
The 10 Mandatory Security Measures

4.4.2026 · 2 min read

Tags: NIS2 requirements, risk assessment, IT business continuity, IT supplier security, secure system development, data encryption

These are the minimum measures every in-scope entity must implement:

1. Risk analysis and information system security policies: Formal, documented policies covering how the organisation identifies, assesses, and manages cybersecurity risks.

2. Incident handling: Procedures for prevention, detection, analysis, containment, response, and recovery from incidents.

3. Business continuity, backup management, and disaster recovery: Ensuring operations can continue or be restored after an incident. Covers backups, DR plans, and crisis management.

4. Supply chain security: Managing cybersecurity risks from direct suppliers and service providers — including assessing their security practices. This is one of the most expanded areas compared to NIS 1.

5. Security in network and information systems acquisition, development, and maintenance: Security built into procurement and development processes, including vulnerability handling and disclosure policies.

6. Policies to assess the effectiveness of cybersecurity measures: Regular testing, auditing, and review of the security measures in place — not just implementing them, but verifying they actually work.

7. Basic cyber hygiene and cybersecurity training: Foundational practices (patching, password policies, phishing awareness, etc.) and ensuring staff are trained. Applies across the organisation, including senior management.

8. Policies on cryptography and encryption: A defined approach to when and how encryption is used to protect data in transit and at rest.

9. Human resources security, access control, and asset management: Background checks, clear access rights policies, asset inventories, and procedures for onboarding/offboarding staff.

10. Multi-factor authentication (MFA), continuous authentication, and secure communications: MFA must be used where appropriate. Secure channels for voice, video, and text communications — including emergency communications.
