← Frameworks / Regulatory

EU Directive 2022/2555 on Network and Information Security

EU-wide cybersecurity legislation requiring essential and important entities to implement risk-management measures, report significant incidents, and submit to supervisory oversight. Covers 10 mandatory security domains under Article 21 including incident handling, business continuity, supply chain security, and cryptography.

Clauses: 14

Avg Coverage: 79.6%

Publisher: European Union Version: 2022/2555

NIS2 Directive → SP 800-53 SP 800-53 → NIS2 Directive Coverage Analysis

Clause	Title	SP 800-53 Controls
Art. 21(2)(a)	Policies on risk analysis and information system security	PM-01 PM-09 RA-01 RA-03 PL-01 PL-09 PL-10 PL-11 RA-07
Art. 21(2)(b)	Incident handling	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09
Art. 21(2)(c)	Business continuity, such as backup management and disaster recovery, and crisis management	CP-01 CP-02 CP-03 CP-04 CP-06 CP-07 CP-08 CP-09 CP-10 SC-24 SI-17
Art. 21(2)(d)	Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers	SR-01 SR-02 SR-03 SR-05 SR-06 SA-04 SA-09 SA-21
Art. 21(2)(e)	Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure	SA-03 SA-04 SA-08 SA-10 SA-11 RA-05 SI-02 SA-20 CM-14
Art. 21(2)(f)	Policies and procedures to assess the effectiveness of cybersecurity risk-management measures	CA-02 CA-07 PM-06 CA-08 RA-09
Art. 21(2)(g)	Basic cyber hygiene practices and cybersecurity training	AT-01 AT-02 AT-03 PM-13 CM-02 CM-06 CM-07 SI-02 AT-06
Art. 21(2)(h)	Policies and procedures regarding the use of cryptography and, where appropriate, encryption	SC-12 SC-13 SC-28 SC-08 SC-40
Art. 21(2)(i)	Human resources security, access control policies and asset management	PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 PS-08 AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 AC-07 AC-08 AC-09 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-20 AC-21 AC-22 AC-23 AC-24 AC-25 CM-08 PM-05 PS-09 CM-12
Art. 21(2)(j)	The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate	CP-08 IA-02 IR-04 SC-08 SC-13 SC-37 SC-47
Art. 23	Reporting obligations (early warning within 24h, incident notification within 72h, final report within one month)	IR-06 IR-07 IR-09
Art. 24	Use of European cybersecurity certification schemes	SA-04 CA-02
Art. 29	Cybersecurity information-sharing arrangements	PM-15 PM-16 IR-06
Art. 32	Supervisory and enforcement measures for essential entities	CA-02 CA-07 PM-06