← Frameworks / NIS2 Directive / Coverage Analysis

EU Directive 2022/2555 on Network and Information Security — SP 800-53 Coverage

How well do NIST SP 800-53 Rev 5 controls address each NIS2 Directive requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.

Clauses: 14
Avg Coverage: 79.6%
Publisher: European Union
Coverage Distribution
Full (85-100%): 9 Substantial (65-84%): 2 Partial (40-64%): 3 Weak (1-39%): 0
NIS2 Directive → SP 800-53 SP 800-53 → NIS2 Directive Coverage Analysis

Clause-by-Clause Analysis

Sorted by clause
Art. 21(2)(a) Policies on risk analysis and information system security
PM-01 PM-09 RA-01 RA-03 +5
88%

Rationale

PM-01 security program; PM-09 risk management strategy; RA-01/RA-03 risk assessment; PL-01 security planning. PL-09 (new in Rev 5) central management enables unified policy governance. PL-10 (new in Rev 5) baseline selection and PL-11 (new in Rev 5) baseline tailoring provide systematic control selection aligned with risk analysis. RA-07 (new in Rev 5) risk response ensures risk analysis leads to structured treatment actions.

Gaps

Minor: PL-09/PL-10/PL-11/RA-07 significantly strengthen the governance-risk-treatment cycle. NIS2 requires policies at both entity and system level, now well addressed.

Mapped Controls

PM-01 PM-09 RA-01 RA-03 PL-01 PL-09 PL-10 PL-11 RA-07
Art. 21(2)(b) Incident handling
IR-01 IR-02 IR-03 IR-04 +5
92%

Rationale

IR family comprehensively covers incident handling. IR-09 (new in Rev 5) information spillage response adds specific procedures for data exposure incidents, strengthening NIS2 incident handling for data breach scenarios.

Gaps

Minor: IR-09 adds spillage-specific response. NIS2 requires specific notification timelines (24h early warning, 72h notification) which are EU regulatory requirements supplementing SP 800-53.

Mapped Controls

IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09
Art. 21(2)(c) Business continuity, such as backup management and disaster recovery, and crisis management
CP-01 CP-02 CP-03 CP-04 +7
87%

Rationale

CP family comprehensive for business continuity and disaster recovery. SC-24 (new in Rev 5) fail in known state ensures systems preserve security during failures, supporting crisis scenarios. SI-17 (new in Rev 5) fail-safe procedures provide additional failure handling for critical infrastructure.

Gaps

Minor: SC-24/SI-17 strengthen crisis management by addressing failure modes. NIS2 'crisis management' extends beyond IT recovery to organizational crisis response; SP 800-53 focuses on IT contingency.

Mapped Controls

CP-01 CP-02 CP-03 CP-04 CP-06 CP-07 CP-08 CP-09 CP-10 SC-24 SI-17
Art. 21(2)(d) Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
SR-01 SR-02 SR-03 SR-05 +4
87%

Rationale

SR family supply chain risk management; SA-04 acquisition; SA-09 external services. SA-21 (new in Rev 5) developer screening adds personnel vetting for supplier development teams, strengthening supply chain human risk management.

Gaps

Minor: SA-21 improves supplier personnel assurance. NIS2 requires supply chain risk assessment considering each supplier; SP 800-53 SR family covers supply chain comprehensively.

Mapped Controls

SR-01 SR-02 SR-03 SR-05 SR-06 SA-04 SA-09 SA-21
Art. 21(2)(e) Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
SA-03 SA-04 SA-08 SA-10 +5
92%

Rationale

SA family development security; RA-05 vulnerability management; SI-02 flaw remediation. SA-20 (new in Rev 5) customized critical component development addresses high-assurance development. CM-14 (new in Rev 5) signed components ensures software integrity through cryptographic verification.

Gaps

Minimal gap. SA-20/CM-14 strengthen development integrity. SP 800-53 is comprehensive for acquisition, development, maintenance, and vulnerability management.

Mapped Controls

SA-03 SA-04 SA-08 SA-10 SA-11 RA-05 SI-02 SA-20 CM-14
Art. 21(2)(f) Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
CA-02 CA-07 PM-06 CA-08 +1
87%

Rationale

CA-02 security assessments; CA-07 continuous monitoring; PM-06 performance; CA-08 penetration testing. RA-09 (new in Rev 5) criticality analysis enables risk-prioritized effectiveness assessment of critical components.

Gaps

Minor: RA-09 enables prioritized assessment based on component criticality. NIS2 effectiveness assessment requirements are well addressed.

Mapped Controls

CA-02 CA-07 PM-06 CA-08 RA-09
Art. 21(2)(g) Basic cyber hygiene practices and cybersecurity training
AT-01 AT-02 AT-03 PM-13 +5
92%

Rationale

AT family training; CM family configuration hygiene; SI-02 patching. AT-06 (new in Rev 5) training feedback measures training effectiveness and enables continuous improvement of cyber hygiene training programs.

Gaps

Minimal gap. AT-06 strengthens training measurement. SP 800-53 covers both training and cyber hygiene practices comprehensively.

Mapped Controls

AT-01 AT-02 AT-03 PM-13 CM-02 CM-06 CM-07 SI-02 AT-06
Art. 21(2)(h) Policies and procedures regarding the use of cryptography and, where appropriate, encryption
SC-12 SC-13 SC-28 SC-08 +1
92%

Rationale

SC-12 key management; SC-13 cryptographic protection; SC-28 encryption at rest; SC-08 encryption in transit. SC-40 (new in Rev 5) wireless link protection adds cryptographic protection for wireless communications.

Gaps

Minimal gap. SC-40 extends cryptographic coverage to wireless links.

Mapped Controls

SC-12 SC-13 SC-28 SC-08 SC-40
Art. 21(2)(i) Human resources security, access control policies and asset management
PS-01 PS-02 PS-03 PS-04 +33
92%

Rationale

PS family personnel security; AC family access control; CM-08/PM-05 asset management. PS-09 (new in Rev 5) position descriptions formalizes security in roles. CM-12 (new in Rev 5) information location strengthens asset management by tracking where information resides.

Gaps

Minimal gap. PS-09/CM-12 improve role definition and asset tracking. SP 800-53 comprehensively covers HR security, access control, and asset management.

Mapped Controls

PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 PS-08 AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 AC-07 AC-08 AC-09 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-20 AC-21 AC-22 AC-23 AC-24 AC-25 CM-08 PM-05 PS-09 CM-12
Art. 21(2)(j) The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate
CP-08 IA-02 IR-04 SC-08 +3
83%

Rationale

IA-02(1)/(2) MFA; SC-08 secure communications; CP-08 telecommunications; IR-04 incident communications. SC-37 (new in Rev 5) out-of-band channels provides alternative secure communication paths for emergency use. SC-47 (new in Rev 5) alternate communications protocols provides backup communication methods.

Gaps

SC-37/SC-47 significantly improve emergency communication coverage by providing out-of-band and alternate communication capabilities. NIS2 secured voice/video/text requirements are now better addressed but integrated secure communications platform requirements remain partially covered.

Mapped Controls

CP-08 IA-02 IR-04 SC-08 SC-13 SC-37 SC-47
Art. 23 Reporting obligations (early warning within 24h, incident notification within 72h, final report within one month)
IR-06 IR-07 IR-09
62%

Rationale

IR-06 incident reporting; IR-07 reporting assistance. IR-09 (new in Rev 5) information spillage response adds reporting procedures for data exposure events that trigger NIS2 reporting obligations.

Gaps

IR-09 adds spillage-specific reporting. NIS2 has very specific reporting timelines (24h/72h/1 month) and reporting content requirements. SP 800-53 requires reporting but doesn't specify EU NIS2 timelines. These are regulatory requirements.

Mapped Controls

IR-06 IR-07 IR-09
Art. 24 Use of European cybersecurity certification schemes
SA-04 CA-02
40%

Rationale

SA-04 acquisition with certification requirements; CA-02 assessments.

Gaps

Significant gap. NIS2 may require use of EU-specific certification schemes (EU Cybersecurity Act). SP 800-53 supports certification concepts but EU-specific schemes not addressed. No new Rev 5 controls improve this gap.

Mapped Controls

SA-04 CA-02
Art. 29 Cybersecurity information-sharing arrangements
PM-15 PM-16 IR-06
70%

Rationale

PM-15 information sharing contacts; PM-16 threat awareness; IR-06 incident reporting.

Gaps

NIS2 encourages voluntary information sharing between entities. SP 800-53 covers information sharing but EU-specific sharing arrangements and platforms not addressed. No new Rev 5 controls materially improve this.

Mapped Controls

PM-15 PM-16 IR-06
Art. 32 Supervisory and enforcement measures for essential entities
CA-02 CA-07 PM-06
50%

Rationale

CA-02 assessments; CA-07 monitoring; PM-06 measures.

Gaps

NIS2 enforcement measures (audits, fines up to EUR 10M or 2% turnover, management liability) are regulatory. SP 800-53 supports assessment but enforcement/penalty framework is regulatory, not control-based. No new Rev 5 controls address this.

Mapped Controls

CA-02 CA-07 PM-06

Methodology and Disclaimer

This coverage analysis maps from NIS2 Directive clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.

Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.

This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.