What Article 21.2 f actually says
NIS2 Article 21.1 requires essential and important entities to take appropriate and proportionate technical, operational and organisational measures to manage the risks to the security of their network and information systems and to prevent or minimise the impact of incidents. Article 21.2 lists the minimum areas those measures must cover. Point f concerns policies and procedures to assess the effectiveness of cybersecurity risk-management measures (European Union, 2022).
Swedish implementation: no longer just an EU exercise
In Sweden, the Cybersecurity Act (2025:1506) and Cybersecurity Ordinance (2025:1507) came into force on 15 January 2026. This means that NIS2 is now a genuine supervisory and follow-up track, not a future project (Swedish Parliament, 2025a; Swedish Parliament, 2025b; Government, 2026).
The most common misconception: that 21.2 f means 'conduct penetration tests'
I want to be clear here. Article 21.2 f does not say that every entity must run penetration tests, establish a Security Operations Centre or buy a particular type of tool. It says you must be able to assess whether your risk-management measures are effective.
Penetration testing, vulnerability scanning, exercises, log reviews and recovery tests can all be good ways to do this. But what is reasonable depends on risk, size, sector and potential impact: proportionality is a consistent requirement throughout NIS2 (European Union, 2022).
Why point f represents a major cultural shift
Here's the uncomfortable truth: security that isn't measured soon becomes a story rather than a fact. It is easy to produce documents. It is harder to produce evidence.
Article 21.2 f is a demand for maturity in governance. It forces a shift from 'we have implemented' to 'we know it works'. And once you start measuring effect, you also begin to see the real costs: friction, unclear ownership and actions that were never carried out.
How 21.2 f connects with the rest of Article 21
Effectiveness assessment is the glue between ambition and reality. It ties together risk analysis (21.2 a), incident handling (21.2 b), business continuity and backup (21.2 c), supply chain security (21.2 d) and security in the acquisition, development and maintenance of systems, including vulnerability handling (21.2 e). Without point f, you can do the 'right things' on paper and still be powerless when it matters (European Union, 2022; ENISA, 2025).
Three ways to press the test button without creating a paperwork factory
I'll stick to three suggestions that are easy to explain, hard to fudge and squarely within what 21.2 f asks for.
· Measure outcomes with a few key metrics.
· Test the most important things regularly.
· Make ownership visible.
Measuring outcomes with a few key metrics means choosing robust measures that survive budget cycles and organisational changes. Examples include time to detect and time to recover from incidents, patch latency for critical vulnerabilities, and verified rollback (a restore or rollback that has actually been exercised, not just a backup that exists).
Testing the most important things regularly means prioritising what has the greatest impact. Small, recurring tests beat large one-off projects. Exercises build muscle memory.
Making ownership visible means every deviation gets a named owner, a deadline for corrective action and a follow-up. This is where control moves from concept to everyday practice.
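The three suggestions above are only useful if they produce evidence that can be checked. The script below is an added example (not from the article, and not a NIS2 requirement) showing what the evidence can look like in practice: it computes patch latency for critical vulnerabilities, median time to detect and recover, and a deviation list where every open item has an owner and a deadline. All records are constructed for illustration, and the 14-day patch SLA and 90-day restore-test window are assumed targets, not figures from the Directive.

```python
"""Effectiveness metrics for Article 21.2 f, computed over constructed sample records.

Added example: the data below is invented for illustration and the SLA values
are assumptions, not figures from the article or from NIS2.
"""
from datetime import date, datetime, timedelta
from statistics import median

# Assumed targets (hypothetical; set your own based on risk and proportionality).
CRITICAL_PATCH_SLA_DAYS = 14      # critical vulnerabilities patched within 14 days
RESTORE_TEST_MAX_AGE_DAYS = 90    # every key system needs a verified restore this recent

# Constructed vulnerability tickets: 'patched' is None while the ticket is open.
VULNS = [
    {"id": "V-1", "severity": "critical", "published": "2026-01-05", "patched": "2026-01-12", "owner": "platform", "due": "2026-01-19"},
    {"id": "V-2", "severity": "critical", "published": "2026-01-02", "patched": "2026-01-25", "owner": "platform", "due": "2026-01-16"},
    {"id": "V-3", "severity": "high",     "published": "2026-01-08", "patched": "2026-01-20", "owner": "apps",     "due": "2026-02-07"},
    {"id": "V-4", "severity": "critical", "published": "2026-01-20", "patched": None,         "owner": "network",  "due": "2026-02-03"},
    {"id": "V-5", "severity": "critical", "published": "2026-02-01", "patched": None,         "owner": None,       "due": "2026-02-15"},
]

# Constructed incident timeline (ISO timestamps, local time).
INCIDENTS = [
    {"id": "I-1", "started": "2026-01-10T02:00", "detected": "2026-01-10T06:30", "recovered": "2026-01-10T14:00"},
    {"id": "I-2", "started": "2026-01-22T09:00", "detected": "2026-01-22T09:15", "recovered": "2026-01-22T11:15"},
    {"id": "I-3", "started": "2026-02-03T20:00", "detected": "2026-02-04T08:00", "recovered": "2026-02-04T17:00"},
]

# Constructed restore tests: a backup only counts once a restore has been verified.
RESTORE_TESTS = [
    {"system": "erp-db", "date": "2026-01-20", "verified": True,  "owner": "platform"},
    {"system": "crm",    "date": "2025-10-01", "verified": True,  "owner": "apps"},
    {"system": "hr",     "date": "2026-02-01", "verified": False, "owner": "apps"},
]


def _d(s):
    return date.fromisoformat(s)


def _hours(a, b):
    return (datetime.fromisoformat(b) - datetime.fromisoformat(a)).total_seconds() / 3600


def patch_latency(vulns, severity="critical"):
    """Days from publication to patch for closed tickets of the given severity."""
    return {v["id"]: (_d(v["patched"]) - _d(v["published"])).days
            for v in vulns if v["severity"] == severity and v["patched"]}


def sla_breaches(vulns, sla_days=CRITICAL_PATCH_SLA_DAYS):
    """Closed critical tickets that took longer than the SLA (a historical signal, not an open item)."""
    return sorted(vid for vid, days in patch_latency(vulns).items() if days > sla_days)


def detection_and_recovery(incidents):
    """Median time to detect (start->detected) and to recover (detected->recovered), in hours."""
    ttd = [_hours(i["started"], i["detected"]) for i in incidents]
    ttr = [_hours(i["detected"], i["recovered"]) for i in incidents]
    return {"median_ttd_hours": median(ttd), "median_ttr_hours": median(ttr)}


def open_deviations(vulns, restore_tests, today):
    """Every open deviation with an owner and a deadline; missing owners are flagged, not hidden."""
    today = _d(today)
    out = []
    for v in vulns:
        if v["severity"] == "critical" and not v["patched"]:
            out.append({"item": v["id"], "kind": "unpatched critical",
                        "owner": v["owner"] or "UNASSIGNED", "due": v["due"],
                        "overdue_days": max(0, (today - _d(v["due"])).days)})
    for t in restore_tests:
        age = (today - _d(t["date"])).days
        if not t["verified"]:
            # A failed restore is due for a fix immediately; overdue since the test date.
            kind, due, overdue = "restore test failed", t["date"], age
        elif age > RESTORE_TEST_MAX_AGE_DAYS:
            # A stale restore test is due at the end of the allowed window.
            due = (_d(t["date"]) + timedelta(days=RESTORE_TEST_MAX_AGE_DAYS)).isoformat()
            kind, overdue = f"restore unverified for {age} days", age - RESTORE_TEST_MAX_AGE_DAYS
        else:
            continue
        out.append({"item": t["system"], "kind": kind, "owner": t["owner"] or "UNASSIGNED",
                    "due": due, "overdue_days": overdue})
    return out


def effectiveness_report(today):
    """The evidence a 21.2 f review asks for: numbers, breaches and who owns what."""
    return {
        "critical_patch_latency_days": patch_latency(VULNS),
        "critical_sla_breaches": sla_breaches(VULNS),
        **detection_and_recovery(INCIDENTS),
        "deviations": open_deviations(VULNS, RESTORE_TESTS, today),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(effectiveness_report("2026-02-10"), indent=2))
```

Run as is, the report shows one historical SLA breach (V-2), one overdue critical ticket with a named owner (V-4), one open ticket with no owner at all (V-5, surfaced as UNASSIGNED rather than silently dropped), one system whose last verified restore is too old and one whose restore test failed. That last list is the point of the third suggestion: a deviation without an owner and a date is not evidence that the measure works, it is evidence that nobody is looking.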
A brief note on small businesses
NIS2 does not cover everyone. Under its size-cap rule, micro and small enterprises generally fall outside scope, with exceptions for entities that are critical regardless of size. But even organisations that are not formally covered often face the requirements indirectly through customers and suppliers, typically as supply chain requirements flowing down from an entity that is in scope (21.2 d). In such cases, point f remains relevant: being able to show that what you do actually works.
Final thoughts
Article 21.2 f is fundamentally a call for honesty. Not moral honesty, but operational. Either the measures work, or they don't. The test button reveals the truth.
Once measuring and testing become a habit, something positive happens. Security stops being a cost to justify. It becomes a capability to demonstrate. And that's exactly where NIS2 wants us to be.
References
ENISA. (2025). Technical implementation guidance on cybersecurity risk management measures (Version 1.0). European Union Agency for Cybersecurity.
European Union. (2022). Directive (EU) 2022/2555 (NIS2). Official Journal of the European Union, L 333.
Government. (2026). Cybersecurity: the new Cybersecurity Act and Cybersecurity Ordinance came into effect on 15 January 2026.
Swedish Parliament. (2025a). Cybersecurity Act (2025:1506). Swedish Code of Statutes.
Swedish Parliament. (2025b). Cybersecurity Ordinance (2025:1507). Swedish Code of Statutes.