Eramba & NIS2 Article 21

Implementation of NIS2 Article 21 using eramba

The NIS2 Directive introduces stringent cybersecurity risk-management requirements for organizations operating within the European Union. This article outlines how eramba GRC software facilitates compliance with Article 21.

In this article:

  • We provide examples of who is subject to NIS2 Article 21
  • We explain which authorities will audit your organization
  • We detail how eramba helps meet each Article 21 requirement.

Who is Subject to NIS2?

The scope of NIS2 is determined by two factors: what you do (Sector) and how big you are (Size). If you are a medium or large enterprise (50+ employees OR €10M+ annual turnover) in a listed sector, you are in scope. If you are a small “mom-and-pop” shop with 5 employees, you are generally out of scope—unless you are so critical that the state decides you are essential anyway.

Essential Entities (High-Criticality)

  • Energy: The local electric utility company that sends your monthly bill.

  • Transport: The regional bus or train line you take to work.

  • Banking: The high-street bank where you keep your savings.

  • Health: The private clinic or medical lab where you go for blood tests.

  • Water: The municipal utility providing your tap water and maintaining the sewers.

  • Digital Infrastructure: The local data center or the company hosting your business’s website.

  • Public Administration: Your regional or central government offices handling taxes or social security.

Important Entities (Other Critical Sectors)

  • Food: The large-scale food distributor or industrial bakery that stocks the shelves of your local shops (Purely local, small retail is often out, but large “distribution” hubs are in).

  • Postal & Courier: The delivery service (like DHL, FedEx, or your national post) bringing your online shopping.

  • Waste Management: The company that drives the trucks to collect your trash every Tuesday.

  • Manufacturing: The local factory producing medical devices, electronics, or car parts.

  • Chemicals: The plant on the edge of town manufacturing fertilizers or industrial cleaning agents.

  • Digital Providers: The online marketplace where you sell your old bike or the search engine you use daily.

  • Research: The university-linked laboratory developing new technologies or medicines.

Why Article 21? (The Core Requirement)

We focus on Article 21 because it is the “To-Do List” of the directive. While other articles discuss who is in charge or how to talk to authorities, Article 21 mandates the actual security measures you must have in place. It is the difference between talking about security and actually doing it. eramba is built to manage exactly these operational requirements—policies, risks, and controls.

How Are You Audited?

Auditing under NIS2 is overseen by National Competent Authorities (NCAs) and follows two distinct regimes based on your classification:

  1. Essential Entities (Proactive Supervision): Authorities perform both ex-ante (proactive) and ex-post (reactive) supervision. This means they can conduct regular, planned audits and on-site inspections even if no incident has occurred.

  2. Important Entities (Reactive Supervision): Supervision is primarily ex-post. Authorities typically only audit these entities if they have evidence or a “reasonable indication” of non-compliance, such as after a security incident or a report from a third party.

Examples of National Implementation:

  • Netherlands: The Dutch authority strictly separates “Essential” (proactive oversight) from “Important” (reactive). Important entities are not subject to direct oversight unless there is a cause, such as a major breach.

  • Germany: The BSI (Federal Office for Information Security) acts as the central auditor. They have integrated NIS2 into their existing “KRITIS” framework, requiring high-detail evidence for critical infrastructure.

  • Belgium: The Center for Cybersecurity Belgium (CCB) requires proactive registration and uses a portal-based approach for evidence submission.

  • France: Managed by ANSSI, the audit process is designed to be streamlined alongside other regulations like DORA (for finance) to avoid “audit fatigue.”

How Does eramba Help?

Each item below lists the Article 21 reference, the organizational expectation (exact article text), the key eramba feature that addresses it, and how it helps.

  • Art. 21(2)(a): “policies on risk analysis and information system security;”
    Key eramba feature: Compliance / Policy
    How it helps: You can use the Policy module to store and regularly review policies, including those specifically related to risk.

  • Art. 21(2)(b): “incident handling;”
    Key eramba feature: Automation / Incidents
    How it helps: You can use the Incident module to handle the entire lifecycle of cyber incidents.

  • Art. 21(2)(c): “business continuity, such as backup management and disaster recovery, and crisis management;”
    Key eramba feature: Risk Management
    How it helps: eramba has a dedicated Risk module for business-related risks and for documenting continuity plans and their associated testing (manual or automated).

  • Art. 21(2)(d): “supply chain security…”
    Key eramba feature: Online Assessments
    How it helps: The Online Assessment module helps you contact and review your suppliers with any kind of questionnaire. The outcome can generate risks and findings.

  • Art. 21(2)(e): “security in network and information systems acquisition… including vulnerability handling…”
    Key eramba feature: Internal Controls (partial coverage)
    How it helps: eramba is not a vulnerability management tool, but it helps you document and test (manually or automated) your internal controls related to vulnerability management.

  • Art. 21(2)(f): “policies and procedures to assess the effectiveness of cybersecurity risk-management measures;”
    Key eramba feature: Internal Controls, Notifications & Automation
    How it helps: eramba has built-in automatic notifications and triggers that notify stakeholders if the treatment of a risk fails to pass scheduled audits or policy reviews.

  • Art. 21(2)(g): “basic cyber hygiene practices and cybersecurity training;”
    Key eramba feature: Awareness
    How it helps: eramba’s built-in Awareness module helps you regularly distribute awareness content tailored to each department in the organization.

  • Art. 21(2)(i): “human resources security, access control policies and asset management;”
    Key eramba feature: Account Review
    How it helps: eramba has a built-in automated Account Review module that pulls accounts from systems and ensures accounts and roles are reviewed.

  • Art. 21(2)(j): “multi-factor authentication or continuous authentication solutions…”
    Key eramba feature: Account Reviews (partial coverage)
    How it helps: eramba is not a provisioning or authentication service, but it can help test systems automatically to ensure security controls (such as MFA) are enabled.

  • Art. 21(4): “ensure that an entity that finds that it does not comply… takes, without undue delay… corrective measures.”
    How it helps: Let’s hope that non-compliant entity is not yours! 🙂