
What NIS2 Article 21 actually requires for cybersecurity exercises

Michiel van der Steeg, June 13, 2026 (4 min read)

If you've read anything about NIS2, it was probably about incident reporting deadlines or fines. But the article that determines your day-to-day obligations is Article 21 — the list of cybersecurity risk-management measures every essential and important entity must implement. And buried in that list is something many organizations still treat as optional: you have to test whether your organization can actually respond, not just write down that it should.

This article walks through what Article 21 expects around exercises and training, what supervisors will ask for as evidence, and how to set up an exercise program that satisfies both — without it becoming a yearly theater production.

What Article 21(2) actually lists

Article 21(2) requires "appropriate and proportionate technical, operational and organisational measures" across ten areas. Three of them are directly relevant for exercises:

  • (c) Business continuity — backup management, disaster recovery, and crisis management. A crisis-management capability that has never been rehearsed is a plan, not a capability.
  • (f) Policies and procedures to assess the effectiveness of your cybersecurity risk-management measures. This is the clause auditors lean on: you must be able to show that you verify your measures work — and for organizational measures like incident response, an exercise is the standard verification method.
  • (g) Basic cyber hygiene practices and cybersecurity training. Training is not limited to phishing-awareness videos; for the people with a role in incident response, realistic practice is the training.

On top of that, Article 20(2) makes management bodies personally responsible: they must follow training themselves and are expected to ensure equivalent training for employees. A board that has never sat in a crisis exercise will struggle to demonstrate that.

Where exercises fit: three obligations, one instrument

Notice the pattern: NIS2 never says the word "tabletop". It says crisis management, effectiveness assessment, and training. A well-run exercise happens to be the one instrument that produces evidence for all three at once:

  1. It rehearses crisis management — roles, escalation, decision-making under time pressure.
  2. It assesses effectiveness — you find out whether the incident response plan survives contact with a realistic scenario, and where it's silent or wrong.
  3. It trains people — not abstractly, but in the exact decisions their role owns.

That's why exercises punch far above their weight in a NIS2 program: one afternoon produces evidence across multiple Article 21 measures.

Who is in scope

NIS2 covers essential entities (energy, transport, banking, health, water, digital infrastructure, public administration, space) and important entities (postal services, waste, chemicals, food, manufacturing of critical products, digital providers, research). The general threshold is 50+ employees or €10M+ turnover, but some entities are in scope regardless of size — DNS providers and trust services, for example.

In the Netherlands, NIS2 is implemented through the Cyberbeveiligingswet. The Dutch implementation has run behind the original EU deadline, but supervisors have been clear that organizations are expected to work toward compliance now — the obligations come from the directive, and "we were waiting for the national law" is not a strategy an auditor rewards.

What a compliant exercise looks like

There is no certified template, but supervisory guidance and audit practice converge on a few characteristics:

  • Grounded in your own plans. The exercise should test your incident response plan, your escalation paths, your communication obligations — not a generic scenario from a slide deck. If the exercise can't fail against your plan, it isn't testing anything.
  • Realistic and role-based. Participants act in their actual roles, with information arriving the way it would in reality: incomplete, sequential, and sometimes contradictory.
  • Covering the reporting clock. NIS2's own deadlines — early warning within 24 hours, incident notification within 72 hours, final report within a month — should appear inside the scenario, so the team practices deciding when something becomes notifiable.
  • Debriefed and documented. The exercise ends with findings: what worked, what was missed, which parts of the plan turned out to be fiction. Without a debrief, the exercise produces experience but no evidence.

The evidence auditors expect

When a supervisor or auditor checks your Article 21 implementation, the exercise file they want to see contains:

Artifact                        | Why it matters
--------------------------------|------------------------------------------------------------
Scenario & objectives           | Shows the exercise was designed, not improvised
Participant list with roles     | Shows the right people trained, including management (Art. 20)
Session log / transcript        | Proves the exercise actually happened as described
Debrief report with findings    | The effectiveness assessment of Art. 21(2)(f)
Follow-up actions with owners   | Shows findings lead to improvement, closing the loop

If your current exercises produce a calendar invite and a vague memory, you have a gap — not in exercising, but in evidencing.

A practical 12-month exercise calendar

For a mid-sized organization, a defensible and realistic rhythm looks like this:

  • Quarter 1: Ransomware tabletop with the core response team (60–90 min).
  • Quarter 2: Short, focused drill on one weakness from Q1's debrief (30 min).
  • Quarter 3: Scenario rotation — data breach or supply-chain compromise, now including legal and communications roles.
  • Quarter 4: Management-level exercise: the board faces the decisions only they can take (disclosure, ransom position, customer communication).

Four exercises a year sounds heavy under the traditional model, where each one costs weeks of consultant preparation. It stops being heavy when generating a scenario takes minutes instead of weeks — which is, transparently, the problem poisettx exists to solve: exercises generated from your own policy documents, run in a digital war room, with the audit-ready debrief produced automatically.

The directive's quiet message is this: incident response is a muscle, and Article 21 expects you to train it — and to keep the receipts.

Frequently asked questions

How often does NIS2 require cybersecurity exercises?

NIS2 does not prescribe a fixed frequency. It requires that your risk-management measures — including incident handling, crisis management, and training — are demonstrably effective and proportionate to your risk. In practice, supervisors and auditors expect at least an annual crisis exercise, with quarterly or scenario-specific exercises as good practice for essential entities.

Is a tabletop exercise enough to comply with NIS2?

A tabletop exercise covers the crisis-management, training, and effectiveness-assessment expectations for your response organization. It does not replace technical testing such as vulnerability scanning or penetration testing — you need both, and they answer different questions.

What documentation should I keep as exercise evidence?

Keep the scenario and objectives, the participant list with roles, the session log or transcript, the debrief report with findings and scores, and the follow-up actions with owners. This trail is exactly what an auditor asks for to verify Article 21 measures are tested in practice.

Does NIS2 apply to my organization?

NIS2 applies to essential and important entities in sectors like energy, transport, health, digital infrastructure, manufacturing of critical products, and digital providers — generally from 50 employees or €10M turnover, with exceptions where smaller entities are in scope regardless of size. If you are in a listed sector, assume you are in scope until verified otherwise.

What happens if we don't comply?

Supervisors can impose fines up to €10 million or 2% of global annual turnover for essential entities (€7 million or 1.4% for important entities), issue binding instructions, and — uniquely under NIS2 — hold management personally responsible for failing to oversee cybersecurity risk management.
