AuditFront

NIS2 Art.21.2f: Cybersecurity Measures Effectiveness Assessment

What This Control Requires

The measures referred to in paragraph 1 shall include at least the following: (f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures.

In Plain Language

Having security controls on paper means nothing if you never check whether they actually work. This control demands a structured approach to proving your defences are genuinely reducing risk, not just ticking boxes.

Effectiveness assessment takes many forms: internal and external audits, penetration testing, red team exercises, security metrics and KPI tracking, compliance reviews, and management reviews. What matters is that the process is repeatable and evidence-based.

Think of it as a feedback loop for continuous improvement. When an assessment reveals a control is underperforming, you fix it. Results feed back into your risk management framework, updating risk assessments, control priorities, and resource allocation. Without this cycle, you are operating on assumptions - and assumptions are where breaches happen.

How to Implement

Write a cybersecurity effectiveness assessment policy that spells out which assessments you will run, how often, what they cover, and who is responsible. Get senior management sign-off.

Build an internal audit programme covering all major control areas over a one-to-three year cycle. Auditors need both cybersecurity competence and independence from the teams they are reviewing.

Schedule penetration testing of critical systems and applications at least annually. Internet-facing systems warrant more frequent tests, especially after significant changes. Consider red team exercises too - they test your detection and response capabilities, not just technical vulnerabilities.

Define cybersecurity KPIs that genuinely tell you something useful. Good examples include mean time to detect (MTTD) and mean time to respond (MTTR), vulnerability remediation rates against your SLAs, phishing simulation click rates, percentage of systems meeting security baselines, and audit finding closure rates.

Run management reviews at least annually. These should pull together audit results, pen test findings, incident trends, metric performance, regulatory changes, and emerging threats into a single picture of programme health.

Put a corrective action process in place for every assessment finding. Assign an owner, a remediation plan, and a target date. Track each action to completion and verify it actually worked.

External certifications like ISO 27001 or SOC 2 provide independent assurance and can simplify your NIS2 compliance story considerably.
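The KPIs listed above are only useful if they are computed consistently from the same records every reporting period. As an added illustration, not part of the original page and not AuditFront's code, the Python below computes four of them (MTTD, MTTR, remediation rate against SLA, and audit finding closure rate) from constructed sample incident and finding records. The SLA thresholds per severity are assumed values; set them from your own policy. Note how an open finding that is already past its SLA deadline is counted against you, while an open finding still inside its window is excluded rather than silently counted as a pass.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Constructed sample records (not real incident data). All timestamps UTC.
@dataclass
class Incident:
    ident: str
    occurred: datetime   # when malicious activity began (from forensics)
    detected: datetime   # when it was first alerted and triaged
    contained: datetime  # when response contained it

@dataclass
class Finding:
    ident: str
    severity: str              # "critical" | "high" | "medium" | "low"
    opened: datetime
    closed: Optional[datetime]  # None while still open

# Assumed remediation SLA in days per severity (hypothetical policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

INCIDENTS = [
    Incident("INC-1", datetime(2024, 3, 1, 8), datetime(2024, 3, 1, 12), datetime(2024, 3, 1, 18)),
    Incident("INC-2", datetime(2024, 3, 10), datetime(2024, 3, 12), datetime(2024, 3, 12, 10)),
]

FINDINGS = [
    Finding("F-1", "critical", datetime(2024, 3, 1), datetime(2024, 3, 5)),   # closed inside SLA
    Finding("F-2", "critical", datetime(2024, 3, 1), datetime(2024, 3, 12)),  # closed late
    Finding("F-3", "high", datetime(2024, 3, 1), None),                       # open and overdue
    Finding("F-4", "medium", datetime(2024, 3, 20), None),                    # open, still inside SLA
    Finding("F-5", "low", datetime(2024, 2, 1), datetime(2024, 3, 1)),        # closed inside SLA
]

AS_OF = datetime(2024, 4, 1)  # reporting date for the constructed data


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def mttd_hours(incidents) -> float:
    """Mean time to detect: occurrence -> detection, in hours."""
    return mean(hours(i.detected - i.occurred) for i in incidents)


def mttr_hours(incidents) -> float:
    """Mean time to respond: detection -> containment, in hours."""
    return mean(hours(i.contained - i.detected) for i in incidents)


def sla_compliance(findings, as_of: datetime) -> float:
    """Fraction of assessable findings remediated within their SLA.

    Closed findings are judged on their close date. Open findings past
    their deadline count as breaches; open findings still within the
    window are not yet assessable and are excluded from the denominator.
    """
    met = total = 0
    for f in findings:
        deadline = f.opened + timedelta(days=SLA_DAYS[f.severity])
        if f.closed is not None:
            total += 1
            met += f.closed <= deadline
        elif as_of > deadline:
            total += 1  # overdue and unresolved: counts against the rate
    return met / total if total else 1.0


def closure_rate(findings) -> float:
    """Share of all findings that have been closed, regardless of SLA."""
    if not findings:
        return 1.0
    return sum(1 for f in findings if f.closed is not None) / len(findings)


def kpi_report(incidents, findings, as_of: datetime) -> dict:
    """Single snapshot suitable for a management review pack."""
    return {
        "mttd_hours": mttd_hours(incidents),
        "mttr_hours": mttr_hours(incidents),
        "sla_compliance": sla_compliance(findings, as_of),
        "finding_closure_rate": closure_rate(findings),
    }


if __name__ == "__main__":
    for name, value in kpi_report(INCIDENTS, FINDINGS, AS_OF).items():
        print(f"{name}: {value:.2f}")
```

The report function returns plain numbers so the same snapshot can be stored each period and trended; a dashboard that only shows the current value hides whether the corrective action process is actually closing the gap.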

Evidence Your Auditor Will Request

  • Cybersecurity effectiveness assessment policy and schedule
  • Internal and external audit reports with findings and corrective actions
  • Penetration testing reports and remediation evidence
  • Cybersecurity metrics dashboard or KPI reports
  • Management review minutes showing assessment of security programme effectiveness

Common Mistakes

  • Assessments are conducted but findings are not tracked through to remediation
  • Penetration tests only cover a narrow scope, missing critical systems
  • Metrics are collected but not analysed or used to drive improvements
  • Internal auditors lack cybersecurity expertise or independence
  • Management reviews do not consider the full range of assessment inputs

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.35        Related
ISO 27001    A.5.36        Related
SOC 2        CC4.1         Related

Frequently Asked Questions

How often should penetration tests be conducted?

At a minimum, annually for critical systems and applications. Internet-facing systems and anything handling sensitive data should be tested more often - particularly after major releases or significant infrastructure changes. Continuous automated security testing is a great supplement to periodic manual pen tests, but it does not replace them.

Can we use automated tools instead of manual assessments?

Automated tools like vulnerability scanners, compliance checkers, and SAST/DAST are brilliant for continuous monitoring, but they should complement manual assessments rather than replace them. Penetration testing, red team exercises, and audit interviews surface insights that automated tools simply cannot. The most effective approach combines both.
