---
title: "NIS2 Article 24: Risk Management Measures"
description: "NIS2 Article 24 in practice: how to implement cybersecurity risk management measures. Technical and organizational controls, governance, and compliance steps."
canonical: https://www.aegister.com/en/cms/insights/nis2-article-24-risk-management-measures/
url: /en/cms/insights/nis2-article-24-risk-management-measures/
lang: en
---

# NIS2 Article 24 in Practice: How to Implement Cybersecurity Risk-Management Measures

January 28, 2026

Article 24 of Legislative Decree 138/2024 requires NIS entities to adopt technical, operational, and organizational measures that are adequate and proportionate to cybersecurity risk. In practical terms, compliance programs need a documented risk cycle that connects governance decisions, control implementation, and evidence readiness.

Sources: [Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG), [ACN baseline obligations specification](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed), [NIS baseline measures reference](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)

## Key takeaways

- Article 24 is risk-based: measures must be selected and maintained according to actual exposure.
- The ACN baseline specification operationalizes Article 24 through structured control families.
- Governance, identification, protection, detection, response, and recovery must be integrated as one control model.
- Compliance evidence must show not only control existence, but also review and continuous improvement.

Sources: [Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG), [ACN baseline obligations specification](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

## What Article 24 means for operating teams

A minimal implementation model should align governance decisions with measurable technical and operational controls, so that every policy decision maps to a control whose operation can be evidenced.

### 1. Governance and policy foundation (GV)

Organizations should define risk strategy, governance roles, policy set, and supply-chain risk responsibilities with clear ownership and approval workflows.

### 2. Asset and risk identification (ID)

Inventories, risk assessments, vulnerability inputs, and risk-treatment choices should be documented and periodically reviewed based on organizational changes and incident lessons.

### 3. Protection controls (PR)

Access management, awareness and training, data protection, platform hardening, and infrastructure resilience controls should be implemented in line with risk outcomes.

### 4. Detection, response, and recovery (DE/RS/RC)

Continuous monitoring, incident response execution, stakeholder communication, and restoration plans should operate as a coordinated lifecycle.

Sources: [ACN baseline obligations specification](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed), [NIS baseline measures reference](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)

## Control families and evidence expectations

| Area | Practical objective | Typical evidence |
| --- | --- | --- |
| Governance (GV) | Define and maintain cyber risk direction and accountability | Governance policy set, role matrix, review records |
| Identification (ID) | Maintain asset and risk visibility | Asset inventory, risk assessment reports, treatment plans |
| Protection (PR) | Reduce likelihood and impact of compromise | Access control records, training evidence, hardening standards |
| Detection (DE) | Detect anomalous events in relevant systems | Monitoring procedures, alert handling logs |
| Response (RS) | Contain and manage incidents consistently | Incident response procedures, investigation and escalation records |
| Recovery (RC) | Restore operations and improve resilience | Recovery procedures, restoration test outputs |

Sources: [ACN baseline obligations specification](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed), [NIS baseline measures reference](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)

## 90-day implementation priorities

1. Validate policy coverage against Article 24 obligations and ACN baseline control areas.
2. Confirm risk-assessment cadence and ensure outputs drive protection and detection controls.
3. Formalize control owners with measurable review and escalation responsibilities.
4. Build an evidence register for each control family (GV, ID, PR, DE, RS, RC).
5. Run a management review to approve remediation priorities and deadlines.

## FAQ

### Does Article 24 require the same controls for every organization?

No. Measures are expected to be adequate and proportionate to the risk profile, with implementation calibrated to exposure and critical services. Source: [Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG)

### Is risk assessment enough to show compliance?

No. Organizations also need implemented controls, governance oversight, and documentary evidence that controls are maintained and reviewed. Sources: [ACN baseline obligations specification](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed), [NIS baseline measures reference](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)

### Which control area should start first?

Governance and identification generally start first because they define ownership, scope, and risk priorities for all other control families. Source: [ACN baseline obligations specification](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

Evaluate your risk management posture with Aegister's [free cybersecurity assessment](/en/assessment/), designed to identify gaps against NIS2 requirements.

## Official sources

- [Gazzetta Ufficiale - Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG)
- [ACN - Baseline obligations determination and annexes](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)
- [ACN - Guide to reading baseline specifications](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)
