Directive (EU) 2022/2555

NIS2 turns cybersecurity into a board-level duty. Rizzqo turns it into running evidence.

NIS2 teams need to show management accountability, the ten Article 21 risk-management measures, and incident readiness across real systems. Rizzqo turns those obligations into running evidence that stays current and audit-ready — so a 24-hour clock never catches you cold.

10risk-management measures under Article 21
24hearly warning after a significant incident
18sectors in scope across the EU
Who is in scope

Essential and important entities

The first need is scope: NIS2 applies to medium-sized and larger organisations in eighteen sectors, split into two classes. Both carry the same risk-management duties; supervision and penalties are heavier for essential entities. Select a class to see what it means for you.

Highest oversight

Essential entities

Proactive supervision

Larger operators in the most critical sectors. Regulators may inspect, audit and act before any incident, not only after one.

What this class means
  • Energy, transport, banking, health, water and digital infrastructure
  • Generally large enterprises, plus designated critical operators of any size
  • Subject to proactive supervision: audits, inspections and scans
  • Fines up to 10 million euro or 2 percent of global annual turnover

Sectors covered

NIS2 scope is easier to read in two buckets. Essential sectors face proactive supervision; important sectors follow the same risk-management measures, with supervision usually triggered by evidence of non-compliance.

Essential sectors

Critical services where disruption can hit society quickly.

EnergyTransportBankingFinancial market infrastructureHealthDrinking waterWaste waterDigital infrastructureICT service managementPublic administrationSpace

Important sectors

Other covered services and supply chains with the same Article 21 baseline.

Postal and courierWaste managementChemicalsFoodManufacturingDigital providersResearch
Article 21 measures

The ten minimum risk-management measures

Article 21 sets a baseline that every entity in scope must implement on an all-hazards basis. Rizzqo makes that baseline something you can see and prove, not something you assert.

Art. 21(2)(a)

Risk analysis & infosec policies

Policies on risk analysis and the security of information systems that set the rules everything else is measured against.

Art. 21(2)(b)

Incident handling

A defined process to detect, respond to and recover from incidents, with reporting wired in from the start.

Art. 21(2)(c)

Business continuity

Backups, disaster recovery and crisis management so essential services keep running through disruption.

Art. 21(2)(d)

Supply-chain security

Security in relationships with direct suppliers and service providers, including their handling of your data.

Art. 21(2)(e)

Secure acquisition & development

Security in the acquisition, development and maintenance of systems, including vulnerability handling.

Art. 21(2)(f)

Effectiveness assessment

Policies and procedures to assess whether the risk-management measures actually work.

Art. 21(2)(g)

Cyber hygiene & training

Basic cyber-hygiene practices and regular security awareness training across the workforce.

Art. 21(2)(h)

Cryptography & encryption

Policies and procedures on the use of cryptography and, where appropriate, encryption.

Art. 21(2)(i)

Access control & assets

Human-resources security, access-control policies and asset management across the estate.

Art. 21(2)(j)

MFA & secure comms

Multi-factor authentication, secured voice, video and text, and secured emergency communications.

Article 23 reporting

A significant incident starts a staged clock

For any significant incident, NIS2 sets a staged reporting timeline to the national CSIRT or competent authority. Rizzqo keeps you ready to meet each stage on time, with the proof already in hand.

24 hoursFirst
Early warning

Early warning

Within 24 hours of becoming aware, an early warning flagging whether the incident may be unlawful or cross-border.

72 hoursThen
Incident notification

Incident notification

Within 72 hours, a fuller notification with an initial assessment of severity, impact and any indicators of compromise.

On requestFinally
Intermediate update

Progress report

On request from the authority, an intermediate status update on how handling and recovery are progressing.

1 monthFinally
Final report

Final report

Within one month of the notification, a final report with root cause, mitigation taken and cross-border impact.

NIS2 as an operating model

The baseline, live on the systems it governs

The ten measures stop being a policy document and become live work on the systems they govern — owned, kept on track, and backed by real evidence rather than asserted on paper.

01

Measures linked to real assets

Your NIS2 program is grounded in the systems you actually depend on, not a generic checklist. Each of the ten measures is tied to the real thing it protects, so scope reflects how you truly run.

  • Grounded in the systems you actually run
  • Each measure tied to what it protects
  • Risk priced in real money, not a heat-map colour
02

Clear ownership, evidence that stays current

Every measure has a clear owner, and the proof builds up as your teams do the work — so you stay audit-ready instead of scrambling to reconstruct it before an inspection.

  • A clear owner on every measure
  • Proof that stays current, not rebuilt in a rush
  • Audit-ready for proactive supervision at any time
03

Ready the moment the clock starts

When an incident is significant, you are ready for the 24-hour, 72-hour and one-month deadlines — the context you need is already in hand, so each report is assembled, not improvised.

  • Ready for the 24h, 72h and one-month deadlines
  • The context you need already in hand
  • Early warning, notification and final report on tap

NIS2 rides on the ISMS you already run

Most of the Article 21 measures already live in an ISO 27001 ISMS — risk analysis, incident handling, access control, cryptography, supplier security. Run both on one set of assets in Rizzqo and a control proven for ISO 27001 counts for NIS2 the moment you add it, with no parallel project.

Be audit-ready before the 24-hour clock starts.

See where you stand against the Article 21 measures, and be ready for every Article 23 deadline before the clock starts.

Aligned to the Article 21 measuresGrounded in your real systemsArticle 23 reporting ready

NIS2 questions, answered