
NIS2 Article 21.2 a:

When risk assessment becomes fire safety, not just a folder.

I have come across many risk documents that are as neat as the fire instructions in a stairwell: framed, always pristine, and read by nobody until there is a smell of smoke. Fundamentally, NIS2 aims for the same thing as effective fire safety. Not more paperwork. It wants us to understand where fires can start, why they might start, and to be able to extinguish them in time. Article 21.2 a is the key starting point in this work.

In Sweden, the Cybersecurity Act applies from 15 January 2026, replacing the previous NIS1 legislation (Swedish Parliament, 2025a; Government, 2026). NIS2 no longer uses the NIS1 terms "operators of essential services" and "digital service providers". Instead, the directive refers directly to essential and important entities (European Union, 2022).

Robert Willborg

Co-founder and Chief Security Officer at OneMore Secure.

What Article 21 actually requires

Article 21.1 sets out the basic principle. Measures must be appropriate and proportionate, and they may be technical, operational or organisational. They should manage the risks posed to the security of network and information systems and prevent or minimise the impact of incidents. The directive also states that the state of the art, relevant European and international standards, and the cost of implementation should be taken into account, and that proportionality is judged against the entity's exposure to risk, its size, and the likelihood and severity of incidents (European Union, 2022).

Article 21.2 lists ten areas, from a to j. Point a covers policies on risk analysis and information system security. In other words, it is the foundation of fire safety. Without this policy, you risk either overreaction, making everything costly and cumbersome, or underreaction, discovering risks only once the fire has started (European Union, 2022).

What Article 21.2 a means in practice

My interpretation of Article 21.2 a is a simple but uncomfortable expectation. You should be able to demonstrate that you have a working method for risk management in everyday practice. Not just a document that exists, but a way of working that is actually used. It should be possible to trace from risk to decision, and from decision to evidence.

For certain types of entities, chiefly digital infrastructure and digital service providers such as DNS service providers, cloud computing service providers and managed service providers, the EU has further specified technical and methodological requirements in an implementing regulation. Its Annex makes clear that a policy for risk assessment alone is insufficient: it also calls for a policy on the security of network and information systems and a risk management framework that is maintained, reviewed at planned intervals and updated after significant incidents or significant changes (European Commission, 2024).

Who is covered and what size means

A common misconception is that NIS2 applies to everyone. It does not. NIS2 follows a size logic where micro and small businesses are generally excluded, but exceptions exist if an entity is deemed particularly critical or meets specific criteria (European Union, 2022). In Sweden, the starting point is to determine whether you are an operator covered by the Cybersecurity Act, which sector you belong to, and which supervisory authority applies (Swedish Parliament, 2025a; Swedish Parliament, 2025b).

How to avoid compliance theatre

Here comes my visionary yet down-to-earth part. I believe Article 21.2 a can become a lever for competitiveness if we stop treating risk as just a text genre. Risk is really a matter of judgement, speed, and capability. What we need is fire safety that makes it easier to make good decisions quickly. Not a folder that requires another folder.

It becomes especially clear to me when I see how modern regulation is evolving. The Cybersecurity Act increases leadership accountability for risk and follow-up (Swedish Civil Defence Authority, 2026). In finance, the Digital Operational Resilience Act may take precedence for incident reporting in certain areas, showing that we must understand how regulations interact in practice (Financial Supervisory Authority, 2026).

Three proposals that stay within the law

I promise not to sell more documents here. But I dare to suggest three things that often have an effect and fit within Article 21.2 a without inventing new requirements.

  • Measure risk as decision speed.

  • Practice risk as behaviour.

  • Demonstrate risk as evidence.

Measuring risk as decision speed means tracking how quickly you move from observation to decision when something changes. Practising risk as behaviour means testing your assumptions through small exercises, not only during annual reviews. Demonstrating risk as evidence means showing concrete traces of the work: that risk assessments lead to prioritisation, prioritisation leads to actions, and actions lead to measurable improvements.

Conclusion

I believe digital resilience in Europe is not built with more words. It is built with capability. Article 21.2 a is an opportunity to make risk management a practical form of fire safety. When that policy works, everything else becomes easier. Then you can also speak the same language with suppliers, management, and regulators. Not legalese for legalese's sake, but control for the sake of the business.

References

European Commission. (2024). Commission Implementing Regulation (EU) 2024/2690 laying down technical and methodological requirements… (Annex). EUR-Lex.

European Union. (2022). Directive (EU) 2022/2555 (NIS2). Official Journal of the European Union, L 333.

Financial Supervisory Authority. (2026). What applies under the new Cybersecurity Act. https://www.fi.se/

Swedish Civil Defence Authority. (2026). The Cybersecurity Act for management. https://www.mcf.se/

Government. (2026). Stricter requirements on Swedish cybersecurity (press release 15 January 2026). https://www.government.se/

Swedish Parliament. (2025a). Cybersecurity Act (2025:1506). Swedish Code of Statutes.

Swedish Parliament. (2025b). Cybersecurity Ordinance (2025:1507). Swedish Code of Statutes.
