NIS2 Article 21 Implementation: Three Patterns from Q1 2026 Sectoral Audits
Three implementation patterns emerged from Q1 2026 sectoral audits of NIS2 Article 21 measures across nine EU member states. The patterns reflect operator interpretation choices rather than legal ambiguity; Article 21 is comparatively prescriptive on the ten minimum-measure categories. The divergence matters because audit findings drive enforcement letters, and enforcement letters drive procurement decisions for the next twelve months.
What happened
ENISA's Q1 2026 compendium of national competent authority audit findings covered 134 audits across nine member states (Germany, France, Netherlands, Poland, Czech Republic, Lithuania, Latvia, Estonia, Finland) [1]. The audits sampled regulated entities across water, energy, transport, and digital infrastructure sectors. Article 21 measure-by-measure compliance ranged from 41% on incident handling formalization to 79% on basic access control.
Three patterns crystallized across the audit reports.
Technical detail
The first pattern is variation in supply-chain security interpretation. NIS2 Article 21(2)(d) requires "security in supply chain, including security-related aspects concerning the relationships between each entity and its direct suppliers." Operators implemented this either as contractual flow-down (require suppliers to attest to specific controls) or as technical validation (run an independent assessment of supplier security posture). The two approaches are not equivalent in audit defense: French and Dutch competent authorities credited contractual flow-down provided that the contract included audit rights, while German and Polish authorities required evidence that those audit rights had actually been exercised at least every twenty-four months [2].
The second pattern is divergence on encryption-at-rest requirements. Article 21(2)(h) requires policies and procedures for cryptography, but neither the directive nor the implementing acts specify which data must be encrypted at rest. Water utilities in Germany and Finland implemented full-disk encryption on all servers including SCADA historians. Water utilities in Lithuania and Estonia limited encryption to business IT, leaving historian databases unencrypted under the rationale that an attacker with database access has bypassed the relevant controls. Both interpretations passed Q1 audits in their respective member states, but the ENISA compendium notes that the divergence is unlikely to persist past the next round of harmonized guidance.
The third pattern is governance documentation depth. Article 21(1) requires risk-management measures to be appropriate and proportionate. Operators documented this either through a single-page risk acceptance statement signed by the executive responsible for cybersecurity (the minimum interpretation) or through a multi-document risk register with quarterly review minutes (the maximum interpretation). Audit findings indicate that single-page statements survived initial Q1 audits but generated follow-up requests for additional evidence in five of nine member states [3].
EU context
The European Commission's NIS2 implementation review, expected in Q4 2026, will likely propose specifications that narrow these divergences. Practitioners should expect the supply-chain interpretation to converge on a "demonstrable audit rights exercise" standard, the encryption interpretation to converge on a "regulated data classes" standard with explicit enumeration, and the governance documentation interpretation to converge on a "risk register with review evidence" minimum.
For Lithuania specifically, the TIS2 bylaw published in March 2026 already requires the risk register documentation level rather than the single-page acceptance. Lithuanian operators that have not yet upgraded their NIS2 documentation to the TIS2 standard will need to do so before the next NKSC audit cycle, regardless of how Commission-level guidance evolves [4].
Sectoral implication
Three operational priorities for compliance officers at NIS2-regulated entities:
- Document supplier audit exercise. If supply-chain security is implemented via contract flow-down, schedule at least one independent assessment per supplier per two years and retain the evidence with the procurement record. Audit rights that are never exercised offer limited defense value.
- Re-baseline encryption-at-rest scope. Assume the next ENISA harmonized guidance will require historian database encryption. Begin the planning conversation with operations engineering now; the technical migration is non-trivial because historian write performance is sensitive to encryption overhead and most operators have not benchmarked their specific deployment.
- Move to risk register documentation. The single-page acceptance is a temporary interpretation. The risk register with quarterly minutes is the converging standard and is also a better operational artifact for incident defensibility.
The ENISA Q2 compendium is scheduled for July 2026; operators with audits planned in that quarter should review the Q1 findings before their assessment date.
Sources
- [1] Q1 2026 NIS2 Audit Compendium. ENISA, 08 Apr 2026.
- [2] Supply chain security under NIS2: comparative analysis. ENISA, 18 Mar 2026.
- [3] Governance documentation expectations under NIS2. CERT-EU, 25 Mar 2026.
- [4] TIS2 implementing secondary legislation (TIS2 įgyvendinimo poįstatyminiai aktai). NKSC Lietuva, 04 Mar 2026.