annual security awareness training completed >95% of staff
• MFA technically enforced on all remote access
• DMARC reject policy active on all sending domains
• Phishing simulation programme active

Domain (h) — Cryptography

• All sensitive data at rest encrypted (AES-256 or equivalent)
• TLS 1.3 preferred, 1.0/1.1/SSL disabled
• Certificate inventory with automated renewal

Domain (i) — HR / Access Control

• RBAC implemented with quarterly access reviews
• Off-boarding access revocation within 24h
• Data classification scheme enforced in tooling

Domain (j) — MFA and Secure Communication

• FIDO2/WebAuthn deployed for privileged access (or TOTP at minimum)
• Crisis communication on separate encrypted channel
• No persistent SMS-OTP for admin access

Implementation Timeline Recommendation

See Also

• NIS2 Art.21 Security Measures Overview — All 10 Domains
• NIS2 Art.21(2)(a) Risk Analysis and Information Security Policies
• NIS2 Art.21(2)(b) Incident Handling — Developer Implementation Guide
• NIS2 Art.21(2)(j) MFA and Secure Communications Implementation Guide
• NIS2 Art.20 Management Body Cybersecurity Obligations
• DORA Art.11 ICT Business Continuity — Financial Sector Requirements