NIS2 Art.21.4: European Cybersecurity Certification Schemes
What This Control Requires
Member States shall ensure that, where an entity finds that it does not comply with the measures provided for in paragraph 2, it takes, without undue delay, all necessary, appropriate and proportionate corrective measures. The Commission may adopt implementing acts in order to lay down technical and methodological requirements of the measures referred to in paragraph 2, with regard to essential entities.
In Plain Language
When you find a gap in your NIS2 compliance, you cannot sit on it. The directive requires corrective action "without undue delay" - meaning you need a process that moves from identification to remediation quickly and demonstrably.
The EU is also building European cybersecurity certification schemes through ENISA and the European Cybersecurity Certification Framework (ECCF). These will offer standardised ways to prove that your products, services, and processes meet defined security requirements. Not all schemes are mandatory, but they provide a credible path to demonstrating compliance.
Importantly, the Commission can adopt implementing acts that set specific technical and methodological requirements for the measures in Art.21.2, particularly for essential entities. This means the compliance bar may rise over time. Organisations should keep a close eye on regulatory developments and be ready to adjust.
How to Implement
Set up a non-compliance management process. This should include regular self-assessments against NIS2 requirements, a gap register tracking all identified issues, remediation plans with assigned owners and target dates, and escalation procedures for significant gaps.
Define what "without undue delay" means in practical terms for your organisation. Take a risk-based approach: critical gaps affecting essential services should be addressed within days, while lower-risk issues can be remediated over weeks. Document and justify your timelines.
Track the development of European cybersecurity certification schemes relevant to your sector. Key ones to watch include EUCC (European Common Criteria), EUCS (Cloud Services), and sector-specific schemes as they emerge. Assess whether certification under these schemes would strengthen your compliance position.
Leverage existing internationally recognised certifications as a foundation. ISO 27001, SOC 2 Type II, and sector-specific standards provide substantial evidence of compliance with Art.21 measures, though they will not cover every NIS2-specific requirement on their own.
Establish a regulatory monitoring function that tracks NIS2 implementing acts, ENISA guidance, your Member State's national transposition legislation, and sector-specific requirements and codes of conduct.
Engage proactively with your national competent authority and join sector-specific information sharing groups. This demonstrates good faith and gives you early visibility of where requirements are heading.
Document every corrective action from identification through to resolution, with timestamps. This evidence trail is what proves you can respond without undue delay.
Evidence Your Auditor Will Request
- Non-compliance gap register with remediation plans and status tracking
- Self-assessment records against NIS2 requirements
- Corrective action records with timestamps showing timely remediation
- Relevant cybersecurity certifications (ISO 27001, SOC 2, etc.)
- Evidence of regulatory monitoring and response to new requirements
Common Mistakes
- Non-compliance issues identified but remediation deferred indefinitely due to resource constraints
- No systematic process for identifying compliance gaps; reliance on ad-hoc discovery
- Failure to monitor evolving NIS2 implementing acts and adjust programmes accordingly
- Certification pursued as a checkbox exercise without genuine security improvement
- No engagement with national competent authority or sector-specific guidance