Framework · NIS2

Manage your NIS2 risk measures.
Prove their effectiveness.

01GRC helps essential and important entities operate the cybersecurity risk-management measures NIS2 (Directive (EU) 2022/2555) requires — risk analysis, incident handling, supply-chain security, business continuity and effectiveness assessment — and evidence them to your management body and supervisory authority.

Article 21 measures · effectiveness assessment · built by GRC practitioners
Why 01GRC for NIS2

Run the measures. Prove they work.

Every claim here maps to a real feature, with an honest line between the measures 01GRC performs and those it assures while you implement them.

The Article 21 measures that are processes

Risk, incidents, suppliers, continuity, training and asset management — as live workflows, not documents.

Built for Article 21(2)(f)

Control tests, KPIs, compliance reviews, internal audits and a posture dashboard are exactly the effectiveness proof a supervisor asks for.

Self-assess out of the box

A seeded NIS2 criteria set drives gap analysis and compliance reviews, with findings, corrective actions and evidence.

Governance you can show

Immutable management-review sign-offs and full activity logging give your management body a defensible oversight record.

Honest about scope

We tell you plainly which measures the platform performs and which it assures while you implement them in your environment.

Article 21(2)

Run the measures that are processes.

Where NIS2 asks for a cybersecurity risk-management process, 01GRC gives you a working feature.

NIS2 measure: What 01GRC delivers

Risk analysis & security policies (Art. 21(2)(a)): A repeatable risk process — threats, vulnerabilities, inherent vs residual scoring, named risk levels, tied to the assets and processes affected — plus full policy management (versioning, approval, acknowledgement).

Incident handling (Art. 21(2)(b)): State-machine incident lifecycle with a typed activity timeline, asset and data linkage, evidence, and MTTD/MTTR dashboards.

Business continuity & disaster recovery (Art. 21(2)(c)): Business Impact Analysis (criticality, MTD/RPO) and resilience exercises — tabletop, simulation, failover and functional — including restoration testing.

Supply-chain security (Art. 21(2)(d)): Vendor and third-party management: register, arrangements, derived criticality, supplier questionnaires with evidence, and subcontractor mapping.

Vulnerability handling (Art. 21(2)(e)): A vulnerability register linking weaknesses to the risks and assets they affect, feeding treatment.

Assessing effectiveness of measures (Art. 21(2)(f)): Control tests with steps and KPIs, control-effectiveness history, compliance reviews, internal audits, gap analysis, and a live compliance dashboard.

Cyber hygiene & training (Art. 21(2)(g)): A built-in Learning module — courses, quizzes, schedules, completion tracking — plus policy acknowledgement campaigns.

Asset management (Art. 21(2)(i)): A first-class asset inventory with classification, ownership, CIA values and RTO/RPO.

Article 20

Govern and evidence.

The oversight and accountability duties NIS2 places on your management body — on record.

Management oversight

Periodic management review with snapshotted metrics and an immutable attestation sign-off, so leadership's review is on record.

Training for management & staff

Assign, deliver and evidence cybersecurity training across the organisation.

Accountability

Activity logging on every entity and role-based approvals throughout.

Self-assessment

Self-assess against NIS2.

A seeded NIS2 criteria set lets you run a gap analysis and compliance reviews against the directive's measures — capturing findings, corrective actions and evidence, and tracking your posture over time. It is the audit-readiness workspace for supervisory engagement.

Honest scope

What you implement, what 01GRC assures.

We are explicit about this, because your auditor and your CSIRT will be too.

You implement in your environment: 01GRC gives you

Cryptography & encryption (Art. 21(2)(h)): Policy management, control assurance, testing and evidence.

Organisation-wide MFA & secure communications (Art. 21(2)(j)): Control register, applicability, effectiveness testing and evidence (the platform enforces MFA for its own access).

Secure development & maintenance (Art. 21(2)(e)): The control framework, vulnerability register and assurance lifecycle.

HR and access-control processes (Art. 21(2)(i)): Policy management, awareness training and evidence tracking.

Regulatory incident notification to the CSIRT/authority (Art. 23): Incident handling and the inputs to classify significance — the 24h/72h/final notification itself is performed outside the platform today.

01GRC is the system of record and assurance for your NIS2 risk-management measures. It proves your controls are in place, applicable, tested and effective — it does not replace your security stack or file your statutory incident reports.

Platform

Strengths that make NIS2 easier.

Business-first model

Department → Process → Asset → Data Flow → Vendor, with dependency mapping and derived process/vendor criticality, so an incident's blast radius is visible.

Immutable evidence

Activity logs, snapshotted sign-offs, encrypted and virus-scanned attachments, soft deletes by default.

Role-based access & multi-tenancy

Granular permissions, organisation-scoped data, MFA, session controls, IP blocklisting.

Deploy anywhere

Self-contained with no external dependencies — deploy on-premises, in your private cloud, or fully air-gapped.

Who it's for

One programme, every stakeholder.

CISO / Security lead

Risk posture, supplier risk, continuity and an effectiveness-of-measures dashboard mapped to Article 21.

Compliance / Risk Manager

NIS2 gap analysis, compliance reviews, corrective actions and audit programs.

Management body

Oversight dashboard and immutable sign-off to evidence Article 20 duties.

01GRC helps essential and important entities operate and evidence their NIS2 cybersecurity risk-management measures, including risk analysis, incident handling, supply-chain security, business continuity and assessment of effectiveness. Technical and operational controls such as cryptography, multi-factor authentication and secure development are implemented in your own environment; 01GRC is where you manage, assess, test and prove them. Statutory incident notification to your CSIRT or competent authority is carried out through your regulator's channels. NIS2 obligations are determined by the national transposition that applies to your entity.

More frameworks

One platform, every standard you answer to.

NIS2 is one of several frameworks built in — and you can add your own. More framework guides are on the way.

See your NIS2 programme the way it should look.

Book a personalised walkthrough — we'll demo the Article 21 measures, supplier risk, continuity and the effectiveness dashboard on data shaped like yours.