NIS 2 internal audit with ISMS Copilot
Self-audit your Article 21 cybersecurity risk-management measures against the directive.
Article 21 verification support
- Walk through each of the Article 21(2) measure categories, from risk analysis to cryptography
- Verify incident-handling and business-continuity arrangements are evidenced
- Check supply-chain security measures against documented practice
- Test the all-hazards risk-management approach Article 21 requires
- Assemble self-assessment evidence where Article 24 schemes are transposed
- Map gaps to the management-body oversight duties under Article 20
Self-auditing the Art. 21 risk-management measures
NIS 2 Article 21 requires essential and important entities to take appropriate and proportionate technical, operational, and organisational measures across ten named areas, from risk analysis and incident handling to supply-chain security and cryptography. ISMS Copilot helps you self-audit each Article 21(2) category against what your organisation actually does, testing the all-hazards approach the directive demands rather than treating it as a checkbox. Where a member state has transposed Article 24 conformity-assessment or certification schemes, it helps you assemble the self-assessment evidence the competent authority will expect. It also ties findings back to the Article 20 management-body accountability duties. The AI drafts the working papers and gap list; your auditor judges proportionality and concludes.
Why teams use it for NIS 2 self-audits
- Concrete coverage of all ten Article 21(2) measure areas
- Self-assessment evidence ready where Article 24 is transposed
- Findings linked to Article 20 management-body duties
Frequently Asked Questions
Which NIS 2 article does the audit focus on?
Primarily Article 21, which lists the cybersecurity risk-management measures essential and important entities must take, with cross-references to the Article 20 management-body duties and Article 24 schemes where transposed.
Does NIS 2 require a formal certification?
NIS 2 itself does not mandate certification. Article 24 lets member states require specific schemes when transposed nationally; ISMS Copilot helps you prepare self-assessment evidence either way.
Can it map NIS 2 to ISO 27001?
Yes. ISMS Copilot cross-maps Article 21 measures to ISO 27001 controls so an existing ISMS can be reused as evidence rather than audited twice.
