The Ten Article 21 Measure Categories
Article 21(2) of NIS2 requires essential and important entities to implement cybersecurity risk-management measures that include, as a minimum, the following ten categories. We will go through each one and honestly assess whether DDoS detection and monitoring addresses it.
Important context: NIS2 compliance is a holistic obligation. No single tool or product covers all ten categories. Flowtriq addresses the DDoS-specific aspects of incident handling, business continuity, risk analysis, and effectiveness assessment. You will need separate controls (and possibly separate vendors) for the remaining categories. We believe being transparent about scope is more useful than overpromising.
What DDoS Detection Covers
21(2)(a): Policies on risk analysis and information system security
Coverage: Partial. DDoS detection contributes to the risk analysis component by providing continuous visibility into your network's threat landscape. The historical attack data that Flowtriq collects (attack frequency, volume trends, targeted assets, attack type distribution) is direct input to your risk analysis process.
When your risk analysis needs to answer "What is our exposure to availability threats?" and "How effective are our current controls?", the detection data provides empirical answers rather than theoretical estimates. Monthly attack reports show trending, seasonal patterns, and whether your attack surface is growing or shrinking.
However, this category also includes broader information system security policies (acceptable use, change management, security architecture) that fall entirely outside the scope of DDoS detection. Flowtriq provides data for your risk analysis. It does not write your security policies.
21(2)(b): Incident handling
Coverage: Strong. This is the category where DDoS detection provides the most direct and comprehensive coverage. Incident handling encompasses detection, classification, response, mitigation, documentation, and post-incident review. Flowtriq's detection engine, runbooks, and execution logs address every phase:
- Detection: Per-second anomaly detection with automated classification. Attacks are identified and categorized within seconds of onset.
- Response: Automated runbooks execute pre-defined response procedures without human latency. FlowSpec rules, RTBH announcements, notifications, and status page updates all fire automatically.
- Documentation: Every detection event, runbook action, and mitigation step is logged with timestamps and parameters, so the automated part of the incident record needs no manual reconstruction. Actions taken outside the platform (a phone call to your upstream, a manual router change) still have to be recorded by your team before the record is complete and auditable.
- Post-incident review: Execution logs and attack metadata provide the raw material for post-incident analysis. What happened, when, how was it classified, what actions were taken, and how effective were they.
For DDoS incidents specifically, Flowtriq provides end-to-end incident handling coverage. For other incident types (malware, data breach, insider threat), you will need separate incident handling procedures and tools.
21(2)(c): Business continuity and crisis management
Coverage: Partial. DDoS attacks are one of the primary threats to business continuity for ISPs and hosting providers. Automated detection and mitigation is a business continuity control: it ensures that service availability is maintained (or rapidly restored) during DDoS attacks.
Specific business continuity capabilities that Flowtriq provides:
- Automated escalation: If FlowSpec filtering fails to contain an attack, the runbook escalates to upstream scrubbing or RTBH automatically. The escalation chain is the DDoS-specific part of your business continuity plan for volumetric attacks. Keep in mind that RTBH protects the rest of your network by blackholing the targeted prefix, so the affected customer stays unreachable until the attack ends or traffic is diverted to scrubbing.
- Status page communication: Keeping customers informed during incidents is a crisis management function. Automated status pages handle this without requiring human coordination during the crisis.
- Service restoration monitoring: The detection engine monitors for attack cessation and can automatically withdraw mitigation rules and confirm service restoration. Withdrawal should be gated on a hold-down period so that a pulsing attack does not cause rules to flap in and out.
However, business continuity and crisis management extend far beyond DDoS. Backup and recovery, disaster recovery sites, crisis communication plans, and organizational resilience are all part of this category and are not addressed by DDoS detection.
21(2)(f): Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
Coverage: Partial. Flowtriq provides concrete effectiveness metrics for your DDoS-related security controls:
- Detection rate: How many attacks were detected and classified automatically versus how many were only noticed after a customer complaint or manual investigation. Attacks that the engine missed entirely can only be counted once they surface through another channel, so review customer-reported outages against the detection log.
- Mitigation time: Time from detection to mitigation for each incident. Are your runbooks getting faster or slower?
- False positive rate: How many detection events turned out to be legitimate traffic spikes rather than actual attacks.
- Runbook success rate: What percentage of automated responses successfully mitigated the attack without human escalation.
These metrics are exactly what effectiveness assessment requires: empirical evidence that your controls work, measured over time. Monthly reports provide trending data that shows whether your security posture is improving or degrading.
This category also includes broader effectiveness assessment (penetration testing, vulnerability scanning, audit programs) that falls outside DDoS detection scope.
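As an added example (not Flowtriq's own code or export format), here is how the metrics above can be computed from an execution log. The record fields and the five sample incidents are constructed for this illustration. It also handles two cases the list does not spell out: an attack that was never contained automatically (counted as a runbook failure and reported by ID rather than silently dropped from the timing numbers), and false positives, which are excluded from the mitigation denominators so they do not inflate your success rate.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


# Constructed execution-log record. The field names are assumptions for
# this example, not a real Flowtriq schema.
@dataclass
class IncidentRecord:
    incident_id: str
    detected_at: datetime               # first detection-engine event
    mitigated_at: Optional[datetime]    # traffic back under threshold; None if never contained
    verified_attack: bool               # post-incident review: real attack or legitimate spike
    manual_escalation: bool             # a human had to step in after the automated runbook


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample log: four real attacks and one flash-crowd false positive.
SAMPLE_LOG = [
    IncidentRecord("inc-001", _t("2024-03-01T02:14:05"), _t("2024-03-01T02:14:47"), True, False),
    IncidentRecord("inc-002", _t("2024-03-03T11:02:00"), _t("2024-03-03T11:09:30"), True, True),
    IncidentRecord("inc-003", _t("2024-03-05T19:40:12"), _t("2024-03-05T19:40:20"), False, False),
    IncidentRecord("inc-004", _t("2024-03-09T08:00:00"), None, True, True),
    IncidentRecord("inc-005", _t("2024-03-12T23:55:10"), _t("2024-03-12T23:56:01"), True, False),
]


def _pct(part: int, whole: int) -> Optional[float]:
    return round(100.0 * part / whole, 1) if whole else None


def effectiveness_metrics(records: list) -> dict:
    """Derive 21(2)(f)-style effectiveness metrics from incident records."""
    attacks = [r for r in records if r.verified_attack]
    false_positives = [r for r in records if not r.verified_attack]

    # Runbook success: a verified attack contained without human escalation.
    auto_contained = [r for r in attacks
                      if r.mitigated_at is not None and not r.manual_escalation]

    # Time to mitigate is only defined for attacks that were contained at all.
    # Uncontained attacks are listed separately instead of vanishing from the stats.
    ttm = sorted((r.mitigated_at - r.detected_at).total_seconds()
                 for r in attacks if r.mitigated_at is not None)

    return {
        "incidents": len(records),
        "verified_attacks": len(attacks),
        "false_positive_rate_pct": _pct(len(false_positives), len(records)),
        "runbook_success_rate_pct": _pct(len(auto_contained), len(attacks)),
        "uncontained_attacks": [r.incident_id for r in attacks if r.mitigated_at is None],
        "median_time_to_mitigate_s": median(ttm) if ttm else None,
        "max_time_to_mitigate_s": max(ttm) if ttm else None,
    }


if __name__ == "__main__":
    for key, value in effectiveness_metrics(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run the same function over each month's export and you get the trend line the text refers to; the max time to mitigate and the uncontained list are the numbers an auditor will ask about first, because they show the cases where the control did not work rather than the average where it did.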
What DDoS Detection Does NOT Cover
The remaining six categories require separate controls. We are listing them here so you know exactly what else you need to address.
21(2)(d): Supply chain security
Coverage: None. Supply chain security involves assessing and managing risks from your suppliers, service providers, and their products. This includes contractual security requirements, vendor risk assessments, and monitoring the security posture of your supply chain. DDoS detection does not address this category at all.
What you need: vendor risk management processes, security requirements in procurement contracts, and ongoing monitoring of supplier security posture.
21(2)(e): Security in network and information systems acquisition, development and maintenance
Coverage: None. This category covers secure development practices, vulnerability handling, and security testing during system acquisition and maintenance. It addresses how you build and maintain secure systems, not how you defend them against DDoS attacks.
What you need: secure development lifecycle (SDLC) policies, vulnerability management processes, patch management procedures, and security testing during acquisition.
21(2)(g): Basic cyber hygiene practices and cybersecurity training
Coverage: None. This is about people, not technology. Cybersecurity awareness training for staff, basic hygiene practices (password policies, phishing awareness), and ensuring that employees understand their role in maintaining security.
What you need: security awareness training programs, phishing simulation exercises, and documented cyber hygiene policies.
21(2)(h): Policies and procedures regarding the use of cryptography and encryption
Coverage: None. Cryptographic policy covers how your organization uses encryption to protect data in transit and at rest. Key management, certificate lifecycle, algorithm selection, and encryption standards are all part of this category.
What you need: cryptographic policies, key management procedures, TLS configuration standards (with legacy SSL and early TLS versions disabled), and encryption-at-rest requirements.
21(2)(i): Human resources security, access control policies, and asset management
Coverage: None. This is a broad category covering HR security (background checks, joiners/movers/leavers procedures), access control (least privilege, MFA, role-based access), and asset management (inventory of systems, data classification).
What you need: IAM solutions, MFA implementation, asset inventory systems, HR security procedures, and access control policies.
21(2)(j): Use of multi-factor authentication or continuous authentication solutions
Coverage: None. This category requires MFA or continuous authentication and, where appropriate, secured voice, video and text communications and secured emergency communication systems within the entity. These are controls on user and system authentication and internal communications, not on network traffic monitoring.
What you need: MFA deployment across all critical systems, authentication policies, and monitoring of authentication events.
The Honest Coverage Map
Here is the complete mapping in summary form:
Article 21(2) Category                             DDoS Detection Coverage
--------------------------------------------------------------------------------
(a) Risk analysis, info system security            Partial (threat data for risk analysis)
(b) Incident handling                              Strong (full DDoS incident lifecycle)
(c) Business continuity, crisis management         Partial (availability protection)
(d) Supply chain security                          None
(e) Secure acquisition, development, maintenance   None
(f) Effectiveness assessment                       Partial (DDoS control metrics)
(g) Cyber hygiene and training                     None
(h) Cryptography and encryption                    None
(i) HR security, access control, asset mgmt        None
(j) Multi-factor authentication                    None
Four categories with partial to strong coverage. Six categories with no coverage. That is the honest picture.
Where Flowtriq Fits in Your Compliance Stack
Flowtriq is one component in a broader NIS2 compliance program. Specifically, it is the component that addresses the most common and most disruptive threat to ISP and hosting provider availability: DDoS attacks.
The value Flowtriq provides for NIS2 compliance is twofold:
First, it implements required controls. Incident handling (21(2)(b)) is not optional. You must have documented, tested, and effective incident handling procedures. For DDoS incidents, Flowtriq provides those procedures in the form of automated detection, classification, runbook-driven response, and comprehensive logging. The measure itself is mandatory; how you implement it is your choice, and this is one way to implement the DDoS part of it.
Second, it generates evidence. NIS2 compliance is not just about having controls. It is about demonstrating that you have controls, that they work, and that you can prove it. Every incident detection, every runbook execution, every mitigation action, and every effectiveness metric is logged, timestamped, and exportable. When your auditor or national authority asks for evidence of your incident handling capabilities, you hand them the execution logs and monthly reports. The same timestamped records are what you need to meet the Article 23 reporting clock for a significant incident: early warning within 24 hours of becoming aware of it, incident notification within 72 hours, and a final report no later than one month after that notification.
Flowtriq covers the DDoS-related controls in your NIS2 compliance posture. It is not the whole directive. No single product is. The organizations that get NIS2 right are the ones that honestly assess their gaps across all ten categories and address each one with appropriate controls.
Getting Started
If you are working through NIS2 compliance and need to address the DDoS-specific aspects of incident handling, business continuity, and effectiveness assessment, Flowtriq is the tool for that job. For the other six categories, you will need separate controls, and we encourage you to work with a compliance advisor who can help you build a complete program.
Flowtriq starts at $9.99/node/month. NIS2 reporting tools are included on all plans. Start your free 7-day trial or review pricing to see what fits your infrastructure.