NIS2 Article 21 lists ten sub-articles of cybersecurity risk-management measures essential and important entities must implement. The mapping below shows which of the 16 typed controls in nixfleet-compliance satisfy each sub-article.

| Article | Requirement | Controls |
|---|---|---|
| 21(a) | Risk analysis & info security policy | _baseline-hardening, _network-segmentation, _secure-boot |
| 21(b) | Incident handling | _incident-response |
| 21(c) | Business continuity, backup, DR | _backup-retention, _disaster-recovery |
| 21(d) | Supply chain security | _supply-chain |
| 21(e) | Vulnerability handling | _vulnerability-mgmt, _change-management |
| 21(f) | Effectiveness assessment | _audit-logging |
| 21(g) | Cyber hygiene & training | _baseline-hardening |
| 21(h) | Cryptography | _encryption-at-rest, _encryption-in-transit, _key-management |
| 21(i) | Access control & asset management | _access-control, _asset-inventory |
| 21(j) | MFA & secure comms | _authentication |

Canonical control source: docs/nis2-mapping.md in the compliance repo.

The operator declares the entity classification via compliance.frameworks.nis2.entityType = "essential" | "important"; see NIS2 entity classification.
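
A gap check over the mapping table above, as an added example that is not part of nixfleet-compliance: given the set of controls enabled on a host, it reports which Article 21 sub-articles are fully, partially, or not covered, and which sub-articles depend on a given control. The function names and the rule that a sub-article is "covered" only when all of its mapped controls are enabled are assumptions made for this illustration.

```python
# Mapping transcribed from the Article 21 table on this page.
NIS2_ART21 = {
    "21(a)": ["_baseline-hardening", "_network-segmentation", "_secure-boot"],
    "21(b)": ["_incident-response"],
    "21(c)": ["_backup-retention", "_disaster-recovery"],
    "21(d)": ["_supply-chain"],
    "21(e)": ["_vulnerability-mgmt", "_change-management"],
    "21(f)": ["_audit-logging"],
    "21(g)": ["_baseline-hardening"],
    "21(h)": ["_encryption-at-rest", "_encryption-in-transit", "_key-management"],
    "21(i)": ["_access-control", "_asset-inventory"],
    "21(j)": ["_authentication"],
}

ALL_CONTROLS = sorted({c for cs in NIS2_ART21.values() for c in cs})


def coverage(enabled):
    """Return {article: (status, missing_controls)} for a set of enabled controls.

    Assumption: a sub-article counts as "covered" only when every control
    mapped to it is enabled; "partial" when some are; "uncovered" when none.
    """
    unknown = set(enabled) - set(ALL_CONTROLS)
    if unknown:
        raise ValueError(f"controls not in the mapping: {sorted(unknown)}")
    report = {}
    for article, controls in NIS2_ART21.items():
        missing = [c for c in controls if c not in enabled]
        if not missing:
            status = "covered"
        elif len(missing) < len(controls):
            status = "partial"
        else:
            status = "uncovered"
        report[article] = (status, missing)
    return report


def articles_for(control):
    """Reverse lookup: which sub-articles lose evidence if this control fails."""
    return [a for a, cs in NIS2_ART21.items() if control in cs]


if __name__ == "__main__":
    # Constructed sample: a host with every control on except two.
    enabled = set(ALL_CONTROLS) - {"_baseline-hardening", "_key-management"}
    for article, (status, missing) in coverage(enabled).items():
        print(f"{article:6} {status:10} {', '.join(missing)}")
```

Because `_baseline-hardening` is the only control mapped to 21(g) and one of three mapped to 21(a), disabling it leaves one sub-article uncovered and another partial.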