How to conduct an NIS 2 risk assessment
Four verbs the EU asks for: identify, analyse, evaluate and treat. A written method. A management sign-off. Reviewed at planned intervals and on significant changes. This page shows you what each piece looks like in practice.
The short version
Article 21(2)(a) NIS 2 says every essential and important entity must run a risk-analysis-based policy. CIR (EU) 2024/2690 Annex §2 makes that concrete. You set up an information security risk management framework. You use it to identify, analyse, evaluate and treat risks to your network and information systems. You write down the criteria you use, and the management body signs them off.
You do not have to invent the method. You can use BSI Standard 200-3 (Germany), ISO/IEC 27005:2022 (the international equivalent), or any other recognised method. What matters is that it is documented, that it covers the assets you actually run, and that you review it at planned intervals, at least annually, and whenever something significant changes.
The trap most operators fall into: they pick one threat scenario, score it, and stop. A risk assessment is a method applied to your asset inventory, not a single workshop. We walk through identification, analysis and evaluation below, then show the principles that hold the whole thing together.
Article 21(2)(a) NIS 2 Directive (2022/2555)
Policies on risk analysis and information system security.
Point (a) on the list of ten cybersecurity measures every essential and important entity has to put in place. The directive does not prescribe a method. It prescribes the duty.
CIR (EU) 2024/2690, Annex §2
For the purposes of Article 21(2)(a) of Directive (EU) 2022/2555, the relevant entities shall establish an appropriate information security risk management framework to identify, analyse, evaluate and treat information security risks. The relevant entities shall review and, where appropriate, update the framework at planned intervals and at least annually, as well as when significant changes occur.
Because this is a regulation (not a directive), it is directly binding EU law. One caveat on scope: the CIR applies by its own Article 1 to the digital entities it names (DNS service providers, TLD registries, cloud, data centre and CDN providers, managed and managed security service providers, online marketplaces, search engines, social networks and trust service providers). For every other essential and important entity it is not directly binding, but it is the Commission's own statement of what the Article 21(2) measures require, and the sensible benchmark to build against. CIR Annex §2 also ties the framework to the asset inventory under §12 CIR. The four verbs identify, analyse, evaluate, treat come straight from the EU text.
§30(2)(1) BSIG (Germany)
Policies on risk analysis and on information technology security.
Germany copies the EU text almost word for word. The BSI Standards 200-2 (ISMS) and 200-3 (risk analysis) tell you in detail how to satisfy the duty under §30 BSIG. The same Article 21(2)(a) duty applies in every other member state through its national transposition law.
Identify
Take your asset inventory from §12 CIR. For each asset (or grouped class of identical assets), list the threats and vulnerabilities that apply. Use a reference catalogue so you do not start from a blank page. The BSI Elementare Gefährdungen catalogue has 47 entries covering fire, theft, social engineering, malware, supply chain, key person loss and the rest. ISO/IEC 27005:2022 Annex A lists comparable threat and vulnerability types. The output is an asset, threat and vulnerability triple for each risk.
Analyse
For each triple, score how bad the impact would be and how likely it is to happen. A 3x3 matrix (low / medium / high) is enough for most Mittelstand entities. A 5x5 matrix gives you more resolution if you need to compare similar risks. Impact covers confidentiality, integrity and availability, plus any business or safety effect that follows. Likelihood is a judgement call informed by what you have already seen, sector data and the state of your controls. Write the score down with a one-line rationale.
Evaluate and treat
Compare each scored risk to your acceptance criteria, which you set before you started scoring. Above the threshold, you treat: reduce (apply controls), avoid (stop doing the activity), share (insurance or contract, with limits, see below), or accept (with a documented reason). Below the threshold, you note that you accept it. Every treatment decision has a named owner and a date. The management body signs off the residual risks they are willing to live with.
Written method with management sign-off
CIR §2 talks about a framework, not a workshop. The method (how you score, what the matrix looks like, who decides, what your acceptance thresholds are) has to be on paper. The management body signs it off. You do not need a fancy method. You need a documented one. Article 21(1) lets you keep the depth proportional to your risk and your size, but the method itself is not optional.
Review at planned intervals and on significant changes
CIR §2(2) is explicit: you review the framework and the assessment at planned intervals, at least annually, and when significant changes occur. A new line of business, a new key supplier, a major incident, a regulatory change, all count as significant. The annual review is the floor, not the ceiling. Treat the assessment as a living artefact tied to your asset inventory, not a binder you write once.
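The identify, analyse, evaluate and treat steps above, plus the review trigger, expressed as a small risk register. This is an added example, not code from the page or from the platform it describes. Everything in it is a constructed illustration: the asset names, the threat entries (the G 0.x numbers follow the Elementare Gefährdungen numbering from memory and should be checked against the current catalogue), the scores, the owners and dates, and the acceptance threshold of 4 on a 3x3 matrix, which is a hypothetical choice, not a figure from any standard. What it shows that the prose does not is where the method has to be rigid: the criteria exist before scoring, "share" cannot zero a risk, "accept" cannot be unreasoned, and nothing above the threshold may be left undecided before the management body sees the residual list.

```python
"""Minimal NIS 2 style risk register: grouped assets x catalogue threats, a 3x3
matrix, acceptance criteria fixed before scoring, treatments with owner and
date, residual risks for management sign-off, and the review trigger.
All identifiers, scores and the threshold below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Acceptance criteria, written down and signed off BEFORE any scoring.
# Score = impact * likelihood on the 3x3 matrix (1..9). Hypothetical threshold.
TREAT_AT_OR_ABOVE = 4
TREATMENTS = ("reduce", "avoid", "share", "accept")


@dataclass
class Asset:
    name: str
    count: int = 1          # grouped class of identical assets (45 laptops = one entry)


@dataclass
class Risk:
    asset: Asset
    threat: str             # reference catalogue entry (numbering illustrative)
    vulnerability: str
    impact: Level
    likelihood: Level
    rationale: str          # one-line reason for the score
    treatment: str | None = None
    owner: str | None = None
    due: date | None = None
    residual: int | None = None
    reason: str | None = None

    @property
    def score(self) -> int:
        return int(self.impact) * int(self.likelihood)

    @property
    def above_threshold(self) -> bool:
        return self.score >= TREAT_AT_OR_ABOVE


def treat(risk: Risk, treatment: str, owner: str, due: date,
          residual: int | None = None, reason: str | None = None) -> Risk:
    """Record one treatment decision with owner and date; refuse the blanket shortcuts."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}")
    if treatment == "accept" and not reason:
        raise ValueError("acceptance must carry a documented reason")
    if treatment == "share" and not residual:
        raise ValueError("insurance or contract never removes the risk: state the residual")
    if treatment == "accept":
        residual = risk.score            # accepting changes nothing about the risk itself
    if treatment == "avoid":
        residual = 0                     # the activity stops, so the risk goes with it
    if residual is None or not 0 <= residual <= risk.score:
        raise ValueError("residual must lie between 0 and the inherent score")
    risk.treatment, risk.owner, risk.due = treatment, owner, due
    risk.residual, risk.reason = residual, reason
    return risk


def evaluate(register: list[Risk]) -> dict[str, list[Risk]]:
    """Compare every scored risk with the criteria; fail if anything above threshold is undecided."""
    undecided = [r for r in register if r.above_threshold and r.treatment is None]
    if undecided:
        names = ", ".join(f"{r.asset.name} / {r.threat}" for r in undecided)
        raise ValueError(f"undecided risks above threshold: {names}")
    return {
        "treated": [r for r in register if r.above_threshold],
        "accepted_by_criteria": [r for r in register if not r.above_threshold],
    }


def residual_for_signoff(register: list[Risk]) -> list[tuple[str, str, int]]:
    """What the management body signs: the residual of every risk that needed a decision, worst first."""
    rows = [(r.asset.name, r.threat, r.residual) for r in register if r.above_threshold]
    return sorted(rows, key=lambda row: -row[2])


def review_due(last_review: date, today: date, significant_change: bool = False) -> bool:
    """The annual review is the floor; a significant change triggers one regardless of the calendar."""
    return significant_change or today - last_review >= timedelta(days=365)


def sample_register() -> list[Risk]:
    """Constructed register for a small entity; every value here is illustrative."""
    laptops, erp, tapes = Asset("office laptops", count=45), Asset("ERP server"), Asset("backup tapes")
    reg = [
        Risk(laptops, "G 0.16 theft of devices", "no full-disk encryption", Level.HIGH, Level.MEDIUM, "two laptops lost last year"),
        Risk(erp, "G 0.39 malware", "internet-facing, patching lags", Level.HIGH, Level.HIGH, "phishing seen weekly"),
        Risk(erp, "G 0.33 loss of key person", "single administrator", Level.MEDIUM, Level.MEDIUM, "no runbooks"),
        Risk(tapes, "G 0.1 fire", "tapes stored on site", Level.MEDIUM, Level.LOW, "fire-rated safe in place"),
    ]
    due = date(2025, 6, 30)
    treat(reg[0], "reduce", "IT lead", due, residual=2)      # roll out full-disk encryption
    treat(reg[1], "reduce", "IT lead", due, residual=3)      # patch window plus endpoint protection
    treat(reg[2], "accept", "CEO", due, reason="second administrator starts in Q3; revisit at next review")
    return reg                                               # fire scores 2: below threshold, accepted by criteria
```

Run `evaluate(sample_register())` and the undecided check passes only because every risk scoring 4 or more carries a treatment; drop one `treat(...)` call and it raises, which is the behaviour you want from a register before it reaches the management body. `residual_for_signoff` is the list they sign; the accepted key-person risk sits at the top with its full score, because acceptance reduces nothing.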
BSI Standards 200-2 and 200-3
The BSI publishes two standards that cover the §30 BSIG risk-analysis duty end to end. BSI 200-2 sets out the ISMS lifecycle. BSI 200-3 is the risk analysis itself, with the Elementare Gefährdungen as the threat catalogue. The BSI is explicit in its Infopakete: a blanket risk transfer or general risk acceptance is excluded. Insurance is something you add on top, never a substitute for treatment.
ENISA Technical Implementation Guidance
ENISA, the EU cybersecurity agency, publishes a Technical Implementation Guidance (TIG) for CIR (EU) 2024/2690. It is not law. It is the practical reference that maps the CIR text to recognised standards, including ISO/IEC 27005:2022 for risk management. National authorities and auditors cite it as a reasonable interpretation of the CIR.
ISO/IEC 27005:2022
ISO/IEC 27005:2022 is the international standard for information security risk management. It is named in the ENISA TIG as a recognised method for satisfying CIR §2. If you already run an ISO 27001 ISMS, ISO 27005 is the risk-analysis method that sits inside it. Use whichever recognised method fits your context. The CIR does not pick one.
We did the risk assessment last year, so we are done.
CIR §2(2) requires review at planned intervals, at least annually, and on significant changes. A one-shot assessment from last year does not satisfy the duty if a major supplier changed, a new system went live, or a significant incident happened in the meantime. Treat the assessment as a living artefact tied to your asset inventory.
We need a separate risk entry for every CVE and every threat.
You do not. Risk assessment is asset-by-asset (or by grouped class of identical assets), not vulnerability-by-vulnerability. The BSI lets you bundle 45 office laptops into one entry. You assess threats and vulnerabilities at the asset level. Patch management is a separate continuous obligation under Article 21(2)(e), not part of the annual assessment.
We have cyber insurance, so we can accept the rest.
The BSI is blunt: a blanket risk transfer or general risk acceptance is excluded. Insurance sits on top of treatment, never replaces it. The same applies to acceptance: you cannot accept every risk you do not want to deal with. Acceptance has to be reasoned, named, signed, and within criteria you set in advance.
What we see in 60- to 250-person Mittelstand entities: ten to fifteen grouped assets, an Elementare Gefährdungen subset of around twenty threats, a 3x3 matrix, and somewhere between forty and eighty risk entries in total. The first pass takes a few working days with the right people in the room. Done once, the annual review is hours, not days.
The two pieces that take longest the first time are the asset inventory and the acceptance criteria. Both pay back: every later requirement (suppliers, incidents, business continuity, training) reuses the same asset list, and the criteria stop you re-arguing every individual treatment decision. Practitioners with thirty Mittelstand customers say the same thing: do the method properly once, and the annual review is the cheapest hour you spend on NIS 2.
Risk methodology, asset inventory, threats and vulnerabilities, scored risks, treatment plans and acceptance criteria live in one module on the platform. You record the method once, the management body signs it off, and every later assessment uses the same scoring. The audit trail is the evidence.
Annual review and review on significant changes fall out of using the platform: due dates, sign-offs, status. Nothing to maintain on the side. When the assessment binds to your asset inventory directly (as CIR §2(3) asks), every change to an asset surfaces in the next review. Free and open source. No lock-in.
- Directive (EU) 2022/2555 (NIS 2), Article 21(2)(a) — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Commission Implementing Regulation (EU) 2024/2690 (CIR), Annex §2 and §12 — eur-lex.europa.eu/eli/reg_impl/2024/2690/oj
- BSI Act (BSIG), §30 as amended by the NIS2 Implementation and Cybersecurity Strengthening Act
- BSI Standard 200-2: IT-Grundschutz methodology — bsi.bund.de
- BSI Standard 200-3: Risk analysis based on IT-Grundschutz — bsi.bund.de
- BSI Infopakete 'NIS 2 Pflichten' — bsi.bund.de/dok/nis-2-infopakete
- ISO/IEC 27005:2022 — Information security, cybersecurity and privacy protection: Guidance on managing information security risks
- ENISA Technical Implementation Guidance for CIR (EU) 2024/2690 (as of May 2026)