Reference · Article 21 · Last revised 05 May 2026
The 21 measures, explained simply.
Article 21 of Directive (EU) 2022/2555 lists ten categories of cybersecurity risk-management measures. We have unpacked them into 21 concrete checkpoints, grouped by what your team actually has to deliver.
§ 01 Governance
- M.01 Information security policies, approved at board level
- M.02 Roles, responsibilities and accountability formally documented
- M.03 Director training on cybersecurity risk
- M.04 Annual independent review of the security programme
§ 02 Risk management
- M.05 Risk analysis methodology and a live risk register
- M.06 Asset inventory: information systems and data
- M.07 Business continuity and crisis management plans
- M.08 Backups with tested restore procedures
§ 03 Technical measures
- M.09 Multi-factor authentication on all critical access
- M.10 Cryptography and encryption policy
- M.11 Network segmentation and zero-trust principles
- M.12 Vulnerability management and patching cadence
- M.13 Endpoint detection and response
- M.14 Secure software development lifecycle
§ 04 Supply chain
- M.15 Supplier security assessments
- M.16 Contractual security clauses for critical vendors
- M.17 Continuous monitoring of third-party exposure
§ 05 Incident handling
- M.18 Detection, classification and escalation playbooks
- M.19 Early warning to the CSIRT within 24h
- M.20 Incident notification with severity assessment within 72h
- M.21 Final report within one month
§ Action · Run the checklist
Ready to put numbers on this?
Take the 21-point assessment. Score in two minutes. Walk away with a prioritised action plan ready to share with your board.