NIS2 | 10 min read | January 30, 2026

NIS2 Risk Assessment: A Structured Framework to Identify and Prioritise Your Cyber Gaps

NIS2 Article 21 mandates that essential and important entities adopt a risk-based approach to cybersecurity. But the directive does not prescribe a specific methodology. Organisations must select and implement a framework that is appropriate to their size, exposure, and sector. This guide presents a structured six-step methodology aligned with ISO 27005:2022 (Information Security Risk Management) and ENISA guidance, tailored for organisations subject to NIS2.

Why a Structured Framework Matters

Ad hoc security measures, however well-intentioned, do not meet the NIS2 standard. Article 21 requires measures that are appropriate and proportionate, which implies a documented rationale for every security decision. A structured risk assessment framework provides that rationale. It ensures that resources are allocated to the highest-impact risks, that residual risks are consciously accepted by management, and that compliance can be demonstrated to supervisory authorities.

The framework presented here follows six sequential steps. Each step produces documented outputs that feed into the next, creating a comprehensive and auditable risk management process.

Step 1: Asset Identification and Valuation

Before you can assess risk, you must know what you are protecting. Asset identification creates a comprehensive inventory of the information assets, network and information systems, and supporting infrastructure within your NIS2 scope.

Categories of assets to inventory:

  • Information assets: customer databases, intellectual property, employee records, financial data, operational data
  • Hardware assets: servers, workstations, network equipment, IoT devices, mobile devices
  • Software assets: operating systems, applications, middleware, firmware
  • Network assets: LAN/WAN infrastructure, firewalls, VPNs, cloud connectivity
  • Service assets: cloud services, SaaS platforms, managed services, third-party APIs
  • Personnel: key roles and their access levels

Each asset should be valued based on its criticality to your operations and the sensitivity of the data it holds. ISO 27005 recommends assigning a business impact value (e.g., low, medium, high, critical) based on the potential consequences of compromise to confidentiality, integrity, and availability.

Step 2: Threat Analysis

Threat analysis identifies the potential sources and events that could compromise your assets. Threats can be categorised as:

  • Deliberate: targeted cyber attacks, ransomware, insider threats, espionage, hacktivism
  • Accidental: human error, misconfigurations, software bugs, hardware failures
  • Environmental: natural disasters, power outages, supply chain disruptions

Use threat intelligence sources to calibrate your analysis. ENISA publishes an annual Threat Landscape report that identifies the top threats facing European organisations. Sector-specific ISACs (Information Sharing and Analysis Centres) provide industry-relevant intelligence. Your analysis should consider both the likelihood of each threat and the capabilities of relevant threat actors.

Step 3: Vulnerability Assessment

Vulnerability assessment identifies the weaknesses in your systems, processes, and controls that could be exploited by the threats identified in Step 2. This includes:

  • Technical vulnerabilities: unpatched software, weak configurations, open ports, missing encryption
  • Organisational vulnerabilities: inadequate security policies, insufficient training, unclear responsibilities
  • Physical vulnerabilities: inadequate access controls, lack of environmental protection
  • Supply chain vulnerabilities: unvetted third-party software, insecure APIs, weak vendor security practices

Automated vulnerability scanning tools provide a baseline, but they must be complemented by manual testing (penetration testing) and process reviews. NIS2 Article 21(2)(e) specifically requires vulnerability handling and disclosure capabilities.

Step 4: Impact Analysis

For each plausible threat-vulnerability pair, assess the potential impact if the risk materialises. Impact should be evaluated across multiple dimensions:

  • Operational impact: service disruption, recovery time, loss of critical capabilities
  • Financial impact: direct costs (incident response, remediation), indirect costs (lost revenue, contractual penalties)
  • Regulatory impact: NIS2 penalties (up to EUR 10M or 2% turnover for essential entities), GDPR fines if personal data is involved
  • Reputational impact: customer trust, media exposure, competitive positioning
  • Safety impact: physical harm (relevant for healthcare, energy, transport sectors)

Use a consistent impact scale (e.g., negligible, minor, moderate, major, catastrophic) with defined criteria for each level. This ensures comparability across risks and supports prioritisation.

Step 5: Risk Evaluation and Prioritisation

Risk is the combination of the likelihood that a threat will exploit a vulnerability and the impact if it does. Use a risk matrix to plot each identified risk:

Risk Level = Likelihood x Impact. Categorise risks as: Critical (immediate action required), High (action required within defined timeframe), Medium (monitor and schedule remediation), Low (accept or monitor).

The risk evaluation step is where management accountability under NIS2 Article 20 becomes concrete. The management body must review and formally approve the risk assessment, accepting residual risks with full awareness of their potential consequences.

Step 6: Risk Treatment Planning

For each risk above your organisation's defined risk appetite, select a treatment option:

  • Mitigate: Implement controls to reduce the likelihood or impact (the most common treatment)
  • Transfer: Shift the risk to a third party, typically through cyber insurance or outsourcing to a specialist provider
  • Avoid: Eliminate the risk by discontinuing the activity that generates it
  • Accept: Consciously accept the risk where treatment costs exceed the potential impact (must be documented and approved by management)

For each mitigation control, document the expected risk reduction, implementation timeline, responsible owner, and resource requirements. This becomes your risk treatment plan, a living document that drives your cybersecurity investment and prioritisation.

Risk Register Structure

The risk register is the central artefact of your risk assessment. It should contain the following fields for each identified risk:

  • Risk ID: Unique identifier
  • Asset: The asset(s) at risk
  • Threat: The threat source and event
  • Vulnerability: The weakness being exploited
  • Existing controls: Current measures already in place
  • Likelihood: Assessed probability (e.g., 1-5 scale)
  • Impact: Assessed consequence (e.g., 1-5 scale)
  • Inherent risk level: Before additional treatment
  • Treatment option: Mitigate, transfer, avoid, or accept
  • Planned controls: Additional measures to be implemented
  • Residual risk level: After planned treatment
  • Risk owner: Person accountable for managing this risk
  • Review date: Next scheduled reassessment
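Steps 5 and 6 and the register fields above, worked through as an added example (not the article's own code): a Python model of the register that scores inherent and residual risk as Likelihood x Impact on the 1-5 scales, bands each score into the four levels, orders the register for treatment, and flags Accept decisions or above-appetite residuals that still lack management sign-off. The band cut-offs, the risk appetite value and the sample rows are assumptions; the article leaves all three to the organisation.

```python
from dataclasses import dataclass
from datetime import date
BANDS = ((20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low"))  # assumed 5x5 cut-offs
RISK_APPETITE = 6  # assumed: residual scores above this need documented management sign-off

@dataclass
class RiskEntry:
    """One risk register row, using the fields listed in the article."""
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    existing_controls: str
    likelihood: int           # 1-5, before additional treatment
    impact: int               # 1-5, before additional treatment
    treatment: str            # Mitigate, Transfer, Avoid or Accept
    planned_controls: str
    residual_likelihood: int  # 1-5, after planned treatment
    residual_impact: int      # 1-5, after planned treatment
    risk_owner: str
    review_date: date
    management_approved: bool = False

def risk_level(likelihood: int, impact: int) -> int:
    """Risk Level = Likelihood x Impact; both inputs must be on the 1-5 scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood * impact

def categorise(score: int) -> str:
    """Map a score to Critical / High / Medium / Low using the assumed BANDS."""
    return next(name for floor, name in BANDS if score >= floor)

def prioritise(register: list[RiskEntry]) -> list[RiskEntry]:
    """Order the register by inherent risk so Critical items are treated first."""
    return sorted(register, key=lambda r: risk_level(r.likelihood, r.impact), reverse=True)

def needs_approval(entry: RiskEntry) -> bool:
    """True for an unapproved Accept decision or an unapproved residual above appetite."""
    residual = risk_level(entry.residual_likelihood, entry.residual_impact)
    return (entry.treatment == "Accept" or residual > RISK_APPETITE) and not entry.management_approved

# Constructed sample rows (not from the article).
SAMPLE_REGISTER = [
    RiskEntry("R-001", "Customer database", "Ransomware", "Unpatched database server", "Perimeter firewall",
              4, 5, "Mitigate", "Patch cadence, offline backups", 2, 3, "Head of IT", date(2026, 7, 1)),
    RiskEntry("R-002", "Office side door", "Tailgating", "No badge reader", "Reception desk",
              2, 2, "Accept", "", 2, 2, "Facilities manager", date(2026, 7, 1)),
]
```

Running `prioritise(SAMPLE_REGISTER)` puts the Critical database risk (score 20) first; `needs_approval` flags R-002 because its Accept decision is not yet recorded as approved.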

Alignment with ISO 27005 and ENISA Guidance

This six-step methodology aligns closely with ISO 27005:2022, which provides the reference framework for information security risk management within an ISO 27001 management system. Organisations pursuing ISO 27001 certification will find that a well-executed risk assessment under this methodology satisfies the ISO 27001 Clause 6.1.2 requirements.

ENISA has published several supporting resources, including the NIS2 Implementing Guidance and the Interoperable Risk Management Framework. These resources provide sector-specific risk scenarios, threat catalogues, and control mappings that can be used to accelerate your risk assessment.

Continuous Improvement

A risk assessment is not a point-in-time exercise. NIS2 Article 21(2)(f) requires policies and procedures to assess the effectiveness of cybersecurity risk management measures. This means:

  • Reassess risks at least annually and after any significant change (new systems, organisational changes, emerging threats)
  • Monitor the effectiveness of implemented controls through KPIs and security metrics
  • Conduct tabletop exercises and simulations to test your risk scenarios
  • Update threat intelligence inputs regularly
  • Report risk assessment outcomes to management as part of the NIS2 governance cycle

A structured, documented, and regularly updated risk assessment is not merely a compliance exercise. It is the foundation of an effective cybersecurity programme that protects your organisation, your customers, and your competitive position in an increasingly hostile threat landscape.
