Overview
This skill documents management body accountability and cybersecurity risk-management measures under NIS2 Directive (EU) 2022/2555, Articles 20 and 21. Article 20 makes management bodies accountable: they must approve the entity's cybersecurity risk-management measures, oversee their implementation, follow cybersecurity training themselves, and can be held liable for the entity's infringements of Article 21 (the form of that liability is set by each Member State's transposition law). Article 21(2) lists the minimum measures every essential and important entity must implement, proportionate to its risk exposure, its size, and the likelihood and severity of incidents, including their societal and economic impact. The directive itself numbers those measures (a) to (j); this skill splits the final point, 21(2)(j), into (j) multi-factor or continuous authentication and (k) secured voice, video, text and emergency communications, so this page refers to 11 measures (a)-(k) throughout.
The skill scans existing governance documentation, validates coverage across all 11 measures at three compliance layers (policy, procedure, evidence), and produces a comprehensive governance and risk management report with a completeness matrix and remediation roadmap.
What It Covers
- Art. 20 management body accountability — approval records, cybersecurity training for board members, personal liability framework, and review schedules
- 11 mandatory measures (a)-(k) — measure-by-measure validation covering risk analysis, incident handling, business continuity, supply chain security, vulnerability handling, effectiveness assessment, cyber hygiene, cryptography, HR/access control, MFA, and emergency communications
- Three-layer completeness analysis — checks each measure for policy documents, operational procedures, and implementation evidence; flags shallow compliance where only policies exist
- Completeness matrix — visual summary of coverage depth across all measures and compliance layers
- Remediation roadmap — prioritized gap closure recommendations with severity ratings and suggested timelines
Example Conversation
You: We need to prepare our NIS2 Art. 20-21 governance documentation. We’re a managed IT services provider classified as an important entity under NIS2, about 200 employees. I’ve uploaded our existing policies and security documentation to the workspace.
Agent: I’ll assess your governance framework against both Art. 20 (management body accountability) and Art. 21 (the 11 mandatory cybersecurity measures). Let me start by checking your Art. 20 management accountability requirements. Running management_accountability_checker…

Results — 2/4 requirements found:

| Requirement | Status |
|---|---|
| Management body approval of cybersecurity risk-management measures | FOUND |
| Cybersecurity training for management body members | MISSING |
| Personal liability and accountability framework | MISSING |
| Regular review schedule for risk-management measures | FOUND |

Your board approval records and annual review schedule are in place, but I could not find any cybersecurity training records or plans for management body members, and there is no documented personal liability framework. Under Art. 20, management body members can be held personally liable for infringements — this is a significant gap. Let me now check coverage of the 11 Art. 21 measures. Running governance_measure_validator…

Results — 7 covered, 2 partial, 2 not covered:

| Measure | Status | Topics Found | Topics Missing |
|---|---|---|---|
| (a) Risk analysis and IS security policies | COVERED | 4/4 | — |
| (b) Incident handling | COVERED | 4/4 | — |
| (c) Business continuity, backup, DR, crisis | COVERED | 4/4 | — |
| (d) Supply chain security | PARTIAL | 1/4 | supplier assessments, supplier contracts, supplier monitoring |
| (e) Vulnerability handling | COVERED | 4/4 | — |
| (f) Effectiveness assessment | COVERED | 4/4 | — |
| (g) Cyber hygiene and training | COVERED | 4/4 | — |
| (h) Cryptography and encryption | PARTIAL | 2/4 | key management, data protection transit/rest |
| (i) HR security, access control, assets | COVERED | 4/4 | — |
| (j) MFA and secured communications | COVERED | 3/3 | — |
| (k) Secured voice/video/text and emergency comms | NOT COVERED | 0/4 | all topics missing |

Two areas need attention. For measure (d), you mention supply chain risks generally but have no formal supplier assessment process, contract security clauses, or vendor monitoring program. For measure (h), you reference encryption and TLS but have no documented key management procedures or data-at-rest/in-transit protection policies.
You: That matches what I suspected. Can you check how deep our coverage actually goes? I’m worried we have policies but no real procedures or evidence behind them.
Agent: Running risk_measure_completeness_checker…

Completeness Matrix:

| Measure | Policy | Procedure | Evidence | Depth |
|---|---|---|---|---|
| (a) Risk analysis | FOUND | FOUND | FOUND | Full |
| (b) Incident handling | FOUND | FOUND | FOUND | Full |
| (c) Business continuity | FOUND | FOUND | MISSING | Partial |
| (d) Supply chain security | FOUND | MISSING | MISSING | SHALLOW |
| (e) Vulnerability handling | FOUND | FOUND | FOUND | Full |
| (f) Effectiveness assessment | FOUND | MISSING | MISSING | SHALLOW |
| (g) Cyber hygiene and training | FOUND | FOUND | FOUND | Full |
| (h) Cryptography | FOUND | MISSING | MISSING | SHALLOW |
| (i) HR security, access control | FOUND | FOUND | FOUND | Full |
| (j) MFA and communications | FOUND | FOUND | MISSING | Partial |
| (k) Emergency communications | MISSING | MISSING | MISSING | None |

Shallow Compliance Warnings:
- (d) Supply chain security: policy exists but no procedures or evidence
- (f) Effectiveness assessment: policy exists but no procedures or evidence
- (h) Cryptography: policy exists but no procedures or evidence
Three measures show shallow compliance — you have written policies but no operational procedures or evidence of implementation. Auditors will flag these as paper compliance. I’ll now draft the full governance and risk management report with remediation priorities for each gap…
Sample Output Excerpt
Below is a representative excerpt from a generated governance and risk management report showing the Art. 21 measure assessment and completeness matrix sections.
Art. 21(2) Measure Assessment (excerpt)
| # | Measure | Coverage | Topics Found | Topics Missing | Severity |
|---|---|---|---|---|---|
| (a) | Risk analysis and IS security policies | COVERED (4/4) | risk analysis, info system security, security policies, risk treatment | — | — |
| (b) | Incident handling | COVERED (4/4) | incident detection, incident response, incident reporting, incident classification | — | — |
| (c) | Business continuity, backup, DR, crisis | COVERED (4/4) | business continuity, backup management, disaster recovery, crisis management | — | — |
| (d) | Supply chain security | PARTIAL (1/4) | supply chain security | supplier assessments, supplier contracts, supplier monitoring | High |
| (e) | Network/IS acquisition; vulnerability handling | COVERED (4/4) | secure development, vulnerability handling, vulnerability disclosure, acquisition security | — | — |
| (f) | Effectiveness assessment | COVERED (4/4) | effectiveness assessment, security auditing, security testing, security metrics | — | — |
| (g) | Cyber hygiene and training | COVERED (4/4) | cyber hygiene, cybersecurity training, phishing awareness, acceptable use | — | — |
| (h) | Cryptography and encryption | PARTIAL (2/4) | cryptography policies, encryption | key management, data protection transit/rest | High |
| (i) | HR security, access control, assets | COVERED (4/4) | HR security, access control, asset management, onboarding/offboarding | — | — |
| (j) | MFA, continuous auth, secured communications | COVERED (3/3) | multi-factor auth, continuous auth, secured communications | — | — |
| (k) | Secured voice/video/text, emergency comms | NOT COVERED (0/4) | — | secured voice, secured video, secured text, emergency comms | Critical |
Completeness Matrix (excerpt)
| Measure | Policy | Procedure | Evidence | Depth |
|---|---|---|---|---|
| (a) Risk analysis and IS security | FOUND | FOUND | FOUND | Full |
| (b) Incident handling | FOUND | FOUND | FOUND | Full |
| (c) Business continuity, backup, DR | FOUND | FOUND | MISSING | Partial |
| (d) Supply chain security | FOUND | MISSING | MISSING | SHALLOW |
| (e) Vulnerability handling | FOUND | FOUND | FOUND | Full |
| (f) Effectiveness assessment | FOUND | MISSING | MISSING | SHALLOW |
| (g) Cyber hygiene and training | FOUND | FOUND | FOUND | Full |
| (h) Cryptography and encryption | FOUND | MISSING | MISSING | SHALLOW |
| (i) HR security, access control, assets | FOUND | FOUND | FOUND | Full |
| (j) MFA and secured communications | FOUND | FOUND | MISSING | Partial |
| (k) Emergency communications | MISSING | MISSING | MISSING | None |
Summary: Full depth 5/11 | Partial 2/11 | Shallow 3/11 | No documentation 1/11
Gap Summary (excerpt)
| Priority | Measure | Gap Description | Recommended Action |
|---|---|---|---|
| Critical | (k) Emergency comms | No documentation for secured voice, video, text, or emergency communication systems | Evaluate current communication platforms; document security properties; establish out-of-band emergency communication procedures |
| High | (d) Supply chain | Policy-only — no supplier assessment process, contract security clauses, or monitoring program | Create supplier risk assessment questionnaire; add security clauses to vendor contracts; establish annual vendor review cycle |
| High | (h) Cryptography | Policy-only — no key management procedures or data-at-rest/in-transit protection documentation | Document key management lifecycle; inventory certificates and keys; define encryption requirements for data at rest and in transit |
| High | (f) Effectiveness | Policy-only — no testing schedule, audit procedures, or security metrics framework | Establish annual security testing schedule; define security KPIs; implement internal audit program for cybersecurity measures |
Extension Tools
management_accountability_checker
Scans workspace files for NIS2 Art. 20 management body governance requirements. Checks four areas:
| Requirement | What It Checks |
|---|---|
| Management body approval | Board or management approval records for cybersecurity risk-management measures |
| Cybersecurity training | Training records, plans, or schedules for management body members |
| Personal liability framework | Documented accountability and personal liability framework referencing Art. 20 |
| Regular review schedule | Periodic, annual, or quarterly review schedule for risk-management measures |
Reports found or missing per requirement with file references. Flags that missing governance documentation leaves management body members exposed: under Art. 20(1) they can be held liable for the entity's infringements of Art. 21, with the form of that liability set by national transposition law.
governance_measure_validator
Scans workspace files for content relevant to each of the 11 NIS2 Art. 21(2) mandatory cybersecurity measures (a)-(k). Each measure is checked against multiple topic areas using keyword analysis:
| Measure | Topics Checked |
|---|---|
| (a) Risk analysis and IS security | risk analysis, info system security, security policies, risk treatment |
| (b) Incident handling | incident detection, response, reporting, classification |
| (c) Business continuity | business continuity, backup management, disaster recovery, crisis management |
| (d) Supply chain security | supply chain security, supplier assessments, supplier contracts, supplier monitoring |
| (e) Vulnerability handling | secure development, vulnerability handling, vulnerability disclosure, acquisition security |
| (f) Effectiveness assessment | effectiveness assessment, security auditing, security testing, security metrics |
| (g) Cyber hygiene and training | cyber hygiene, cybersecurity training, phishing awareness, acceptable use |
| (h) Cryptography and encryption | cryptography policies, encryption, key management, data protection transit/rest |
| (i) HR security and access control | HR security, access control, asset management, onboarding/offboarding |
| (j) MFA and communications | multi-factor auth, continuous auth, secured communications |
| (k) Emergency communications | secured voice, secured video, secured text, emergency comms |
Reports coverage status (covered when every topic is found, not covered when none is, partial otherwise) per measure with topics found, topics missing, and matched files. Because matching is keyword-based, a topic counts as found when the term appears in any workspace file; this confirms the topic is mentioned, not that it is implemented, which is why the result should be read together with risk_measure_completeness_checker.
risk_measure_completeness_checker
Checks three compliance layers per Art. 21(2) measure to identify shallow compliance:
| Layer | What It Looks For |
|---|---|
| Policy | Formal policy documents (e.g., risk management policy, incident response policy, cryptography policy) |
| Procedure | Operational procedures and processes (e.g., risk assessment procedure, patch management procedure, key management procedure) |
| Evidence | Implementation evidence such as logs, reports, test results, registers, and audit findings |
Returns a completeness matrix showing depth per measure (Full, Partial, Shallow, None). Measures with policy-only coverage are flagged as shallow compliance — a common audit finding where organisations write policies but lack the operational procedures and implementation evidence to back them up.
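The two scans described above, as an added example that is not the skill's own code: a small Python re-implementation of keyword topic matching per measure and of the policy/procedure/evidence depth rule, run over a constructed five-file workspace. The topic keywords, the directory-based layer heuristic and the depth rule (all three layers Full, policy alone Shallow, nothing None, anything else Partial) are assumptions inferred from the tables on this page, not the skill's actual logic. It also shows why the two scans are paired: the supply chain policy scores 1/4 topics found on keyword matching alone, yet sits at Shallow depth because nothing outside the policy folder mentions the measure.

```python
"""Toy re-implementation of the keyword scans described above: per-measure
topic coverage (governance_measure_validator style) and the
policy/procedure/evidence depth matrix (risk_measure_completeness_checker
style).  Added example, not the skill's own code; topic keywords, the layer
heuristic and the sample workspace are all assumptions built for illustration."""
from typing import Dict, List

# Assumed topic -> keyword lists for four of the eleven measures.  A real scan
# would carry the full (a)-(k) topic list from the table above.
MEASURE_TOPICS: Dict[str, Dict[str, List[str]]] = {
    "(b) Incident handling": {
        "incident detection": ["detect"],
        "incident response": ["respon"],
        "incident reporting": ["report"],
        "incident classification": ["classif"],
    },
    "(d) Supply chain security": {
        "supply chain security": ["supply chain"],
        "supplier assessments": ["supplier assessment", "vendor questionnaire"],
        "supplier contracts": ["security clause"],
        "supplier monitoring": ["supplier monitoring", "vendor review"],
    },
    "(h) Cryptography and encryption": {
        "cryptography policies": ["cryptograph"],
        "encryption": ["encrypt"],
        "key management": ["key management", "key rotation"],
        "data protection transit/rest": ["at rest", "in transit"],
    },
    "(k) Emergency communications": {
        "secured voice": ["secure voice", "secured voice"],
        "secured video": ["secure video", "secured video"],
        "secured text": ["secure messaging", "secured text"],
        "emergency comms": ["emergency communication", "out-of-band"],
    },
}

# Assumed layer heuristic: the top-level directory decides a file's layer.
LAYER_BY_DIR = {"policies": "policy", "procedures": "procedure", "evidence": "evidence"}

# Constructed sample workspace (path -> contents); not real customer documents.
WORKSPACE: Dict[str, str] = {
    "policies/incident-handling-policy.md":
        "Incidents are detected by the SOC, classified by severity, and "
        "reported to the national CSIRT within 24 hours of response start.",
    "procedures/incident-response-runbook.md":
        "Step 1: detection alert received. Step 2: classify P1-P4. "
        "Step 3: respond and contain. Step 4: report to CSIRT.",
    "evidence/incident-log-2024.csv":
        "2024-03-02,phishing,classified P2,responded,reported to CSIRT",
    "policies/supply-chain-security-policy.md":
        "Supply chain security: risks from suppliers are considered during procurement.",
    "policies/cryptography-policy.md":
        "Cryptography: customer traffic is protected with TLS encryption.",
}


def _hits(text: str, keywords: List[str]) -> bool:
    """Case-insensitive substring match against any keyword."""
    low = text.lower()
    return any(kw in low for kw in keywords)


def coverage(workspace=WORKSPACE, topics=MEASURE_TOPICS):
    """Per measure: which topics appear anywhere in the workspace, and the
    status derived from the count (all -> COVERED, none -> NOT COVERED)."""
    out = {}
    for measure, topic_map in topics.items():
        found, files = [], set()
        for topic, kws in topic_map.items():
            matched = [p for p, txt in workspace.items() if _hits(txt, kws)]
            if matched:
                found.append(topic)
                files.update(matched)
        n, total = len(found), len(topic_map)
        status = "COVERED" if n == total else "NOT COVERED" if n == 0 else "PARTIAL"
        out[measure] = {"status": status, "ratio": f"{n}/{total}", "found": found,
                        "missing": [t for t in topic_map if t not in found],
                        "files": sorted(files)}
    return out


def layer_of(path: str):
    return LAYER_BY_DIR.get(path.split("/", 1)[0])


def completeness(workspace=WORKSPACE, topics=MEASURE_TOPICS):
    """A layer is FOUND for a measure when any file in that layer mentions any
    of the measure's keywords.  Depth rule (assumed from the matrix above):
    all three layers -> Full; none -> None; policy alone -> Shallow; else Partial."""
    out = {}
    for measure, topic_map in topics.items():
        kws = [kw for ks in topic_map.values() for kw in ks]
        layers = {"policy": "MISSING", "procedure": "MISSING", "evidence": "MISSING"}
        for path, txt in workspace.items():
            layer = layer_of(path)
            if layer and _hits(txt, kws):
                layers[layer] = "FOUND"
        found = {l for l, v in layers.items() if v == "FOUND"}
        if found == {"policy", "procedure", "evidence"}:
            depth = "Full"
        elif not found:
            depth = "None"
        elif found == {"policy"}:
            depth = "Shallow"
        else:
            depth = "Partial"
        out[measure] = {**layers, "depth": depth}
    return out


def shallow_warnings(matrix) -> List[str]:
    """Measures with a policy but no procedure or evidence behind it."""
    return [m for m, row in matrix.items() if row["depth"] == "Shallow"]


if __name__ == "__main__":
    for m, r in coverage().items():
        print(f"{m}: {r['status']} ({r['ratio']}) missing={r['missing']}")
    for m, r in completeness().items():
        print(f"{m}: {r['policy']}/{r['procedure']}/{r['evidence']} -> {r['depth']}")
```

Run as-is it reports (b) COVERED 4/4 at Full depth, (d) PARTIAL 1/4 and (h) PARTIAL 2/4 both at Shallow depth, and (k) NOT COVERED at None. Swapping in your own keyword lists and file-layout heuristic is the only change needed to try it on a real document set.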
Getting Started
Install the NIS2 Governance & Risk Management skill from the skill library. If you have completed the Organization Profile skill, load it first so the agent can use your entity classification, sector, and organisational context.
Have this information ready before starting:
- Entity classification — whether your organisation is essential or important under NIS2, and the sector it falls under
- Governance documentation — board minutes, management body approval records, cybersecurity training records for directors and executives
- Existing security policies — risk management policy, incident response plan, business continuity plan, access control policy, and any other cybersecurity policies
- Operational procedures — documented processes for risk assessment, vulnerability management, backup, supplier assessment, and similar
- Implementation evidence — risk registers, audit reports, incident logs, training completion records, penetration test reports, backup test results
- Certifications — any existing certifications such as ISO 27001 or SOC 2 that may already address parts of Art. 21
Upload your documentation to the workspace and tell the agent about your organisation. The agent walks through a structured workflow: gathering context, assessing Art. 20 management body accountability, validating all 11 Art. 21 measures, checking completeness depth across policy/procedure/evidence layers, and producing a full governance and risk management report with a remediation roadmap.