If your organization falls under the NIS2 Directive, Article 21 is where the work actually happens. It spells out the ten cybersecurity risk-management measures every essential or important entity must put in place — and failure to comply carries fines up to €10 million or 2% of global turnover.
Article 21 is not optional, not subject to interpretation, and not adequately covered by “we have a security policy” hand-waving. Each of the ten measures requires specific controls, documented evidence, and ongoing monitoring — especially around vendor and supply chain security.
This guide walks through Article 21’s ten measures with a practical compliance checklist focused on the vendor-security obligations most TPRM programs struggle with.
What is NIS2 Article 21?
Article 21 of the NIS2 Directive (Directive 2022/2555) defines the baseline cybersecurity risk-management measures that essential and important entities must implement. It replaces the narrower requirements of the original NIS1 Directive and applies to significantly more sectors — energy, transport, banking, health, digital infrastructure, public administration, space, and more.
The article requires entities to adopt “appropriate and proportionate technical, operational and organisational measures” to manage cybersecurity risks — and specifically addresses supply chain and vendor security in measure (d).
The 10 Article 21 measures (with checklist)
Every entity subject to NIS2 must implement all ten measures. Here’s what each one requires and the evidence you need to maintain:
1. Risk analysis and information system security policies
Documented risk analysis procedures and information security policies covering the entity’s scope, objectives, and governance.
Checklist:
- [ ] Information security policy approved by management
- [ ] Risk analysis methodology documented and followed
- [ ] Risk register maintained and reviewed at least annually
- [ ] Roles and responsibilities assigned (CISO, data owners, operators)
2. Incident handling
Documented processes for detecting, analysing, responding to, and recovering from cybersecurity incidents, including the notification obligations to authorities: an early warning within 24 hours and an incident notification within 72 hours.
Checklist:
- [ ] Incident response plan documented and tested
- [ ] Incident detection tools deployed (SIEM, EDR)
- [ ] Notification procedures to CSIRT/competent authority defined
- [ ] Post-incident review process
3. Business continuity and crisis management
Covers backup management, disaster recovery, and crisis procedures, all of which must be tested regularly.
Checklist:
- [ ] BCP/DRP documented for critical systems
- [ ] Backup strategy with tested restoration procedures
- [ ] Annual DR test results documented
- [ ] Crisis management team and contacts
4. Supply chain security — including vendor relationships
This is the measure most TPRM programs focus on. It covers the security aspects of relationships with direct suppliers and service providers, with particular attention to the vulnerabilities specific to each supplier and the overall quality of their security practices.
Checklist:
- [ ] Complete vendor/supplier inventory with risk tiering
- [ ] Security due diligence procedures for new suppliers
- [ ] Contract clauses requiring security controls, audit rights, incident notification
- [ ] Ongoing monitoring of critical suppliers (not just annual)
- [ ] Supplier incident notification procedures in place
- [ ] Documented assessment of each critical supplier’s security posture
- [ ] Process for assessing sub-processors (fourth-party risk)
This is where platforms like CheckFirst provide direct value — automating the supplier security assessment workflow with audit-ready documentation.
5. Security in acquisition, development and maintenance of network and information systems
Secure development lifecycle, vulnerability management, and handling of vulnerability disclosure.
Checklist:
- [ ] Secure development practices documented
- [ ] Vulnerability scanning in place for production systems
- [ ] Patch management procedures with SLAs for severity levels
- [ ] Vulnerability disclosure policy published
6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
Metrics, reviews, and continuous improvement.
Checklist:
- [ ] Security KPIs defined and measured
- [ ] Regular management review meetings
- [ ] Internal or external audit schedule
- [ ] Findings tracked to remediation
7. Basic cyber hygiene practices and cybersecurity training
Training for all staff, enhanced training for technical roles.
Checklist:
- [ ] Mandatory annual training for all personnel
- [ ] Role-based training for technical/security staff
- [ ] Phishing simulation program
- [ ] Training completion records maintained
8. Policies and procedures regarding the use of cryptography and encryption
Covers cryptographic algorithms, key management, and encryption in transit and at rest.
Checklist:
- [ ] Cryptography policy with approved algorithms
- [ ] Key management procedures documented
- [ ] Encryption at rest enabled for sensitive data
- [ ] Encryption in transit for all external communications
9. Human resources security, access control policies and asset management
Covers personnel security, access controls, and asset inventory.
Checklist:
- [ ] Background check procedures for personnel
- [ ] Joiner/mover/leaver access management process
- [ ] Multi-factor authentication on critical systems
- [ ] Complete asset inventory (hardware, software, data)
- [ ] Privileged access management
10. The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems
Strong authentication across critical systems.
Checklist:
- [ ] MFA enforced on privileged accounts
- [ ] MFA enforced on remote access
- [ ] Secured communications for incident response
- [ ] Emergency communication procedures
Where Article 21 vendor compliance most often fails
In practice, audits of NIS2 Article 21 compliance find the same gaps repeatedly:
Incomplete vendor inventories. Teams track critical suppliers but miss the long tail — marketing tools, HR SaaS, observability services. All of them qualify as “suppliers” under NIS2 if they process or access entity data.
Contracts without audit rights. Many pre-NIS2 vendor contracts don’t include right-to-audit clauses or incident notification SLAs. These need renegotiation.
No fourth-party visibility. NIS2 doesn’t explicitly define sub-processor responsibility, but effective compliance requires tracking sub-processors of critical vendors. If your cloud provider uses a sub-processor in a non-EU region, that’s your concentration risk.
Point-in-time assessments. Article 21 requires “ongoing” supply chain security. Annual reviews don’t satisfy this — you need continuous monitoring with trigger-based reassessment.
No documented methodology. Having assessments isn’t enough. You need to document your risk methodology, scoring criteria, and decision rationale. Auditors will ask.
Evidence you must be able to produce
For a NIS2 Article 21 compliance audit, be prepared to show:
- Documented information security policy (and approval trail)
- Risk assessment methodology and current risk register
- Complete vendor inventory with tiering
- Sample of vendor security assessments from the last 12 months
- Contract templates showing security clauses
- Incident response plan and test records
- Training records for all personnel
- Access control matrix and MFA coverage
- Evidence of ongoing monitoring (not just onboarding reviews)
- Post-incident review records
How CheckFirst supports Article 21 compliance
For the supply chain security measure specifically, CheckFirst’s vendor security assessment workflow automates:
- Centralized vendor inventory with risk tiering
- Evidence-based assessments mapped to NIS2, DORA, ISO 27001, and SOC 2
- Contract clause templates aligned with Article 21 requirements
- Continuous monitoring via external security signals
- Audit-ready documentation with complete decision trails
For teams still using spreadsheets, this is the Level 2→3 transition in the TPRM maturity framework — and it’s the transition most NIS2 auditors expect to see completed by now.
FAQ
When does NIS2 Article 21 apply?
NIS2 came into force on 16 January 2023 and member states had until 17 October 2024 to transpose it into national law. Most EU countries have now done so, though implementation timelines vary. If your organization falls under NIS2 scope, Article 21 compliance is expected today.
What happens if you don’t comply with Article 21?
Fines can reach €10 million or 2% of global annual turnover (whichever is higher) for essential entities, and €7 million or 1.4% for important entities. Member state competent authorities can also issue public warnings, impose temporary management bans, or require corrective actions.
Does Article 21 apply to non-EU suppliers?
Yes — if you’re subject to NIS2 and you use non-EU suppliers, your Article 21 obligations extend to those supplier relationships. You must assess their security posture and include appropriate security clauses in contracts.
Is a SOC 2 Type II report sufficient evidence for Article 21 vendor assessment?
SOC 2 Type II is strong evidence but not sufficient on its own. Article 21 requires assessment of vendor-specific vulnerabilities and monitoring beyond point-in-time reports. Use SOC 2 as one input alongside continuous monitoring and targeted due diligence.
How often do vendor assessments need to be repeated under NIS2?
NIS2 doesn’t prescribe a specific frequency but requires “ongoing” supply chain security. In practice, critical vendors should be reassessed continuously with trigger-based deep reviews. Less critical vendors can follow annual or biennial cycles, but monitoring should never pause.
Who is responsible for NIS2 Article 21 compliance?
Management bodies of essential and important entities are personally accountable. Article 20 specifically requires management to approve cybersecurity risk-management measures and oversee their implementation. Delegation to security teams doesn’t transfer liability.
Next steps
Article 21 compliance is a structured exercise, not a mystery. Work through the ten measures one at a time, document what you have, identify the gaps, and close them in order of risk.
The supply chain security measure (measure 4) is where most programs have the most work. If your vendor security assessment process is still running on spreadsheets, start there — it’s both the biggest audit risk and the highest-leverage improvement.
Read more on NIS2 supplier assessment methodology or see managed TPRM support for teams without in-house capacity.
Related reading
- TPRM Maturity Model: 5-Level Framework — benchmark whether your program is ready for NIS2 expectations
- Vendor Security Assessment Guide — the process that satisfies Article 21 measure 4
- CSA CCM for TPRM — control framework that provides evidence for Article 21 compliance
- Fourth-Party Risk Management — NIS2 extends supply chain security to sub-processors
- DORA Supplier Assessment — companion regulation for financial entities