Security check

NIS2 technical security requirements: art. 21, concretely

NIS2 art. 21 lists ten risk-management measures β€” but what do they mean technically? We break them down into measurable controls and a review that shows where you stand.

Run a free domain scan All checks β†’
Relates to: NIS2 Β· art. 21 a–j ISO 27001 Β· Annex A SE Cybersecurity Act Β· 2026

What we check

We map the ten measures in art. 21 (risk analysis, incident handling, continuity, supply chain, vulnerability handling, cryptography, access control, etc.) to concrete technical controls we can measure in your environment.

Why it matters

Since the Cybersecurity Act implemented NIS2 in Sweden (Jan 2026), the requirements are enforced. But the law is principle-based β€” the key is translating 'appropriate and proportionate measures' into specific, provable controls.

How Security Guru tests it

Common mistakes

  • Reading art. 21 as policy only, not technology
  • No measurable status per measure
  • Vulnerability handling without prioritisation (all or nothing)
  • Supply-chain requirements with no view of actual dependencies

What you get in the report

  • Status per art. 21 measure (a–j) with technical evidence
  • Gaps prioritised by risk
  • Concrete 30/60/90-day plan
  • Management summary for board reporting

FAQ

Does NIS2 apply to us?

NIS2 applies to essential and important entities in designated sectors β€” and their suppliers via the requirements. We help you address the technical side regardless.

How does it differ from ISO 27001?

ISO 27001 is a certifiable management system; NIS2 is law. They overlap technically β€” our review serves both.

Do you give legal advice?

No β€” we deliver the technical evidence. The legal interpretation rests with you or your advisor.

Want to know your status?

Run a free scan or order a full Security Assessment β€” prioritised, not noise.

Run a free domain scan