
EU Directive 2022/2555 on Network and Information Security

EU-wide cybersecurity legislation requiring essential and important entities to implement risk-management measures, report significant incidents, and submit to supervisory oversight. Covers 10 mandatory security domains under Article 21 including incident handling, business continuity, supply chain security, and cryptography.

Controls: 105
Total Mappings: 120
Publisher: European Union
Version: 2022/2555

AC Access Control

| Control | Name | NIS2 Directive References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | Art. 21(2)(i) |
| AC-02 | Account Management | Art. 21(2)(i) |
| AC-03 | Access Enforcement | Art. 21(2)(i) |
| AC-04 | Information Flow Enforcement | Art. 21(2)(i) |
| AC-05 | Separation Of Duties | Art. 21(2)(i) |
| AC-06 | Least Privilege | Art. 21(2)(i) |
| AC-07 | Unsuccessful Login Attempts | Art. 21(2)(i) |
| AC-08 | System Use Notification | Art. 21(2)(i) |
| AC-09 | Previous Logon Notification | Art. 21(2)(i) |
| AC-10 | Concurrent Session Control | Art. 21(2)(i) |
| AC-11 | Session Lock | Art. 21(2)(i) |
| AC-12 | Session Termination | Art. 21(2)(i) |
| AC-13 | Supervision And Review -- Access Control | Art. 21(2)(i) |
| AC-14 | Permitted Actions Without Identification Or Authentication | Art. 21(2)(i) |
| AC-15 | Automated Marking | Art. 21(2)(i) |
| AC-16 | Automated Labeling | Art. 21(2)(i) |
| AC-17 | Remote Access | Art. 21(2)(i) |
| AC-18 | Wireless Access Restrictions | Art. 21(2)(i) |
| AC-19 | Access Control For Portable And Mobile Devices | Art. 21(2)(i) |
| AC-20 | Use Of External Information Systems | Art. 21(2)(i) |
| AC-21 | Information Sharing | Art. 21(2)(i) |
| AC-22 | Publicly Accessible Content | Art. 21(2)(i) |
| AC-23 | Data Mining Protection | Art. 21(2)(i) |
| AC-24 | Access Control Decisions | Art. 21(2)(i) |
| AC-25 | Reference Monitor | Art. 21(2)(i) |

AT Awareness and Training

| Control | Name | NIS2 Directive References |
|---|---|---|
| AT-01 | Security Awareness And Training Policy And Procedures | Art. 21(2)(g) |
| AT-02 | Security Awareness | Art. 21(2)(g) |
| AT-03 | Security Training | Art. 21(2)(g) |
| AT-06 | Training Feedback | Art. 21(2)(g) |

CA Security Assessment and Authorization

| Control | Name | NIS2 Directive References |
|---|---|---|
| CA-02 | Security Assessments | Art. 21(2)(f); Art. 24; Art. 32 |
| CA-07 | Continuous Monitoring | Art. 21(2)(f); Art. 32 |
| CA-08 | Penetration Testing | Art. 21(2)(f) |

CM Configuration Management

| Control | Name | NIS2 Directive References |
|---|---|---|
| CM-02 | Baseline Configuration | Art. 21(2)(g) |
| CM-06 | Configuration Settings | Art. 21(2)(g) |
| CM-07 | Least Functionality | Art. 21(2)(g) |
| CM-08 | Information System Component Inventory | Art. 21(2)(i) |
| CM-12 | Information Location | Art. 21(2)(i) |
| CM-14 | Signed Components | Art. 21(2)(e) |

CP Contingency Planning

| Control | Name | NIS2 Directive References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | Art. 21(2)(c) |
| CP-02 | Contingency Plan | Art. 21(2)(c) |
| CP-03 | Contingency Training | Art. 21(2)(c) |
| CP-04 | Contingency Plan Testing And Exercises | Art. 21(2)(c) |
| CP-06 | Alternate Storage Site | Art. 21(2)(c) |
| CP-07 | Alternate Processing Site | Art. 21(2)(c) |
| CP-08 | Telecommunications Services | Art. 21(2)(c); Art. 21(2)(j) |
| CP-09 | Information System Backup | Art. 21(2)(c) |
| CP-10 | Information System Recovery And Reconstitution | Art. 21(2)(c) |

IA Identification and Authentication

| Control | Name | NIS2 Directive References |
|---|---|---|
| IA-02 | User Identification And Authentication | Art. 21(2)(j) |

IR Incident Response

| Control | Name | NIS2 Directive References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | Art. 21(2)(b) |
| IR-02 | Incident Response Training | Art. 21(2)(b) |
| IR-03 | Incident Response Testing And Exercises | Art. 21(2)(b) |
| IR-04 | Incident Handling | Art. 21(2)(b); Art. 21(2)(j) |
| IR-05 | Incident Monitoring | Art. 21(2)(b) |
| IR-06 | Incident Reporting | Art. 21(2)(b); Art. 23; Art. 29 |
| IR-07 | Incident Response Assistance | Art. 21(2)(b); Art. 23 |
| IR-08 | Incident Response Plan | Art. 21(2)(b) |
| IR-09 | Information Spillage Response | Art. 21(2)(b); Art. 23 |

PL Planning

| Control | Name | NIS2 Directive References |
|---|---|---|
| PL-01 | Security Planning Policy And Procedures | Art. 21(2)(a) |
| PL-09 | Central Management | Art. 21(2)(a) |
| PL-10 | Baseline Selection | Art. 21(2)(a) |
| PL-11 | Baseline Tailoring | Art. 21(2)(a) |

PM Program Management

| Control | Name | NIS2 Directive References |
|---|---|---|
| PM-01 | Information Security Program Plan | Art. 21(2)(a) |
| PM-05 | System Inventory | Art. 21(2)(i) |
| PM-06 | Measures of Performance | Art. 21(2)(f); Art. 32 |
| PM-09 | Risk Management Strategy | Art. 21(2)(a) |
| PM-13 | Security and Privacy Workforce | Art. 21(2)(g) |
| PM-15 | Security and Privacy Groups and Associations | Art. 29 |
| PM-16 | Threat Awareness Program | Art. 29 |

PS Personnel Security

| Control | Name | NIS2 Directive References |
|---|---|---|
| PS-01 | Personnel Security Policy And Procedures | Art. 21(2)(i) |
| PS-02 | Position Categorization | Art. 21(2)(i) |
| PS-03 | Personnel Screening | Art. 21(2)(i) |
| PS-04 | Personnel Termination | Art. 21(2)(i) |
| PS-05 | Personnel Transfer | Art. 21(2)(i) |
| PS-06 | Access Agreements | Art. 21(2)(i) |
| PS-07 | Third-Party Personnel Security | Art. 21(2)(i) |
| PS-08 | Personnel Sanctions | Art. 21(2)(i) |
| PS-09 | Position Descriptions | Art. 21(2)(i) |

RA Risk Assessment

| Control | Name | NIS2 Directive References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | Art. 21(2)(a) |
| RA-03 | Risk Assessment | Art. 21(2)(a) |
| RA-05 | Vulnerability Scanning | Art. 21(2)(e) |
| RA-07 | Risk Response | Art. 21(2)(a) |
| RA-09 | Criticality Analysis | Art. 21(2)(f) |

SA System and Services Acquisition

| Control | Name | NIS2 Directive References |
|---|---|---|
| SA-03 | Life Cycle Support | Art. 21(2)(e) |
| SA-04 | Acquisitions | Art. 21(2)(d); Art. 21(2)(e); Art. 24 |
| SA-08 | Security Engineering Principles | Art. 21(2)(e) |
| SA-09 | External Information System Services | Art. 21(2)(d) |
| SA-10 | Developer Configuration Management | Art. 21(2)(e) |
| SA-11 | Developer Security Testing | Art. 21(2)(e) |
| SA-20 | Customized Development of Critical Components | Art. 21(2)(e) |
| SA-21 | Developer Screening | Art. 21(2)(d) |

SC System and Communications Protection

| Control | Name | NIS2 Directive References |
|---|---|---|
| SC-08 | Transmission Integrity | Art. 21(2)(h); Art. 21(2)(j) |
| SC-12 | Cryptographic Key Establishment And Management | Art. 21(2)(h) |
| SC-13 | Use Of Cryptography | Art. 21(2)(h); Art. 21(2)(j) |
| SC-24 | Fail in Known State | Art. 21(2)(c) |
| SC-28 | Protection of Information at Rest | Art. 21(2)(h) |
| SC-37 | Out-of-band Channels | Art. 21(2)(j) |
| SC-40 | Wireless Link Protection | Art. 21(2)(h) |
| SC-47 | Alternate Communications Paths | Art. 21(2)(j) |

SI System and Information Integrity

| Control | Name | NIS2 Directive References |
|---|---|---|
| SI-02 | Flaw Remediation | Art. 21(2)(e); Art. 21(2)(g) |
| SI-17 | Fail-safe Procedures | Art. 21(2)(c) |

SR Supply Chain Risk Management

| Control | Name | NIS2 Directive References |
|---|---|---|
| SR-01 | Policy and Procedures | Art. 21(2)(d) |
| SR-02 | Supply Chain Risk Management Plan | Art. 21(2)(d) |
| SR-03 | Supply Chain Controls and Processes | Art. 21(2)(d) |
| SR-05 | Acquisition Strategies, Tools, and Methods | Art. 21(2)(d) |
| SR-06 | Supplier Assessments and Reviews | Art. 21(2)(d) |