AuditFront

NIS2 Art.21.3: Proportionality of Security Measures

What This Control Requires

When considering which measures referred to in paragraph 2 are appropriate, entities shall take account of their degree of exposure to risks, their size, the likelihood of occurrence of incidents and their severity, including their societal and economic impact.

In Plain Language

Not every organisation needs the same level of security investment. NIS2 builds in a proportionality principle: you calibrate your controls based on your risk exposure, size, incident likelihood and severity, and the potential societal and economic impact if things go wrong.

This works in both directions. A smaller entity with limited risk exposure can implement lighter-weight versions of the required measures. A critical infrastructure operator whose failure could affect millions needs significantly more rigorous controls. But proportionality is not a loophole - it is a framework for making rational, defensible decisions about how much security is enough.

The catch is that you must be able to justify your choices. That means documenting why you implemented each measure at a particular level, what alternatives you considered, and how you evaluated the risk factors. Expect national authorities to challenge your reasoning during supervisory activities.

How to Implement

Start with a formal proportionality assessment that explicitly evaluates each factor from Art.21.3 for your organisation:

  • Risk exposure: sector, internet-facing services, threat landscape
  • Organisational size: headcount, revenue, infrastructure scale
  • Incident likelihood: historical data, threat intelligence, sector-specific risk profiles
  • Incident severity: service disruption, data compromise, cascading effects
  • Societal and economic impact: effect on essential services, number of affected users, economic consequences

Use this assessment to set your overall security posture requirements. Map each NIS2 control area to a proportionate implementation level. A small essential entity might manage risk through a streamlined process with quarterly reviews, while a large critical infrastructure operator needs a dedicated risk team with continuous monitoring.

For each major control area, document the proportionality decision: which risk factors you considered, which control options you evaluated, the implementation level you chose and why, and any compensating controls where you opted for a lighter approach.

Benchmark against sector-specific guidance from ENISA and your national competent authority. Many sectors are developing codes of conduct and baseline requirements that help define what proportionate looks like in your context.

Revisit proportionality assessments annually or whenever your risk profile, size, or the threat landscape shifts significantly. What was proportionate last year may not hold if you have grown, taken on new critical services, or the threat environment has changed.

Keep your assessments grounded in current, accurate information. A static assessment built on outdated assumptions will not withstand scrutiny.

Evidence Your Auditor Will Request

  • Documented proportionality assessment covering all required factors
  • Risk exposure analysis specific to the organisation's sector and operations
  • Rationale documentation for the chosen implementation level of each control area
  • Benchmarking against sector-specific guidance or peer organisations
  • Annual review records of proportionality assessments

Common Mistakes

  • Proportionality used as justification for minimal security investment without proper analysis
  • No documented rationale for proportionality decisions, making them indefensible during audits
  • Assessment does not consider societal and economic impact, only direct organisational impact
  • Proportionality assessment performed once and never updated as the organisation evolves
  • Failure to consider sector-specific guidance when determining proportionate measures

Related Controls Across Frameworks

Framework   Control ID   Relationship
ISO 27001   A.5.1        Related
SOC 2       CC3.1        Related

Frequently Asked Questions

Can a small organisation use proportionality to avoid implementing certain controls entirely?

No. Article 21.2 sets out minimum measures that every in-scope entity must implement. Proportionality governs the depth and rigour of implementation, not whether a control area is addressed. You must cover all listed areas but can scale the effort to match your size and risk profile.

How do we know if our proportionality assessment will satisfy regulators?

Document your reasoning thoroughly, use recognised risk assessment methodologies, reference sector-specific guidance, and benchmark against industry peers. Regulators want to see evidence of a thoughtful, risk-based approach rather than a specific checkbox list. Engaging with your national competent authority or industry groups early on can help you calibrate expectations.
