NIS2 · 10 min read · January 30, 2026

NIS2 Risk Assessment: A Structured Framework to Identify and Prioritise Your Cyber Gaps

By Anna Bergström

NIS2 Article 21 mandates comprehensive cybersecurity risk management for organisations in scope. This is not a one-time exercise — it requires an ongoing, documented framework that identifies threats, assesses vulnerabilities, and implements proportionate controls. This guide provides a structured six-step methodology aligned with ISO 27005 and ENISA guidance.

Step 1: Asset Inventory

Begin by identifying all information systems, networks, and data that support your essential or important services. This includes cloud services, third-party tools, IoT devices, and operational technology. You cannot protect what you do not know exists.

Step 2: Threat Identification

Map the threat landscape relevant to your sector and organisation. Consider nation-state actors, cybercriminal groups, insider threats, supply chain compromises, and natural disasters. The ENISA Threat Landscape report is an excellent starting point.

Step 3: Vulnerability Assessment

Identify weaknesses in your systems, processes, and people. This includes technical vulnerabilities (unpatched systems, misconfigurations), procedural gaps (lack of MFA, weak password policies), and human factors (insufficient training, social engineering susceptibility).

Step 4: Risk Evaluation

Combine threat likelihood with vulnerability exploitability and potential impact to calculate risk levels. Use a consistent methodology such as ISO 27005 or the NIST Risk Management Framework. Prioritise risks that could affect the continuity of your essential or important services.

Step 5: Risk Treatment

For each identified risk, choose an appropriate treatment: mitigate (implement controls), accept (if within appetite), transfer (insurance or outsourcing), or avoid (eliminate the risk source). Document your decisions and ensure management approval.
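As an added illustration of Steps 4 and 5 (example code written for this guide, not part of the original post or of any standard), the snippet below keeps a small risk register: it scores each entry from likelihood, exploitability and impact, bands the score, ranks risks that threaten an essential or important service first, and proposes a default treatment against a stated risk appetite. The 1..5 scales, the band thresholds and the "Medium" appetite are assumptions; replace them with the values your own documented methodology fixes.

```python
from dataclasses import dataclass

# Assumption: ISO 27005 prescribes no numbers, so 1..5 scales and the
# score bands below are illustrative; fix your own and apply them consistently.
RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

@dataclass
class Risk:
    name: str
    threat_likelihood: int  # 1 (rare) .. 5 (almost certain)
    exploitability: int     # 1 (hard to exploit) .. 5 (trivial)
    impact: int             # 1 (negligible) .. 5 (severe)
    affects_essential_service: bool = False

def risk_score(r: Risk) -> int:
    """Likelihood x exploitability x impact, range 1..125."""
    for v in (r.threat_likelihood, r.exploitability, r.impact):
        if not 1 <= v <= 5:
            raise ValueError(f"{r.name}: scale values must be 1..5, got {v}")
    return r.threat_likelihood * r.exploitability * r.impact

def risk_level(score: int) -> str:
    # Band thresholds are part of the assumed methodology.
    if score >= 60:
        return "Critical"
    if score >= 30:
        return "High"
    return "Medium" if score >= 10 else "Low"

def prioritise(risks: list[Risk]) -> list[Risk]:
    """Service-continuity risks sort first, then by descending score."""
    return sorted(risks, key=lambda r: (not r.affects_essential_service,
                                        -risk_score(r)))

def default_treatment(r: Risk, appetite: str = "Medium") -> str:
    """'accept' only when within appetite and no essential service is at stake;
    otherwise 'mitigate' pending a documented, management-approved decision
    (transfer/avoid remain management choices, not derivable from the score)."""
    within = RANK[risk_level(risk_score(r))] <= RANK[appetite]
    return "accept" if within and not r.affects_essential_service else "mitigate"

# Constructed sample register (illustrative entries, not real findings).
SAMPLE_REGISTER = [
    Risk("Unpatched VPN gateway", 4, 5, 5, affects_essential_service=True),
    Risk("Phishing of finance staff", 5, 3, 3),
    Risk("Data centre flooding", 1, 2, 5, affects_essential_service=True),
    Risk("Weak password policy on dev wiki", 3, 3, 1),
]

def build_register(risks: list[Risk] = SAMPLE_REGISTER) -> list[tuple]:
    """Rows of (name, score, level, treatment) in priority order."""
    return [(r.name, risk_score(r), risk_level(risk_score(r)), default_treatment(r))
            for r in prioritise(risks)]
```

Note that the Medium-banded flooding risk outranks the High-banded phishing risk purely because it threatens an essential service, which is the ordering Step 4 asks for; record the reasoning behind each treatment choice alongside the row so management sign-off has something to approve.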

Step 6: Monitoring and Review

Risk assessment is not a one-time exercise. Establish a regular review cycle and trigger reassessment when significant changes occur to your IT environment, threat landscape, or business operations.

NIS2-Specific Considerations

Your framework must specifically address the Article 21 minimum measures: policies on risk analysis and information system security, incident handling, business continuity, supply chain security, network security, vulnerability disclosure, and assessment of cybersecurity measure effectiveness.

Get Started

Once your internal framework is established, benchmark it against regulatory expectations. Our assessment evaluates your cybersecurity risk management practices against NIS2 Article 21 requirements and generates a prioritised remediation plan.
