NIS2 Requirements: The 10 Most Important Rules

NIS2 introduces comprehensive cybersecurity requirements for organizations across Europe. But what exactly do you need to do? We break down the 10 most important rules from Article 21 of the directive, explained in plain language for Belgian SMEs.

Figure: The 10 NIS2 requirements: legal rules that protect your business

Why These 10 Rules Matter

Article 21 of the NIS2 directive lists specific cybersecurity measures that organizations must implement. These are not suggestions—they are legal requirements. The good news? They represent solid security practices that will genuinely protect your business, not just bureaucratic checkboxes.

1. Risk Management Policies and Procedures

You need a systematic approach to identifying, analyzing, and addressing cybersecurity risks. This means documenting what assets you have, what threats they face, and how you protect them.

The CCB CyberFundamentals framework provides a structured approach to risk management that aligns with NIS2.

2. Incident Handling (Detection, Response, Reporting)

You must be able to detect security incidents, respond to them effectively, and report significant incidents to authorities within strict timeframes.

  • 24 hours: early warning to the authorities (CCB)
  • 72 hours: full incident notification
  • 1 month: final report with root cause analysis

3. Business Continuity and Crisis Management

Your organization must be able to continue operating during and after a cyber incident. This includes backup strategies, disaster recovery plans, and crisis management procedures.

The 3-2-1 backup rule is a good starting point: 3 copies, 2 different media, 1 offsite.

4. Supply Chain Security

You are responsible for managing cybersecurity risks from your suppliers and service providers. A weakness in your supply chain is a weakness in your security.

Ask your suppliers these questions:

  • What security certifications do they have?
  • How do they handle your data?
  • What is their incident response process?
  • Do they have cyber insurance?

5. Security in Network and Systems Acquisition

Security must be considered when acquiring, developing, or maintaining IT systems. This means building security in from the start, not adding it as an afterthought.

Include security requirements in your procurement checklist and vendor evaluation criteria.

6. Assessing Effectiveness of Security Measures

You need to regularly test and evaluate whether your security measures actually work. Compliance on paper is not enough—you need to verify in practice.

  • Vulnerability assessments
  • Penetration testing
  • Security audits
  • Tabletop exercises
  • Policy compliance reviews

7. Basic Cyber Hygiene and Training

All employees must understand basic cybersecurity practices and receive appropriate training. Human error remains the leading cause of security incidents.

  • Recognizing phishing emails
  • Strong password practices
  • Safe use of removable media
  • Reporting suspicious activity
  • Clean desk policy

8. Cryptography and Encryption

You must have policies and procedures for the use of cryptography and encryption to protect sensitive data, both in transit and at rest.

  • Encrypt laptop and mobile device storage
  • Use TLS/HTTPS for all web traffic
  • Encrypt sensitive emails
  • Secure backup encryption
  • Proper key management

9. Human Resources Security and Access Control

Security must be integrated into HR processes. This includes background checks where appropriate, security responsibilities in job descriptions, and proper access management.

  • Onboarding: grant the minimum necessary access
  • Role change: review and adjust access rights
  • Offboarding: immediately revoke all access

10. Multi-Factor Authentication (MFA)

NIS2 explicitly requires multi-factor authentication or continuous authentication solutions where appropriate. Passwords alone are no longer sufficient.

MFA priority:

  1. Email accounts (highest priority)
  2. Cloud services (Microsoft 365, Google Workspace)
  3. Remote access / VPN
  4. Administrative accounts
  5. Financial systems

Figure: All requirements work together for complete security

Getting Started: One Step at a Time

These 10 requirements might seem overwhelming, but remember: NIS2 calls for "appropriate and proportionate" measures. You do not need to implement everything at once. Start with the basics, document your progress, and improve continuously.

  1. Assess your current state against these 10 requirements
  2. Prioritize based on your biggest risks
  3. Start with quick wins (MFA, backups, basic training)
  4. Document everything as you go
  5. Build up to full compliance over time

How Easy Cyber Protection Helps

Our platform breaks down these requirements into manageable tasks, guides you through implementation step by step, and helps you document evidence of compliance.

Structured approach — Requirements mapped to CyberFundamentals controls
One task at a time — No overwhelm—just clear next steps
Evidence collection — Document compliance as you implement
Progress tracking — See where you stand on each requirement
Free to start — Begin with our free Small tier (7 controls)

Frequently Asked Questions

Do I need to implement all 10 requirements?

Yes, if you are in scope for NIS2. However, the implementation should be "appropriate and proportionate" to your risk level, size, and the criticality of your services. A small company will have simpler implementations than a large enterprise.

What is the 24-hour incident reporting requirement?

Within 24 hours of becoming aware of a significant incident, you must send an "early warning" to the competent authority (CCB in Belgium). This is just an initial notification—you have 72 hours for a full incident notification and 1 month for a final report.

Is multi-factor authentication mandatory?

NIS2 Article 21 specifically mentions "multi-factor authentication or continuous authentication solutions, secured voice, video and text communications." While not every system needs MFA, it should be used for critical systems and where sensitive data is accessed.

How do I assess my supply chain security?

Start by identifying your critical suppliers and service providers. Review their security certifications, ask about their security practices, include security requirements in contracts, and monitor their compliance. The CyberFundamentals framework includes specific controls for supply chain security.

What counts as "appropriate and proportionate" measures?

This depends on your risk exposure, organization size, likelihood of incidents, severity of potential impact, and the state of the art in security. A hospital handling patient data needs stronger measures than a small logistics company. When in doubt, follow the CyberFundamentals level recommended for your sector.

Sources

  1. NIS2 Directive (EU) 2022/2555, Article 21 — Cybersecurity risk-management measures
  2. ENISA NIS2 Resources — Implementation guidance from the EU Agency for Cybersecurity
  3. CCB CyberFundamentals Framework — Belgian implementation of NIS2 requirements
  4. European Commission NIS2 Overview — Official EU policy document