How to conduct NIS2 risk assessment using AI
Overview
You'll learn how to use AI to conduct a comprehensive NIS2 risk assessment aligned with Article 21. This guide covers the all-hazards approach required by the Directive, identifying both cyber and non-cyber risks, applying the proportionality principle, building a risk methodology tailored to your entity type, creating detailed risk registers, analyzing your threat landscape, and mapping risk treatment to the ten Article 21 measure areas.
Who this is for
This guide is for:
Risk managers and CISOs responsible for NIS2 risk assessment processes
Compliance officers building or updating risk management frameworks for NIS2
Security consultants conducting NIS2 risk assessments for clients across critical sectors
IT managers who need to translate Article 21 requirements into actionable risk treatment plans
Management body members who must approve risk management measures and understand their personal liability under Article 20
Before you begin
You will need:
An ISMS Copilot account (free trial available)
Your NIS2 scoping determination (essential or important entity classification) -- see How to Get Started with NIS2 Implementation Using AI if you have not completed this
An inventory of your critical information systems, networks, and services
Your current risk assessment documentation (if any)
Management body approval for the risk assessment process (Article 20)
NIS2 Article 21(1) requires a risk-based, all-hazards approach. This means your risk assessment must consider not only cyber threats but also physical, environmental, human, and supply chain risks that could affect the security of your network and information systems.
Understanding NIS2 risk assessment requirements
What Article 21 demands
Article 21(1) of the NIS2 Directive requires essential and important entities to take appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services. These measures must be based on an all-hazards approach and must aim to protect network and information systems and their physical environment from incidents.
The all-hazards approach means your risk assessment must address:
Cyber threats: Ransomware, phishing, advanced persistent threats, DDoS, supply chain compromise, insider threats
Physical threats: Unauthorized physical access, theft of equipment, sabotage, vandalism
Environmental threats: Natural disasters, flooding, fire, power outages, extreme weather events
Human factors: Human error, social engineering, insufficient training, key-person dependency
Supply chain risks: Supplier compromise, dependency on single vendors, third-party vulnerabilities
Technical failures: Hardware failure, software defects, capacity exhaustion, configuration errors
Audit focus area: Supervisory authorities will examine whether your risk assessment genuinely adopts an all-hazards approach or focuses only on cyber threats. Assessments that ignore physical, environmental, or human risks will be flagged as non-compliant with Article 21(1).
The proportionality principle
Article 21(1) explicitly states that measures must be proportionate to:
The degree of the entity's exposure to risks
The entity's size
The likelihood and severity of incidents
The societal and economic impact of incidents
This means a small managed service provider classified as an essential entity will have different control expectations than a major energy provider, even though both must address all ten measure areas. Your risk assessment must document how proportionality has been applied.
How AI transforms NIS2 risk assessment
Traditional risk assessment for NIS2 requires deep expertise across multiple threat domains, sector-specific knowledge, and the ability to map hundreds of risks to control measures. ISMS Copilot accelerates this by:
Sector-specific threat intelligence: Generating threat landscapes tailored to your specific sector based on ENISA reports and real-world attack patterns
Comprehensive risk identification: Ensuring all-hazards coverage by systematically generating risk scenarios across all threat categories
Consistent scoring: Applying likelihood and impact criteria consistently across hundreds of risk scenarios
Control mapping: Automatically mapping identified risks to the appropriate Article 21 measure areas and specific controls
Risk register generation: Producing structured, audit-ready risk registers in minutes rather than weeks
Step 1: Define your risk assessment methodology
Why methodology must come first
Before identifying any risks, you must establish and document your risk assessment methodology. Supervisory authorities will verify that a methodology exists, was approved by the management body, and was applied consistently across all assessed risks.
Building the methodology with AI
Generate the methodology framework:
"Create a comprehensive NIS2 risk assessment methodology for a [sector] organization classified as an [essential/important] entity with [employee count] employees. The methodology must: adopt an all-hazards approach as required by Article 21(1), include risk identification, analysis, evaluation, and treatment stages, define likelihood and impact scales (5-point), include risk calculation and risk acceptance criteria, address the proportionality principle, and be suitable for approval by our management body."
Define impact criteria tailored to NIS2:
"Create NIS2-specific impact assessment criteria covering five dimensions: (1) operational disruption to essential/important services, (2) financial loss including potential regulatory penalties up to EUR [10M/7M] or [2%/1.4%] of turnover, (3) impact on other entities and sectors (cascading effects), (4) number of affected users/recipients, and (5) reputational and societal impact. Provide a 5-point scale with concrete examples for each dimension relevant to a [sector] organization."
Define likelihood criteria:
"Create risk likelihood assessment criteria for our NIS2 risk assessment. Include a 5-point scale (Rare/Unlikely/Possible/Likely/Almost Certain) with: frequency-based definitions, threat-capability-based definitions, and sector-specific examples. Reference current ENISA threat landscape data for our [sector] sector."
Establish risk acceptance thresholds:
"Define risk acceptance criteria for NIS2 compliance. Our organization's risk appetite is [conservative/moderate/aggressive]. Create: a risk matrix (5x5) with color-coded risk levels, acceptance thresholds by risk level (accept/mitigate/transfer/avoid), escalation rules for risks above tolerance, and approval authority levels (risk owner/CISO/management body) for each treatment decision."
Document the approval: Once ISMS Copilot generates your methodology, present it to your management body for formal approval. Record the approval in board minutes. This is a specific Article 20 requirement -- the management body must approve cybersecurity risk management measures.
Step 2: Identify and catalog your assets
What to include in your asset inventory
NIS2 risk assessment requires a thorough understanding of the network and information systems your organization uses for operations and service delivery. Your asset inventory should cover:
Asset category | Examples | NIS2 relevance
Information assets | Customer data, operational data, configuration data, credentials | Confidentiality, integrity, availability of services
Hardware | Servers, network equipment, OT/ICS systems, endpoints, IoT devices | Physical environment protection, access control
Software | Operating systems, applications, firmware, SCADA/DCS systems | Vulnerability handling, acquisition security
Network infrastructure | Routers, switches, firewalls, VPNs, wireless networks | Network security, segmentation, monitoring
Cloud services | IaaS, PaaS, SaaS providers, CDN, DNS | Supply chain security, third-party risk
People | Key personnel, administrators, third-party contractors | HR security, access control, training
Facilities | Data centers, offices, industrial sites, control rooms | Physical environment, business continuity
Services | Essential/important services delivered, supporting services | Service availability, incident impact assessment
Generating your asset inventory with AI
Create the inventory template:
"Generate a comprehensive asset inventory template for NIS2 risk assessment at a [sector] organization. Include columns for: Asset ID, Asset Name, Asset Category, Description, Asset Owner, Business Criticality (1-5), Dependencies (upstream/downstream), Location, NIS2 Measure Area Relevance, and Current Protection Measures. Pre-populate with typical assets for a [sector] entity."
Identify critical service dependencies:
"For our [sector] organization that provides [describe essential/important services], map the critical dependencies between our services and underlying assets. Create a dependency tree showing: which assets support which services, single points of failure, and cascading impact paths if specific assets are compromised. This is critical for NIS2 incident impact assessment."
Classify assets by criticality:
"Apply business criticality classifications to our asset inventory for NIS2 risk assessment. Classification criteria should consider: impact on essential/important service delivery if the asset is compromised, recovery time requirements, regulatory sensitivity, and interconnection with other critical assets. Assign criticality levels (Critical/High/Medium/Low) with justification for each."
OT/ICS consideration: If your organization operates in sectors like energy, water, transport, or manufacturing, your asset inventory must include operational technology (OT) and industrial control system (ICS) assets. These often have different risk profiles, longer patching cycles, and unique vulnerabilities compared to IT assets. ISMS Copilot can help you identify sector-specific OT risks.
Step 3: Analyze your threat landscape
Building a sector-specific threat profile
NIS2 requires an all-hazards approach, but the specific threats your organization faces depend heavily on your sector, geographic location, and technology environment. ENISA publishes annual threat landscape reports that provide sector-specific intelligence.
Generate your threat landscape:
"Create a comprehensive threat landscape analysis for our [sector] organization for NIS2 risk assessment. Include: (1) Cyber threats: top attack vectors targeting our sector (with recent examples), threat actors most relevant to our sector (state-sponsored, cybercriminal, hacktivist, insider), and emerging threats. (2) Physical threats: unauthorized access, equipment theft, sabotage. (3) Environmental threats: natural disasters relevant to our [location], power grid risks, climate-related risks. (4) Human threats: social engineering patterns in our sector, insider threat indicators, key-person dependency. (5) Supply chain threats: common supply chain attack patterns in our sector, dependency risks. Reference ENISA threat landscape data where applicable."
Assess threat actor capabilities:
"For each threat actor category relevant to our [sector] entity, assess: motivation (financial, espionage, disruption, ideological), capability level (opportunistic to advanced), typical attack methods, targeting patterns for our sector, and historical incidents affecting similar organizations. Present this as a threat actor profile matrix."
Identify sector-specific attack scenarios:
"Generate 20 realistic attack scenarios specific to a [sector] organization for NIS2 risk assessment. Each scenario should include: threat actor, attack vector, targeted assets, potential impact on essential/important services, likelihood assessment, and cascading effects on other entities or sectors. Include both cyber and non-cyber scenarios to satisfy the all-hazards requirement."
Do not ignore non-cyber risks: A common mistake is treating NIS2 risk assessment as purely a cybersecurity exercise. Article 21(1) explicitly requires protection of network and information systems and "the physical environment of those systems" from incidents. Auditors will look for evidence that you assessed physical, environmental, and human risks alongside cyber threats.
Step 4: Conduct the risk assessment
Risk identification
With your asset inventory and threat landscape established, systematically identify risks by considering how each threat could exploit vulnerabilities in each critical asset, and what the impact would be on your essential or important services.
Generate the initial risk register:
"Using the asset inventory and threat landscape we have developed, generate a comprehensive risk register for our NIS2 risk assessment. For each risk entry include: Risk ID, Risk Title, Risk Description (threat + vulnerability + impact), Affected Asset(s), Threat Category (cyber/physical/environmental/human/supply chain), Affected NIS2 Article 21 Measure Area(s), Existing Controls, Residual Likelihood (1-5), Residual Impact (1-5), Risk Score, Risk Level, Risk Owner, and Recommended Treatment. Generate at least 40 risks covering all threat categories for a [sector] organization."
Ensure all-hazards coverage:
"Review our risk register for all-hazards completeness. Verify we have adequate coverage across: cyber threats (minimum 15 risks), physical threats (minimum 5 risks), environmental threats (minimum 5 risks), human factor risks (minimum 5 risks), supply chain risks (minimum 5 risks), and technical failure risks (minimum 5 risks). Identify any gaps and generate additional risk entries to fill them."
Assess cascading and cross-sector impacts:
"For the top 10 highest-rated risks in our register, analyze potential cascading impacts: (1) how this risk could affect other entities that depend on our services, (2) how disruption of our services could propagate across our sector, (3) whether the impact could cross into other NIS2 sectors. This cascading impact analysis is critical for NIS2 incident significance determination."
Risk evaluation and scoring
Apply consistent scoring:
"Review and validate the risk scores in our risk register. For each risk, verify that: the likelihood assessment reflects current threat intelligence for our sector, the impact assessment considers all five NIS2-relevant impact dimensions (operational disruption, financial loss, cascading effects, affected users, societal impact), and the risk score calculation follows our approved methodology. Flag any inconsistencies and recommend adjustments."
Create a risk heat map:
"Generate a risk heat map visualization for our NIS2 risk register showing: the distribution of risks across likelihood and impact levels, clustering of risks by threat category, and identification of the top risk clusters that require priority treatment. Format as an HTML table with color-coded cells."
Upload existing risk data: If your organization has existing risk assessments (from ISO 27001, DORA, or internal processes), upload them to ISMS Copilot and ask it to identify which existing risks are relevant to NIS2, which need updating for the all-hazards approach, and what additional risks need to be added to meet Article 21 requirements.
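As an added example that is not part of this guide or of ISMS Copilot's own tooling, the following Python implements the 5x5 scoring methodology the Step 1 and Step 4 prompts describe: risk score as likelihood times impact, risk level bands, the heat map grid, the acceptance threshold, the all-hazards coverage check with the minimum counts from the coverage-review prompt, and a check that every risk is mapped to an Article 21(2) measure area. The score bands, acceptance threshold and sample risks are assumed values constructed for illustration.

```python
"""Added example, not code from the guide or ISMS Copilot: the 5x5 risk methodology
from Steps 1 and 4 (score = likelihood x impact, level bands, heat map, all-hazards
coverage check, Article 21(2) mapping check). Bands, threshold, risks are constructed."""
from dataclasses import dataclass

# All-hazards threat categories from the guide, with the minimum risk count per
# category used in the Step 4 coverage-review prompt.
MIN_COVERAGE = {"cyber": 15, "physical": 5, "environmental": 5,
                "human": 5, "supply chain": 5, "technical failure": 5}
# Score bands for the 5x5 matrix (assumed; the approved methodology fixes these).
RISK_LEVELS = [(15, "Critical"), (10, "High"), (5, "Medium"), (1, "Low")]
# Scores at or above this exceed tolerance and need a treatment plan (assumed).
ACCEPTANCE_THRESHOLD = 10

@dataclass
class Risk:
    risk_id: str
    title: str
    category: str         # key of MIN_COVERAGE
    likelihood: int       # 1-5, Rare .. Almost Certain
    impact: int           # 1-5, worst of the five NIS2 impact dimensions
    measure_areas: tuple  # Article 21(2) letters a-j whose controls treat the risk

    def __post_init__(self):
        if self.category not in MIN_COVERAGE:
            raise ValueError(f"{self.risk_id}: unknown category {self.category!r}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1-5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return next(name for floor, name in RISK_LEVELS if self.score >= floor)

def coverage_gaps(register):
    """{category: shortfall} for every category below its minimum count."""
    counts = {c: 0 for c in MIN_COVERAGE}
    for r in register:
        counts[r.category] += 1
    return {c: MIN_COVERAGE[c] - n for c, n in counts.items() if n < MIN_COVERAGE[c]}

def heat_map(register):
    """5x5 grid of risk counts, indexed grid[impact - 1][likelihood - 1]."""
    grid = [[0] * 5 for _ in range(5)]
    for r in register:
        grid[r.impact - 1][r.likelihood - 1] += 1
    return grid

def needs_treatment(register):
    """IDs of risks above tolerance, highest score first (ties by ID)."""
    above = [r for r in register if r.score >= ACCEPTANCE_THRESHOLD]
    return [r.risk_id for r in sorted(above, key=lambda r: (-r.score, r.risk_id))]

def unmapped(register):
    """Risks with no Article 21(2) measure area: the audit trail is broken."""
    return [r.risk_id for r in register if not r.measure_areas]

# Constructed sample register for a fictional energy-sector essential entity.
SAMPLE_REGISTER = [
    Risk("R-01", "Ransomware on customer billing platform", "cyber", 4, 5, ("b", "c", "e")),
    Risk("R-02", "Phishing yields admin credentials", "cyber", 5, 3, ("g", "j")),
    Risk("R-03", "Unauthorized entry to control room", "physical", 2, 4, ("i",)),
    Risk("R-04", "Flooding of primary data center", "environmental", 1, 5, ("c",)),
    Risk("R-05", "Sole SCADA admin leaves, no runbooks", "human", 3, 3, ("c", "i")),
    Risk("R-06", "Compromise of outsourced SOC provider", "supply chain", 2, 5, ("d",)),
    Risk("R-07", "Firmware defect in SCADA gateway", "technical failure", 3, 4, ("e",)),
    Risk("R-08", "Firewall misconfiguration exposes OT network", "cyber", 3, 4, ()),
]

if __name__ == "__main__":
    print("Gaps:", coverage_gaps(SAMPLE_REGISTER), "Treat:", needs_treatment(SAMPLE_REGISTER))
```

On the sample register the coverage check reports a shortfall in every category, which is the expected result for a first-pass register and is what the "fill the gaps" prompt above is meant to resolve.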
Step 5: Develop risk treatment plans aligned with Article 21
Mapping risks to Article 21 measure areas
Every risk in your register must be linked to one or more of the ten Article 21(2) measure areas, and your treatment plans must specify the controls that address each risk. This creates the audit trail from risk identification through to control implementation.
Map risks to controls:
"For each risk in our risk register, map the recommended treatment to specific NIS2 Article 21(2) measure areas: (a) risk analysis and information security policies, (b) incident handling, (c) business continuity and disaster recovery, (d) supply chain security, (e) network and information system security including vulnerability handling, (f) effectiveness assessment, (g) cyber hygiene and training, (h) cryptography, (i) HR security, access control, and asset management, (j) multi-factor authentication and secure communications. For each mapping, specify the concrete control to be implemented and the expected risk reduction."
Create risk treatment plans:
"For the top 20 risks in our register that exceed our risk acceptance threshold, generate detailed risk treatment plans. Each plan should include: Risk ID, Treatment Decision (mitigate/transfer/avoid), Specific Controls to Implement, Responsible Person, Implementation Timeline, Expected Residual Risk After Treatment, Resource Requirements, and Success Criteria. Ensure treatments are proportionate to our organization's size and risk exposure as required by NIS2 Article 21(1)."
Document risk acceptance decisions:
"For risks that fall within our acceptance threshold, generate formal risk acceptance statements. Each statement should include: Risk ID, Risk Description, Current Risk Score, Justification for Acceptance (including proportionality rationale), Conditions for Reassessment, Acceptance Authority (risk owner or management body), and Review Date. These statements must be approved by the appropriate authority per our risk methodology."
Applying the proportionality principle to treatments
NIS2 does not require identical controls across all organizations. Your treatments must be proportionate to your specific risk exposure.
"Review our risk treatment plans for proportionality compliance. Our organization has [employee count] employees, EUR [turnover] annual turnover, and operates in the [sector] sector as an [essential/important] entity. For each proposed treatment, assess whether it is: (1) proportionate to our size and resources, (2) proportionate to the likelihood and severity of the risk, (3) aligned with state-of-the-art practices for our sector, and (4) cost-effective relative to the risk reduction achieved. Flag any treatments that may be disproportionately expensive or insufficient, and recommend alternatives."
State of the art: Article 21(1) requires entities to take into account the state of the art and, where applicable, relevant European and international standards. This means your controls should reflect current best practices and industry standards -- not outdated approaches. ISMS Copilot's knowledge includes current standards and practices.
Step 6: Document and present the risk assessment
Creating the formal risk assessment report
Generate the report:
"Create a formal NIS2 Risk Assessment Report for our organization. Structure the report as follows: (1) Executive Summary with key findings and top risks, (2) Scope and Methodology (reference our approved methodology), (3) Asset Inventory Summary, (4) Threat Landscape Analysis, (5) Risk Register with full scoring details, (6) Risk Heat Map, (7) Risk Treatment Plans for risks exceeding acceptance threshold, (8) Risk Acceptance Statements for accepted risks, (9) Mapping of Risks to Article 21(2) Measure Areas, (10) Proportionality Assessment, (11) Recommendations and Next Steps, (12) Appendices (full risk register, threat profiles, asset inventory). This report will be presented to the management body for approval."
Create the management body summary:
"Create a 3-page executive summary of our NIS2 risk assessment results for the management body. Focus on: top 10 risks and their business impact, areas where we are most exposed, required investments for risk treatment, timeline for implementing priority treatments, and the management body's specific approval and oversight obligations. Include a clear recommendation for a management body resolution approving the risk treatment plan."
Management body approval is mandatory: Under Article 20, the management body must approve the cybersecurity risk management measures. This includes the risk assessment methodology, the risk register, and the risk treatment plans. Document the approval in board minutes and retain as audit evidence.
Step 7: Establish ongoing risk monitoring
Continuous risk management
NIS2 compliance is not a one-time exercise. Your risk assessment must be reviewed and updated regularly and whenever significant changes occur.
Define the review cycle:
"Create a risk assessment review and update schedule for ongoing NIS2 compliance. Define: (1) Regular review frequency (recommend quarterly for essential entities, semi-annually for important entities), (2) Trigger events that require immediate reassessment (new threats, incidents, organizational changes, supply chain changes, regulatory updates), (3) Roles responsible for monitoring and escalation, (4) Process for updating the risk register and treatment plans, (5) Reporting cadence to the management body."
Build threat monitoring procedures:
"Create a threat intelligence monitoring procedure for our [sector] organization to support ongoing NIS2 risk assessment. Include: sources to monitor (ENISA, national CSIRT advisories, sector ISACs, vendor security bulletins), monitoring frequency, criteria for escalating new threats to risk reassessment, and integration with our incident detection capabilities."
Common risk assessment pitfalls and how to avoid them
Pitfall | Why it matters for NIS2 | How to avoid it
Cyber-only focus | Violates the all-hazards requirement of Article 21(1) | Systematically assess physical, environmental, and human risks alongside cyber threats
No documented methodology | Supervisory authorities require evidence of a consistent, repeatable approach | Document and get management body approval before starting assessment
Ignoring cascading impacts | NIS2 incident significance considers impact on other entities and sectors | Analyze cross-entity and cross-sector impact for high-rated risks
Disproportionate controls | Article 21(1) requires proportionality -- over- or under-controlling is non-compliant | Document proportionality rationale for each treatment decision
Static risk register | Risk landscape changes continuously; a stale register demonstrates poor governance | Establish quarterly reviews and trigger-based reassessment processes
Missing management approval | Article 20 requires management body approval of risk management measures | Present risk assessment and treatment plans to the board; record approval in minutes
No supply chain risk coverage | Article 21(2)(d) specifically requires supply chain risk assessment | Include supplier and third-party risks systematically in the register
Next steps
With your risk assessment complete, you now have the foundation for implementing NIS2 controls across all Article 21 measure areas.
Continue with the next guides in this series:
Policy creation: See How to Create NIS2 Cybersecurity Policies Using AI to translate your risk treatment plans into audit-ready policies for each of the ten Article 21 measure areas
Incident reporting: See How to Implement NIS2 Incident Reporting Using AI to build the incident detection and reporting capabilities identified in your risk treatment plans
Supply chain security: See How to Manage NIS2 Supply Chain Security Using AI for detailed guidance on addressing the supply chain risks identified in your register
If you have not yet completed the initial setup, start with How to Get Started with NIS2 Implementation Using AI for scoping, governance, and workspace configuration.
For ready-to-use risk assessment prompts, explore the NIS2 Directive Prompt Library. For a comprehensive overview of all NIS2 requirements, see the NIS2 Compliance Guide for In-Scope Companies.
Getting help
For additional support with NIS2 risk assessment:
Ask ISMS Copilot: Use your NIS2 workspace for ongoing risk assessment questions and updates
Upload existing risk data: Get AI analysis of your current risk registers, threat assessments, or control inventories
Sector-specific guidance: Ask for threat landscapes and risk scenarios tailored to your specific sector and operating environment
Framework alignment: Get guidance on aligning NIS2 risk assessment with ISO 27005, ISO 31000, or other risk management standards you already use
Ready to conduct your NIS2 risk assessment? Open your NIS2 workspace at chat.ismscopilot.com and start with your risk methodology. The AI will guide you through each step, from asset identification to risk treatment plans, with outputs calibrated to your sector and entity classification.