Proportionality in Practice: Right-Sizing Your NIS2 Measures

Master NIS2 proportionality requirements. Learn how to assess, scale, and justify cybersecurity measures for essential and important entities.

Daniel Grigorovich
Founder · 25 May 2026 · 7 min read
NIS2

Who should read this: Compliance Officers, Chief Information Security Officers, Risk Management Professionals.

One of the most significant challenges that organisations face when implementing the NIS2 Directive is determining what “appropriate and proportionate” actually means in practice. The Directive repeatedly emphasises proportionality: in Article 21(1), it mandates that essential and important entities implement “appropriate and proportionate technical, operational and organisational measures.” This language sounds straightforward until you sit down with your board and try to explain why your organisation is spending millions on certain controls but not others. Understanding proportionality is not academic; it is the legal and practical foundation of your compliance programme.

The principle of proportionality exists for good reason. The Directive explicitly recognises in Recital 81 that imposing disproportionate financial and administrative burdens serves no one, not the organisations themselves, and certainly not the security posture of Europe’s critical infrastructure. Yet proportionality is not a free pass to do the bare minimum. Instead, it is a nuanced requirement that demands you understand your risks, your operating context, and the resources at your disposal, then make defensible decisions about where to invest your security budget.

Understanding the Proportionality Framework

Article 21(1) of NIS2 sets out the core principle: measures must ensure a level of security appropriate to the risks posed to your network and information systems. When assessing whether those measures are proportionate, the Directive requires that due account be taken of several factors. Although Article 21(1) does not itself prescribe how you record this, you will need to consider each factor systematically and document your reasoning if you expect to defend it. Together these factors form a proportionality matrix that every compliance officer should internalise.

The first factor is your organisation’s exposure to risks. This is not generic risk; it is the specific threat landscape facing your sector and your particular position within it. A healthcare provider managing patient records faces different threats than a water utility managing distribution networks, even if both are essential entities. Your exposure assessment should consider the sector-specific threat intelligence available to you, the prevalence of attacks against similar organisations, and the tactics that threat actors typically employ in your industry. The Cooperation Group and ENISA publish sector-specific guidance, and your national CSIRT can provide threat information tailored to your national context.

The second factor is your organisation’s size. A small essential entity with fifty employees cannot credibly implement the same technical architecture as a large multinational corporation. NIS2 acknowledges this reality. When you assess proportionality, your organisation’s size (measured in employees, revenue, or operational scope) is a legitimate variable. However, size is not a binary; it sits on a spectrum. A mid-market organisation cannot hide behind size claims. The Directive expects a proportionate response that reflects your actual operational capability.

The third factor is the likelihood and severity of incidents that could affect your operations. This is probability multiplied by impact. You need to estimate not merely whether an incident could occur, but how likely it is given your threat landscape, and what the consequences would be if it did. The consequences include operational disruption, financial loss, and critically, societal and economic impact. If your organisation provides energy, water, or health services, an incident could harm public welfare. The societal dimension is woven throughout NIS2 and is essential to proportionality assessments for essential entities.

Recital 82 adds further clarity: proportionality should reflect the criticality of your entity, the risks to which it is exposed (including societal risks), your size, and the likelihood and severity of incidents including their societal and economic impact. Note the deliberate repetition of societal impact. The Directive is signalling that for essential entities, societal impact is not peripheral; it is central to determining appropriate measures.

The Role of Standards and State-of-the-Art

Article 21(1) requires that you consider “the state-of-the-art and, where applicable, relevant European and international standards, as well as the cost of implementation” when determining proportionate measures. This is critical language. You are not expected to implement every cutting-edge technology or every control published in the latest NIST framework revision. You are expected to implement measures that are current and accepted within your industry.

The phrase “state-of-the-art” is a moving target. It means the current, widely accepted best practices in your sector. If your water utility competitors are implementing industrial control system hardening according to IEC 62443, then state-of-the-art for water utilities includes that standard. If hospitals are deploying medical device segmentation networks, that becomes relevant to other hospitals’ proportionality assessments.

European and international standards (ISO 27001, ISO 27005, IEC 62443, NIST Cybersecurity Framework, and others) serve as reference points. They are not mandatory by name, but they are the benchmarks against which regulators will assess whether your approach is reasonable. Notably, the Directive does not require you to be certified to ISO 27001. It does not mandate specific control frameworks. It asks that you take them seriously as points of reference and justify departures from them.

Cost of implementation is explicitly part of the proportionality assessment. If a particular control costs more than the benefit it delivers, you have legitimate grounds to question whether it is proportionate. However, this must be understood carefully. You cannot argue that a critical control is disproportionate because it is expensive if the alternative is unacceptable risk to your organisation or to public services. Instead, you assess cost-benefit at the margin: controls that deliver modest risk reduction at enormous cost may reasonably be deprioritised in favour of controls that deliver substantial risk reduction at moderate cost.

Documenting Your Proportionality Analysis

In practice, proportionality must be demonstrable. Your compliance officers, your board, and ultimately your regulator need to see that you have applied a structured methodology to your proportionality assessment. This is not about producing elaborate documentation for its own sake. It is about creating an audit trail that shows your reasoning.

Start by mapping your critical assets and services. What are the core services your organisation provides? What network and information systems are essential to delivering those services? For essential entities, this typically includes systems supporting energy supply, water distribution, transport networks, health services, or digital infrastructure. For important entities, the assessment is narrower but follows the same logic.

Next, conduct a risk assessment that addresses the specific factors mentioned in Article 21(1). Document your exposure to risks: which threat actors target your sector, what techniques do they employ, what is the typical frequency of attacks, and what is the severity of incidents when they occur. Assess your size and operational capability: how many security professionals do you have, what is your budget, what is your geographic footprint, and what is your technical maturity? Evaluate the likelihood and severity of incidents that could affect your organisation specifically, drawing on sector-specific threat intelligence and your own historical incident data.

Then, for each of the risk-management measures listed in Article 21(2), evaluate which specific controls are proportionate to your risk profile. Those measures cover, at a minimum: policies on risk analysis and information system security; incident handling; business continuity, including backup management, disaster recovery and crisis management; supply chain security; security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure; procedures to assess the effectiveness of your measures; basic cyber hygiene practices and cybersecurity training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control and asset management; and the use of multi-factor or continuous authentication together with secured voice, video and text communications. You may implement these measures through different mechanisms: some organisations build controls in-house, others outsource to managed security service providers, and some rely on cloud providers’ built-in capabilities. The Directive cares about the outcome, that measures are in place and effective, not the delivery mechanism.

Document your decisions and your reasoning. If you have decided not to implement a particular control, explain why it is not proportionate. If you have implemented a control in a modified form rather than the standard industry approach, explain the risk-based justification. This documentation is not mere bureaucracy; it is your first line of defence if your regulator questions your proportionality assessment.

Proportionality in Enforcement

It is worth noting that proportionality is not only a design principle; it is also an enforcement principle. Article 21(4) requires that an entity which finds it does not comply with the measures in Article 21(2) take “all necessary, appropriate and proportionate corrective measures” without undue delay. This means that if you identify a gap, your remediation plan should be proportionate to the risk posed by that gap. A delay in multi-factor authentication deployment on a non-critical internal system might reasonably be given a longer remediation timeline than a gap in incident detection capability on a critical system, which should be closed first.

Furthermore, proportionality is embedded in the administrative fines regime. Article 34 sets maximum fines of EUR 10 million or 2 per cent of total worldwide annual turnover, whichever is higher, for essential entities, and EUR 7 million or 1.4 per cent of total worldwide annual turnover, whichever is higher, for important entities. These are maximums, not guarantees. When competent authorities decide on enforcement measures and fines, they must take into account factors such as the gravity and duration of the infringement, whether it was intentional or negligent, any damage caused, the measures taken to prevent or mitigate it, and the degree of cooperation with the authorities. An organisation that can demonstrate a good-faith proportionality assessment and rapid remediation following discovery of a gap will be treated more leniently than an organisation that ignores its obligations.

Key Takeaways

  • Proportionality is a legal requirement, not an excuse for minimal compliance. Article 21(1) and Recitals 81 and 82 require your risk-management measures to match your risk exposure, size, and operational context, and you should be able to document how they do.

  • Your proportionality assessment should explicitly address threat exposure, organisational size, likelihood and severity of incidents, and societal impact for essential entities. Each factor should be documented with evidence and reasoning.

  • State-of-the-art standards and practices in your sector serve as reference points. Use ISO, NIST, IEC, and sector-specific frameworks to benchmark your approach, and document any justified departures.

  • Proportionality is not static. As threats evolve, your organisation grows, or your critical services change, revisit your proportionality assessment and adjust your measures accordingly.

  • Clear documentation of your proportionality methodology is your strongest defence. It demonstrates good-faith compliance, supports board governance, and provides evidence of reasonable decision-making in regulatory conversations.

Daniel Grigorovich · Founder

I believe that no business should suffer from "compliance checklists" or from navigating vague regulatory text. While I still stand by the principle that all software products should be reliable and secure, I want to give companies a way to overcome the challenges faced when implementing these requirements.