Art. 21(2)(a)
Last updated: May 2026
NIS2 Risk Register Builder
Score your assets and threats by likelihood and impact. The tool calculates risk scores, colour-codes by severity, and prioritises actions for your NIS2 Article 21(2)(a) documentation.
Add up to 12 risks. Score each by Likelihood (L) and Impact (I) on a 1–5 scale. Score = L × I.
Likelihood (1 = rare, 5 = almost certain)
Impact (1 = minimal, 5 = critical)
NIS2 Article 21(2)(a): What is Required?
Article 21(2)(a) of the NIS2 Directive requires all covered entities to maintain a documented risk analysis methodology and written information security policies covering all information systems.
The risk analysis must be updated at least annually and after any significant infrastructure change or security incident. Results must be approved at board or management level.
Risk Matrix: Scoring Reference
| Score | Level | Action |
|---|---|---|
| 17–25 | Critical | Immediate treatment required; escalate to management |
| 10–16 | High | Plan treatment within 30 days; assign owner |
| 5–9 | Medium | Schedule treatment in next quarterly cycle |
| 1–4 | Low | Accept or treat as part of regular maintenance |