How to Report NIS2 to Your Board
4 Board-Ready Metrics to Report for NIS2 (and how to measure them)
Here are 4 board-ready NIS2 metrics you can report every quarter (and monthly to EXCO). To make them resonate, each one is grounded in real-world risk and financial impact, maps to a specific NIS2 obligation, spells out how to measure it, and lists the audit-friendly evidence your regulator will expect.
1. Incident Reporting Readiness & Timeliness (Art. 23)
What to report:
% of “significant incidents” where the early warning to the CSIRT/competent authority was sent ≤ 24h after you became aware of the incident.
% with the 72h “incident notification” sent on time (≤ 72h after becoming aware).
Median hours from awareness to early warning and to incident notification (trend vs last quarter).
How to measure:
Instrument your IR ticketing/SOAR to time-stamp each step: awareness → early warning → 72h notification → final report. The Art. 23 clock starts when the entity becomes aware, so record that moment explicitly rather than inferring it from the first alert.
Tag incidents that meet your “significant” threshold (aligned to Art. 23 and your competent authority’s guidance), so the denominator is the set the regulator cares about.
Reconcile against legal/PR comms logs and CSIRT submission receipts; the receipt timestamp, not the internal ticket update, is what you will be judged on.
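The computation behind the three figures above, as an added example rather than code from the original article: it takes a per-incident export with the awareness timestamp and the timestamp of each staged report, classifies each stage as on time, late, missing (deadline passed, nothing sent) or pending (not yet due), and returns the percentages, medians and the overdue list for the slide. The Incident records, the "one month" approximation of 30 days and the significance tags are constructed assumptions; the final report is measured from the notification, as Art. 23 requires, not from awareness.

```python
"""Art. 23 reporting-timeliness metrics from an incident export.

Added example, not code from the original article. It assumes your IR
ticketing/SOAR can export, per incident, when you became aware of it and
when each staged report was sent; the Incident records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Art. 23 deadlines. Early warning and notification run from the moment of
# becoming aware; the final report runs from the notification ("one month"
# is approximated here as 30 days).
STAGES = {
    "early_warning": timedelta(hours=24),
    "notification": timedelta(hours=72),
    "final_report": timedelta(days=30),
}


@dataclass
class Incident:
    ident: str
    significant: bool                     # tagged against your Art. 23 threshold
    aware: datetime
    early_warning: Optional[datetime] = None
    notification: Optional[datetime] = None
    final_report: Optional[datetime] = None


def _start(inc: Incident, stage: str) -> Optional[datetime]:
    """Clock start for a stage: awareness, except the final report, which
    runs from the 72h notification (None if that was never sent)."""
    return inc.notification if stage == "final_report" else inc.aware


def hours(a: datetime, b: datetime) -> float:
    return (b - a).total_seconds() / 3600


def stage_status(inc: Incident, stage: str, now: datetime) -> Optional[str]:
    """on_time / late (sent after the deadline) / missing (not sent, deadline
    passed) / pending (not sent, still within the deadline); None when the
    stage cannot be due yet."""
    start = _start(inc, stage)
    if start is None:
        return None
    deadline = start + STAGES[stage]
    sent = getattr(inc, stage)
    if sent is not None:
        return "on_time" if sent <= deadline else "late"
    return "missing" if now > deadline else "pending"


def timeliness(incidents: list, now: datetime) -> dict:
    """Board figures for significant incidents: % on time per stage (pending
    stages are excluded from the denominator, missing ones count as misses),
    median hours to each report, and the overdue items that need an owner."""
    sig = [i for i in incidents if i.significant]
    out = {"significant_incidents": len(sig), "overdue": []}
    for stage in STAGES:
        statuses = {i.ident: stage_status(i, stage, now) for i in sig}
        due = [s for s in statuses.values() if s in ("on_time", "late", "missing")]
        out[f"{stage}_on_time_pct"] = round(100 * due.count("on_time") / len(due), 1) if due else None
        deltas = [hours(_start(i, stage), getattr(i, stage)) for i in sig
                  if getattr(i, stage) is not None and _start(i, stage) is not None]
        out[f"{stage}_median_hours"] = round(median(deltas), 1) if deltas else None
        out["overdue"] += [f"{k}:{stage}" for k, s in statuses.items() if s in ("late", "missing")]
    return out


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed quarterly export (UTC, ISO 8601 with explicit offset).
SAMPLE = [
    Incident("INC-1", True, _ts("2025-01-10T08:00:00+00:00"),
             early_warning=_ts("2025-01-10T20:00:00+00:00"),    # 12h: on time
             notification=_ts("2025-01-12T09:00:00+00:00"),     # 49h: on time
             final_report=_ts("2025-02-05T10:00:00+00:00")),    # 24d after notification: on time
    Incident("INC-2", True, _ts("2025-02-03T22:00:00+00:00"),
             early_warning=_ts("2025-02-05T06:00:00+00:00"),    # 32h: late
             notification=_ts("2025-02-06T21:00:00+00:00")),    # 71h: on time; final report never sent
    Incident("INC-3", False, _ts("2025-02-20T09:00:00+00:00")),  # below the significance threshold
    Incident("INC-4", True, _ts("2025-03-28T15:00:00+00:00")),   # 18h old, nothing sent yet: pending
]
NOW = _ts("2025-03-29T09:00:00+00:00")

if __name__ == "__main__":
    for k, v in timeliness(SAMPLE, NOW).items():
        print(f"{k}: {v}")
```

Two design points matter for the board number: an incident whose deadline has not passed yet is left out of the percentage rather than counted as a success, and a report that was never sent counts as a miss once its deadline passes, so the figure cannot be improved by not filing.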
Evidence for auditors/regulator:
Incident timeline exports + CSIRT submission receipts; copies of the early warning and the incident notification; the final report within one month of the notification, plus any intermediate or progress report the authority requested.
Playbook that shows who triggers which report and when.
Why This Metric Matters (The "So What"):
The 24-hour "early warning" deadline is one of the most demanding parts of NIS2. This isn't just a compliance checkbox; it's a direct measure of your procedural maturity. IBM's 2023 Cost of a Data Breach Report found that it takes organizations an average of 204 days just to identify a breach, let alone report it. This metric proves your internal processes are fast, decisive, and coordinated. Failure here, in front of your regulator, signals a chaotic response and invites maximum scrutiny and potential fines.
Why it maps to NIS2: Art. 23 sets the staged deadlines: an early warning within 24h and an incident notification within 72h of becoming aware of a significant incident, and a final report within one month of the notification. (EUR-Lex)
2. Recovery Capability: Restore Success & RTO/RPO (Art. 21(2)(c))
What to report:
Restore Success Rate for Tier-1 services (last quarter).
% Tier-1 restores meeting RTO/RPO targets (by service).
Oldest successful restore proof per Tier-1 service (days since the last successful drill).
How to measure:
Run documented restore drills (actually restoring to a target and validating the data, not just checking that backup jobs completed) for each Tier-1 service at least quarterly.
Capture start/end timestamps, the timestamp of the backup copy that was restored (this is what gives you the achieved RPO), data-integrity checks, and any manual steps.
Track a gap log (controls, staffing, vendor assistance) with owners and remediation dates.
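How the drill log turns into the three figures above, as an added example that is not code from the original article: each drill record carries the targets, the start and end times, the timestamp of the restored backup copy and the integrity-check result; achieved RTO is end minus start, achieved RPO is drill start minus backup time (the data you would have lost had the incident struck at that moment), and a restore that completes but fails its integrity check is a failure regardless of how fast it was. The services, targets and drill records are constructed, and the 90-day proof-age threshold is an assumption matching the quarterly cadence.

```python
"""Restore-drill metrics for Art. 21(2)(c) (backup management and disaster recovery).

Added example, not code from the original article. It assumes each drill is
logged with start/end timestamps, the timestamp of the backup copy that was
restored, and the result of a data-integrity check; services, targets and
drill records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

H = timedelta(hours=1)


@dataclass
class Drill:
    service: str
    rto: timedelta                  # target: how quickly the service must be back
    rpo: timedelta                  # target: how much data may be lost
    started: datetime
    backup_taken: datetime          # when the restored backup copy was taken
    finished: Optional[datetime]    # None if the restore was abandoned
    integrity_ok: bool              # checksum / application-level validation passed
    manual_steps: int = 0           # hand work logged during the drill (gap-log input)


def drill_result(d: Drill) -> dict:
    """Judge one drill. A restore that completes but fails its integrity check
    is a failure, and RTO/RPO are only credited to successful restores."""
    success = d.finished is not None and d.integrity_ok
    achieved_rto = (d.finished - d.started) if d.finished is not None else None
    achieved_rpo = d.started - d.backup_taken   # data lost had the incident struck at drill start
    return {
        "service": d.service,
        "success": success,
        "rto_met": success and achieved_rto <= d.rto,
        "rpo_met": success and achieved_rpo <= d.rpo,
        "achieved_rto_h": round(achieved_rto / H, 2) if achieved_rto is not None else None,
        "achieved_rpo_h": round(achieved_rpo / H, 2),
    }


def recovery_metrics(drills: list, tier1_services: list, now: datetime,
                     max_proof_age_days: int = 90) -> dict:
    """Quarterly board figures: success rate, % of drills meeting RTO/RPO
    (failed restores count as misses), days since each Tier-1 service last
    proved a restore, and services with no proof inside the drill cadence."""
    results = [drill_result(d) for d in drills]
    n = len(results)

    def pct(flag: str):
        return round(100 * sum(r[flag] for r in results) / n, 1) if n else None

    proof_age = {}
    for svc in tier1_services:
        good = [d.finished for d, r in zip(drills, results) if d.service == svc and r["success"]]
        proof_age[svc] = (now - max(good)).days if good else None
    return {
        "restore_success_pct": pct("success"),
        "rto_met_pct": pct("rto_met"),
        "rpo_met_pct": pct("rpo_met"),
        "days_since_last_proof": proof_age,
        "no_current_proof": sorted(s for s, a in proof_age.items()
                                   if a is None or a > max_proof_age_days),
    }


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed drill log for one quarter (UTC timestamps).
TIER1 = ["payments", "erp", "patient-portal"]
SAMPLE = [
    Drill("payments", rto=4 * H, rpo=1 * H, started=_ts("2025-02-03T09:00:00+00:00"),
          backup_taken=_ts("2025-02-03T08:30:00+00:00"),
          finished=_ts("2025-02-03T11:45:00+00:00"), integrity_ok=True),   # 2.75h / 0.5h: both met
    Drill("erp", rto=8 * H, rpo=4 * H, started=_ts("2025-02-10T09:00:00+00:00"),
          backup_taken=_ts("2025-02-10T06:00:00+00:00"),
          finished=_ts("2025-02-10T19:30:00+00:00"), integrity_ok=True,
          manual_steps=3),                                                   # 10.5h RTO missed, 3h RPO met
    Drill("patient-portal", rto=2 * H, rpo=1 * H, started=_ts("2025-01-15T09:00:00+00:00"),
          backup_taken=_ts("2025-01-15T08:45:00+00:00"),
          finished=_ts("2025-01-15T10:20:00+00:00"), integrity_ok=False),  # fast but corrupt: failed
]
NOW = _ts("2025-03-31T00:00:00+00:00")

if __name__ == "__main__":
    for k, v in recovery_metrics(SAMPLE, TIER1, NOW).items():
        print(f"{k}: {v}")
```

The "no_current_proof" list is the one to put in the Exceptions bullets: a service that has never passed an integrity-checked restore, or whose last proof is older than the drill cadence, has no evidence behind its green RTO/RPO target.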
Evidence for auditors/regulator:
Drill runbooks + screenshots, evidence of an immutable or offline backup copy, integrity-check logs, sign-offs.
Why This Metric Matters (The "So What"):
Boards understand downtime. Average downtime from a ransomware attack now runs to around 24 days, and IBM's 2023 Cost of a Data Breach Report puts the average cost of a breach at $4.45 million. The 2021 Conti ransomware attack on the Irish Health Service Executive (HSE) is the ultimate case study: the bill has been estimated at several hundred million euro, and it took months to restore critical services, in large part because recovery capability had never been proven. This metric proves you can survive an attack, not just detect one.
Why it maps to NIS2: Art. 21(2)(c) requires business continuity, including backup management and disaster recovery; ENISA’s technical guidance expects monitoring/measurement results to be reported to management. (ENISA)
3. Vulnerability & Exposure Management: KEV/Critical MTTR (Art. 21(2)(e) vulnerability handling)
What to report:
Mean Time to Remediate (MTTR) for Critical vulns (and KEV-listed when applicable).
% Critical/KEV remediated within policy (e.g., Critical ≤ 14 days; KEV ≤ 7 days), counting open findings past their SLA as misses.
% assets on unsupported OS/app versions (legacy exposure).
How to measure:
Use your VM platform + asset inventory to age findings from first seen → fixed/compensated; findings that are still open past their SLA must count as misses, or the number rewards leaving tickets open.
Report patched separately from compensated (e.g., virtual patching or runtime protection on legacy systems that cannot be patched), and keep every compensating control in a dated exceptions register with a planned retirement.
Track internet-exposed assets separately, with tighter SLOs.
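The aging logic above, as an added example that is not code from the original article: findings are aged from first seen to closure (or to now while open), the SLA is the stricter of the Critical and KEV targets, halved for internet-exposed assets, and an open finding past its SLA is a breach just like a late closure. It returns MTTR for Critical and for KEV, % within policy, the patched/compensated split, the breached finding IDs for the exceptions register, and the legacy-exposure percentage. The SLA table, halving factor and findings are constructed assumptions.

```python
"""Vulnerability-exposure metrics for Art. 21(2)(e): Critical/KEV MTTR and policy adherence.

Added example, not code from the original article. It assumes your VM platform
exports findings with first-seen and closure timestamps plus a closure type
(patched vs compensating control), and that the asset inventory flags internet
exposure and unsupported OS/app versions. The SLA table and the findings
below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed policy: the stricter SLA applies when a finding is both Critical
# and KEV-listed; internet-exposed assets get half the time.
SLA_DAYS = {"critical": 14, "kev": 7}
EXPOSED_FACTOR = 0.5
DAY = timedelta(days=1)


@dataclass
class Finding:
    fid: str
    asset: str
    severity: str                    # "critical", "high", ...
    kev: bool                        # listed in CISA's Known Exploited Vulnerabilities catalog
    internet_exposed: bool
    first_seen: datetime
    closed_at: Optional[datetime] = None
    closure: Optional[str] = None    # "patched" | "compensating" | None while open


def sla_for(f: Finding) -> Optional[timedelta]:
    """Remediation SLA for a finding, or None when it is outside this metric."""
    days = [SLA_DAYS[k] for k, hit in (("kev", f.kev), ("critical", f.severity == "critical")) if hit]
    if not days:
        return None
    return min(days) * (EXPOSED_FACTOR if f.internet_exposed else 1) * DAY


def age(f: Finding, now: datetime) -> timedelta:
    """First seen -> closed, or first seen -> now while still open."""
    return (f.closed_at or now) - f.first_seen


def exposure_metrics(findings: list, now: datetime,
                     unsupported_assets: int, total_assets: int) -> dict:
    scoped = [f for f in findings if sla_for(f) is not None]
    status = {}
    for f in scoped:
        if age(f, now) <= sla_for(f):
            status[f.fid] = "on_time" if f.closed_at else "pending"
        else:
            status[f.fid] = "breached"       # closed late, or still open past its SLA
    due = [s for s in status.values() if s != "pending"]
    closed = [f for f in scoped if f.closed_at]

    def mttr(subset: list):
        return round(sum(age(f, now) / DAY for f in subset) / len(subset), 1) if subset else None

    return {
        "critical_mttr_days": mttr([f for f in closed if f.severity == "critical"]),
        "kev_mttr_days": mttr([f for f in closed if f.kev]),
        "within_policy_pct": round(100 * due.count("on_time") / len(due), 1) if due else None,
        "closed_by": {"patched": sum(f.closure == "patched" for f in closed),
                      "compensating": sum(f.closure == "compensating" for f in closed)},
        "breached": sorted(k for k, s in status.items() if s == "breached"),
        "unsupported_assets_pct": round(100 * unsupported_assets / total_assets, 1) if total_assets else None,
    }


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed VM export for one month (UTC timestamps).
NOW = _ts("2025-03-31T00:00:00+00:00")
SAMPLE = [
    Finding("F1", "erp-db-01", "critical", kev=False, internet_exposed=False,
            first_seen=_ts("2025-03-01T00:00:00+00:00"),
            closed_at=_ts("2025-03-10T00:00:00+00:00"), closure="patched"),        # 9d vs 14d: on time
    Finding("F2", "vpn-gw-01", "critical", kev=True, internet_exposed=True,
            first_seen=_ts("2025-03-05T00:00:00+00:00"),
            closed_at=_ts("2025-03-09T00:00:00+00:00"), closure="compensating"),   # 4d vs 3.5d: breached
    Finding("F3", "build-srv-02", "high", kev=True, internet_exposed=False,
            first_seen=_ts("2025-03-20T00:00:00+00:00"),
            closed_at=_ts("2025-03-24T00:00:00+00:00"), closure="patched"),        # 4d vs 7d: on time
    Finding("F4", "web-01", "critical", kev=False, internet_exposed=True,
            first_seen=_ts("2025-03-26T00:00:00+00:00")),                          # open 5d vs 7d: pending
    Finding("F5", "legacy-app-03", "critical", kev=False, internet_exposed=False,
            first_seen=_ts("2025-03-10T00:00:00+00:00")),                          # open 21d vs 14d: breached
    Finding("F6", "hr-01", "high", kev=False, internet_exposed=False,
            first_seen=_ts("2025-03-12T00:00:00+00:00")),                          # high, not KEV: out of scope
]

if __name__ == "__main__":
    for k, v in exposure_metrics(SAMPLE, NOW, unsupported_assets=2, total_assets=10).items():
        print(f"{k}: {v}")
```

Note that F2 closed in 4 days, which would look fine against a flat 7-day KEV target, and is only a breach because the exposed-asset rule halves it; report the exposed subset separately so that distinction survives on the slide.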
Evidence for auditors/regulator:
VM dashboards, change tickets, exceptions register with compensating controls, management sign-offs.
Why This Metric Matters (The "So What"):
The gap between vulnerability disclosure and exploitation is collapsing. While the average Mean Time to Remediate (MTTR) for critical vulnerabilities hovers around 12 days (Edgescan, 2024), threat actors can have working exploits within a day of disclosure. The 2023 MOVEit Transfer vulnerability (added to CISA's KEV catalog within days) is the clearest example: it was exploited by the Cl0p group before a patch existed and at scale in the days after disclosure, and organizations that were slow to patch and to check for compromise ended up among more than 2,000 victims. This metric measures your speed in a race you can't afford to lose.
Why it maps to NIS2: Art. 21 mandates risk-based technical/operational measures, with vulnerability handling named in Art. 21(2)(e); the Implementing Regulation (EU) 2024/2690 translates these into concrete security requirements with compliance monitoring, including evidence that management receives reporting. Note that CIR 2024/2690 applies directly only to the digital-infrastructure and digital-provider entity types it lists (DNS, TLD registries, cloud, data centres, CDNs, managed service and managed security service providers, online marketplaces, search engines, social networks, trust service providers); other entities can still use it as the most concrete reference for what "appropriate measures" look like. (Blaze Information Security)
4. Supply-Chain Resilience: Vendor IR & Tabletop Coverage (Art. 21(2)(d))
What to report:
% of critical suppliers with NIS2-aligned IR SLAs (acknowledge within 1 hour; incident information flows that let you meet your own 24h/72h deadlines; evidence sharing).
% of critical suppliers that participated in a joint tabletop in the last 12 months.
% supplier integrations with MFA/SSO + IP allow-listing (admin/support access).
How to measure:
Maintain a tiered supplier register (critical/important).
Log tabletop dates, scenarios, gaps, and improvements; require flow-down of IR terms to sub-processors.
Validate admin access controls via quarterly attestation/evidence.
Evidence for auditors/regulator:
Executed DPAs/MSAs with IR clauses; tabletop reports; supplier attestations for MFA/SSO.
Why This Metric Matters (The "So What"):
Gartner predicts that by 2025, 45% of organizations worldwide will have experienced an attack on their software supply chain. NIS2 makes supply-chain security, including the security-related aspects of your relationships with direct suppliers, part of your own risk-management obligations. The 2020 SolarWinds attack showed how one compromised vendor (an IT management tool) delivered a trojanized update to roughly 18,000 customers and became a master key into high-value targets, including US government agencies. This metric proves you are not just securing your own house but also vetting every key-holder you give access to.
Why it maps to NIS2: Art. 21(2)(d) requires supply-chain security, including the security-related aspects of relationships with direct suppliers and service providers, as part of risk management; ENISA guidance and NIS2 awareness materials highlight supplier measures and management oversight. (ENISA)
How to present these to the Board (1 slide)
Top line: Green/Amber/Red for each metric vs target.
Sparkline trend: last 4 quarters.
Exceptions: 3 bullets (biggest blocker; owner; ETA).
Ask: Decisions or budget needed this quarter.
Why these 4? They directly evidence NIS2’s pillars: incident reporting (Art. 23), continuity/recovery (Art. 21(2)(c)), technical risk management (Art. 21(2)(e) + CIR 2024/2690), and supply-chain security (Art. 21(2)(d))—and they’re measurable with auditable trails.
Sources & Further Reading
NIS2 (official text) — Directive (EU) 2022/2555: Articles 21 (risk management) & 23 (incident reporting); penalties in Art. 34.
Link:
https://eur-lex.europa.eu/eli/dir/2022/2555/oj
European Commission summary of NIS2 (scope, obligations).
Link:
https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
ENISA — Technical Implementation Guidance on Cybersecurity Risk-Management Measures (June 2025): monitoring/measurement & management reporting; practical evidence examples.
Link:
https://www.enisa.europa.eu/publications/technical-guideline-for-nis2-security-measures
Implementing guidance (public consultation draft → adopted as CIR 2024/2690) — includes explicit notes on reporting results to management as compliance evidence.
Link:
https://www.enisa.europa.eu/publications/nis-2-implementing-act
Irish NCSC draft guidance on Art. 21 & 23 (practical transposition view).
Link:
https://www.ncsc.gov.ie/guidance/
Fines & liability — administrative fine ceilings for Art. 21/23 breaches (max €10M or 2% of global annual turnover for essential entities; max €7M or 1.4% for important entities).
Link:
https://www.nis-2-directive.com/
IBM (2023), Cost of a Data Breach Report. (Source of the figures cited above: 204 days to identify a breach; $4.45 million average breach cost.)
Link:
https://www.ibm.com/reports/cost-of-a-data-breach
Edgescan (2024), Vulnerability Statistics Report. (For MTTR benchmarks).
Link:
https://www.edgescan.com/wp-content/uploads/2025/04/2024-Vulnerability-Statistics-Report.pdf
Gartner (2023), Predicts 2024: Cyber Supply Chain Risk. (Cited by Cybersecurity Ventures for supplier attack statistics).
Link:
https://cybersecurityventures.com/software-supply-chain-attacks-to-cost-the-world-60-billion-by-2025/
PwC (2021), Conti cyber attack on the HSE: Independent Post Incident Review. (For RTO/RPO case study).
Link:
https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf