NIS2 effectiveness assessment
NIS2 Article 21(2)(f) asks you to measure whether your cybersecurity controls work, not just to have them. The Effectiveness screen turns your live ITAM data into quantitative control KPIs, then walks a review from draft to management signoff so you keep a dated, reproducible evidence trail. This page covers reading the dashboard, uploading the required policy document, and recording a review.
:::note Before you begin
- You have an admin role (`admin`, `it-admin`, or `super-admin`). The screen lives in the admin console under Compliance → Effectiveness.
- The KPIs reflect your real data. For credible numbers, keep your hardware register, licenses, MFA enrolment, agent fleet, and offboarding current.
- Have the documented effectiveness-assessment policy ready as a PDF (max 10 MB). The §7.1 requirement is unmet until you upload it.
:::
What this screen evidences
Article 21(2)(f) and its detailing regulation, Commission Implementing Regulation (EU) 2024/2690 Annex §7, expect three things: a documented policy (§7.1), control metrics measured on a cadence (§7.2), and analysis of those metrics with management signoff (§7.3). The Effectiveness screen has one surface for each.
| Surface | Where | What it proves |
|---|---|---|
| Metrics dashboard | Compliance → Effectiveness | §7.2 — control KPIs measured continuously, with current value, target, trend, and status |
| Policy | Policy button | §7.1 — the uploaded, version-controlled policy document with a SHA-256 tamper-check |
| Reviews | Reviews button | §7.3 — cadenced and event-triggered reviews carried through to management signoff |
This is the ITAM-derived portion of NIS2 evidence, not a certification. It demonstrates that your asset, identity, and offboarding controls are measured and reviewed — pair it with your own GRC programme for the controls that sit outside ITAM scope.
Read the metrics dashboard
Open Compliance → Effectiveness. The rollup tiles across the top count every active metric by status, and the Article 21(2) controls table lists each KPI with its live value. The platform recomputes a snapshot for every metric daily, so the numbers are current without any action from you — there is no manual "recalculate" button.
Rollup tiles
| Tile | Counts metrics whose status is | Meaning |
|---|---|---|
| Measured | any | Active metrics in scope |
| Effective | pass | At or above target |
| Partially | warn | Within 10% of target (at least 90% of the threshold) |
| Not effective | fail plus unmeasured | Below target, or with no snapshot yet |
Metric columns
Each row maps to one Article 21(2) sub-control. The columns are read-only.
| Column | What it shows |
|---|---|
| Control | The sub-control code, such as 21(2)(g) |
| Metric | The KPI name and a one-line description |
| Current | The latest snapshot value, or — if not yet measured |
| Target | The threshold, formatted by unit — ≥95%, =0, ≥365 d, or a boolean such as true |
| Trend (last 4) | A sparkline of the last four snapshots in chronological order |
| Status | effective, partial, not effective, or no data |
| Accountable | The named owner for the control, if assigned |
| Cadence | How often the metric is measured (the seeded metrics are daily) |
The seeded controls
A fresh tenant ships with nine starter metrics, each wired to a deterministic data source that reads your live data. Sub-control (f) is the assessment itself — its evidence is the review record below, not a numeric KPI.
| Control | Metric | Default target |
|---|---|---|
| 21(2)(a) | Asset classification coverage | ≥95% |
| 21(2)(b) | Incidents overdue CSIRT notification | =0 |
| 21(2)(c) | Audit-log retention days | ≥365 d |
| 21(2)(d) | Supply-chain coverage (licenses with a vendor) | ≥95% |
| 21(2)(e) | Procurement record coverage (hardware with a purchase date) | ≥95% |
| 21(2)(g) | MFA enrolment rate | ≥95% |
| 21(2)(h) | Endpoint agent coverage | ≥80% |
| 21(2)(i) | Offboarded users still holding assets | =0 |
| 21(2)(j) | MFA admin policy enforcement | true |
A metric reading not effective is a prompt to fix the underlying data, not to edit the target. For example, raise MFA enrolment rate by enrolling users in two-factor authentication, and clear Offboarded users still holding assets through offboarding.
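The status and rollup rules above, reproduced as an added example that is not the product's own code: the `>=`/`==`/`bool` operator split, the 90%-of-threshold partial band, and the sample snapshot values are constructed here for illustration; only the control codes and default targets come from the table.

```python
from dataclasses import dataclass
from typing import Optional, Union


@dataclass(frozen=True)
class Metric:
    control: str            # sub-control code, e.g. "21(2)(g)"
    name: str
    op: str                 # ">=" (at least), "==" (exactly), or "bool" (must be true)
    target: Union[float, bool]
    current: Optional[Union[float, bool]] = None   # None = no snapshot yet

    def status(self) -> str:
        """pass / warn / fail / unmeasured, following the rollup-tile rules on this page."""
        if self.current is None:
            return "unmeasured"
        if self.op == "bool":
            return "pass" if self.current is True else "fail"
        if self.op == "==":
            return "pass" if self.current == self.target else "fail"
        # ">=": at or above target passes; within 10% (>= 90% of the threshold) is partial
        if self.current >= self.target:
            return "pass"
        if self.current >= 0.9 * self.target:
            return "warn"
        return "fail"


def rollup(metrics):
    """Counts behind the four tiles: Measured, Effective, Partially, Not effective."""
    statuses = [m.status() for m in metrics]
    return {
        "measured": len(statuses),
        "effective": statuses.count("pass"),
        "partially": statuses.count("warn"),
        "not_effective": statuses.count("fail") + statuses.count("unmeasured"),
    }


# Constructed sample snapshot for the seeded controls (targets from the page, values invented).
SEEDED = [
    Metric("21(2)(a)", "Asset classification coverage", ">=", 95.0, 97.2),
    Metric("21(2)(b)", "Incidents overdue CSIRT notification", "==", 0, 0),
    Metric("21(2)(c)", "Audit-log retention days", ">=", 365, None),   # no snapshot yet
    Metric("21(2)(d)", "Supply-chain coverage", ">=", 95.0, 91.0),     # partial (>= 85.5)
    Metric("21(2)(e)", "Procurement record coverage", ">=", 95.0, 60.0),
    Metric("21(2)(g)", "MFA enrolment rate", ">=", 95.0, 88.0),        # partial
    Metric("21(2)(h)", "Endpoint agent coverage", ">=", 80.0, 70.0),   # below 72 = fail
    Metric("21(2)(i)", "Offboarded users still holding assets", "==", 0, 2),
    Metric("21(2)(j)", "MFA admin policy enforcement", "bool", True, True),
]
```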
Upload the policy document (§7.1)
Until a policy PDF is on file, the dashboard shows a rose banner reading No effectiveness-assessment policy document on file and the §7.1 claim is unevidenced. To record the policy:
- On the dashboard, select Policy (top right), or follow the banner's Upload one now link.
- Under Upload first version, set Version to a semantic version such as 1.0. Bump the major on substantive content changes and the minor on clarifications.
- Set Effective from to the date the policy takes effect.
- Select the Policy PDF file. PDF only, maximum 10 MB.
- Add Internal notes if useful — for example, what changed or who reviewed it. This field is optional.
- Select Upload policy.
The page confirms the upload, marks the version Current, and records its file name, size, and a SHA-256 (auditor tamper-check) hash. The stored file is private; only admins can download it.
| Field | Required | Notes |
|---|---|---|
| Version | Yes | Semantic version, for example 1.0 or 2.1.0. Must be unique — a duplicate is rejected with a prompt to bump it. |
| Effective from | Yes | The date the version takes effect. |
| Policy PDF | Yes | PDF only, max 10 MB. Stored privately. |
| Internal notes | No | Free text, up to 2,000 characters. |
To record a later policy review, upload a new version. The previous version is auto-superseded and kept under Superseded versions for audit history, with its own download link and SHA-256 prefix.
The dashboard tracks the policy's two-year review window per ENISA cadence guidance. Once the window passes, an amber Policy review overdue banner appears and the policy is flagged Review overdue — clear it by uploading a fresh version.
Record a review (§7.3)
A review freezes the current value of every active metric onto an immutable record, captures your findings and remediation plan, and carries them to management signoff. The platform auto-creates a draft for the just-closed quarter at the start of each quarter, but you can start one at any time.
Create a draft
- From the dashboard or the Reviews list, select New review.
- Set Period start and Period end. They default to the prior calendar quarter — the ENISA default cadence.
- Choose a Scope:

  | Scope | Use it for |
  |---|---|
  | Quarterly review (ENISA default cadence) | The routine quarterly assessment |
  | Annual overall effectiveness assessment | The yearly roll-up auditors look for |
  | Incident-triggered review (§7.3) | A review prompted by a significant incident |
  | Significant-change review (§7.3) | A review prompted by an operational change |

- Select Create draft.
The draft opens with a Metrics at review time table — the value, target, and status of every metric, frozen on the record so it stays auditor-reproducible even after old snapshots are pruned.
Add findings and mark reviewed
On the draft, complete the form:
- In Findings, describe what the metrics revealed. Reference specific control codes and values. Minimum 10 characters.
- In Remediation plan, describe the actions, owners, and target close dates. Minimum 10 characters.
- Set Remediation status to No remediation needed, In progress, or Complete.
- Select Mark reviewed.
The review moves to Awaiting signoff and the findings become read-only.
Sign off as management
Signoff is the auditable record that management received and approved the assessment.
- Open the reviewed record.
- Under Management signoff, select Sign off as management and confirm the prompt.
The state badge flips to Signed off and stamps the signer's name and timestamp. Only an `admin`, `it-admin`, or `super-admin` can sign off.
Signoff is final — there is no edit or unlock action. Confirm the findings and remediation plan are correct before you mark a review reviewed, because the next step locks the record into the evidence trail.
Review states
| State | Badge | Reached by | Next step |
|---|---|---|---|
| Draft | slate Draft | Creating a review | Add findings, then Mark reviewed |
| Reviewed | amber Awaiting signoff | Mark reviewed | Sign off as management |
| Signed off | emerald Signed off | Sign off as management | None — part of the evidence trail |
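The review lifecycle described above (draft freezes the metrics, Mark reviewed needs findings and a plan of at least 10 characters, signoff is role-gated and final), modelled as an added example rather than the product's own code. The role names and minimum length are the page's; the state names, field names and error type are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from types import MappingProxyType
from typing import Mapping, Optional

ADMIN_ROLES = {"admin", "it-admin", "super-admin"}
MIN_TEXT = 10   # findings and remediation plan each need at least 10 characters


class ReviewError(Exception):
    pass


@dataclass
class Review:
    scope: str
    frozen_metrics: Mapping[str, dict]    # control -> {"value", "target", "status"} at creation
    state: str = "draft"                  # draft -> reviewed -> signed_off
    findings: str = ""
    remediation_plan: str = ""
    remediation_status: str = "in_progress"
    signed_by: Optional[str] = None
    signed_at: Optional[datetime] = None

    @classmethod
    def create(cls, scope, live_metrics):
        # Copy the live values into a read-only outer mapping so later snapshot
        # pruning or recalculation cannot change what the record says.
        frozen = MappingProxyType({c: dict(v) for c, v in live_metrics.items()})
        return cls(scope=scope, frozen_metrics=frozen)

    def mark_reviewed(self, findings, plan, remediation_status):
        if self.state != "draft":
            raise ReviewError(f"cannot mark reviewed from state {self.state}")
        if len(findings.strip()) < MIN_TEXT or len(plan.strip()) < MIN_TEXT:
            raise ReviewError("findings and remediation plan need at least 10 characters")
        if remediation_status not in {"not_needed", "in_progress", "complete"}:
            raise ReviewError("unknown remediation status")
        self.findings, self.remediation_plan = findings, plan
        self.remediation_status = remediation_status
        self.state = "reviewed"   # badge: Awaiting signoff; findings are now read-only

    def sign_off(self, user, role):
        if self.state != "reviewed":
            raise ReviewError("sign-off is only offered on a reviewed record")
        if role not in ADMIN_ROLES:
            raise ReviewError("sign-off requires an admin role")
        self.state, self.signed_by = "signed_off", user
        self.signed_at = datetime.now(timezone.utc)   # final: no edit or unlock action
```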
Verify
- The dashboard shows a green banner reading Policy v<version> effective since <date> with a next-review date.
- The metrics table shows a live value, target, and status for each control.
- The Reviews list shows your review with the Signed off badge and the signer's name.
- Opening the signed review shows the frozen Metrics at review time table plus the recorded findings, remediation plan, reviewer, and signoff timestamp.
Troubleshooting
| Symptom | What to do |
|---|---|
| The metrics table reads No effectiveness metrics seeded | The starter metrics haven't been loaded for this tenant. Contact support to seed them. |
| A metric shows no data or — | No snapshot exists yet. The daily snapshot populates it; wait for the next run, or confirm the underlying data exists. |
| A KPI is lower than expected | The value reflects live data. Fix the source — for example, classify assets, enrol users in MFA, or recover assets from offboarded users — and the next daily snapshot updates it. |
| Rose banner: No effectiveness-assessment policy document on file | Upload the policy PDF under Policy. The §7.1 requirement is unmet until you do. |
| Amber banner: Policy review overdue | The policy passed its two-year review window. Upload a new version to reset it. |
| Version <x> already exists on upload | Versions are unique. Bump to a new semantic version and re-upload. |
| Sign off as management doesn't appear | The review isn't in the reviewed state yet, or you lack an admin role. Mark it reviewed first, then sign off with an admin account. |
| You can't reach the Effectiveness screen | The screen requires an admin role and an active subscription. If your network uses an IP allowlist, confirm you're on an allowed address. |