The EU NIS2 Directive (Directive 2022/2555) requires Essential and Important entities to maintain, test, and document incident handling and crisis management processes. Skyhigh provides 65 ready-to-run ICS/OT tabletop scenarios in four languages, AI-generated After Action Reports, and audit-ready compliance evidence — supporting your NIS2 obligations from Article 20 governance through to Article 21 technical measures.
NIS2 expands significantly on NIS1, covering 11 essential sectors and 7 important sectors. Both categories must implement Article 21 measures — including documented incident handling and crisis management testing.
Essential entities are subject to proactive supervision by national competent authorities, stricter incident reporting timelines (24hr early warning / 72hr notification / 1-month final report), and potential sanctions of up to €10M or 2% of global annual turnover.
Important entities face reactive (complaint-driven) supervision and lower penalty caps (up to €7M or 1.4% of global turnover), but must implement the same Article 21 cybersecurity risk management measures as Essential Entities.
The NIS2 Directive applies across 27 Member States in multiple working languages. Skyhigh delivers exercises, AI facilitation outputs, and After Action Reports in four languages — enabling cross-border and multilingual teams to run exercises in their working language.
Article 21 defines ten mandatory cybersecurity measures for all covered entities. Tabletop exercises directly address measures (b) and (c), and support evidence generation for six additional measures.
| Article | Measure | Requirement Summary | Skyhigh Capability | Coverage |
|---|---|---|---|---|
| Art. 21(a) | Risk analysis & IS policies | Policies on information security risk analysis and information system security | AI Facilitator Briefing surfaces policy gaps; AAR documents policy weaknesses identified during exercises; Gap Analysis flags absent policies | Supporting |
| Art. 21(b) | Incident handling | Procedures for incident detection, analysis, containment, and recovery. Documented testing of incident response plans | Live Session mode executes structured incident response exercises. AI AAR documents detection, containment, and recovery steps taken. Compliance evidence package provides audit-ready incident handling test record | Core |
| Art. 21(c) | Business continuity & crisis management | Backup management, disaster recovery, and crisis management plans — including documented testing | Recovery-focused scenario variants test backup activation and DR procedures; Crisis management steps are recorded and reflected in the AAR; Compliance evidence package documents the crisis management exercise | Core |
| Art. 21(d) | Supply chain security | Security of supply chain relationships, including vendor risk assessment and contractual security requirements | Supply chain attack scenarios exercise third-party compromise detection and vendor communication procedures; Gap Analysis flags supply chain vulnerabilities identified during exercise | Partial |
| Art. 21(e) | Network & IS security | Security in network and information systems acquisition, development, and maintenance | Network-layer attack scenarios (lateral movement, OT/IT boundary crossing) exercise detection and response; AAR documents control gaps in network security posture | Partial |
| Art. 21(f) | Cyber hygiene & training | Policies and procedures for evaluating effectiveness of measures, including basic cyber hygiene and cybersecurity training | Exercise completion demonstrates active cybersecurity training activity; Facilitator Certification (CTEP) evidence of qualified facilitation; AI Coaching tips reinforce hygiene practices during exercises | Supporting |
| Art. 21(g) | Cryptography policies | Policies on the use of cryptography and encryption | Scenarios referencing encrypted communication channels and data-at-rest protections exercise cryptography-adjacent procedures; limited direct coverage | Partial |
| Art. 21(h) | Human resources security & access control | HR security policies, access control, asset management | Insider threat and privilege escalation scenarios exercise access control response procedures; AAR flags access management gaps identified during exercises | Supporting |
| Art. 21(i) | Multi-factor authentication | Use of MFA or continuous authentication for access to network and information systems | Authentication bypass scenarios test detection of MFA circumvention; limited direct coverage of MFA policy enforcement | Partial |
| Art. 20 | Governance — Management oversight | Management bodies must approve cybersecurity risk management measures, oversee their implementation, and attend cybersecurity training | Executive-level scenario participants, AI AAR addressed to management, exercise history demonstrating consistent programme, Compliance Dashboard for board-level reporting | Supporting |
Three core capabilities work together to deliver, document, and evidence your Article 21(b) and 21(c) obligations.
- Live Session mode provides a real-time, multi-participant exercise environment. All steps, responses, and host actions are timestamped, creating an auditable record of your incident handling test.
- Immediately after each exercise, Skyhigh's AI generates a structured AAR documenting gaps, recommendations, and NIS2 Article 21 control references, in the language your team worked in.
- The Compliance Dashboard generates per-framework NIS2 evidence packages: a 6-page audit PDF covering exercise log, Article 21 controls coverage, gap analysis, remediation plan, and attestation.
Six high-fidelity scenarios covering the most regulated NIS2 sectors — ready to run without customisation, with AI facilitator briefing included.
- Ransomware propagates through a hospital's Building Management System, affecting HVAC, access control, and medical gas pressure monitoring. Tests Art. 21(b)(c) incident and continuity response.
- A coordinated cyberattack targets multiple substations simultaneously, triggering cascading grid failures. Exercises Art. 21(b) incident response and cross-authority communication under Art. 23.
- An attacker gains access to a municipal water treatment SCADA system and begins altering chemical dosing setpoints. Tests detection, containment, and public authority notification under NIS2 Art. 23.
- A sophisticated threat actor compromises SWIFT messaging infrastructure, threatening transaction integrity and regulatory notification timelines. Exercises DORA/NIS2 dual obligations and Art. 21(b) response.
- Ransomware strikes a port's logistics management platform, halting container tracking and creating cross-border supply chain disruption. Tests Art. 21(b)(c) and supply chain notification obligations.
- A trusted software vendor used across multiple EU Member State entities is compromised, requiring coordinated cross-border response. Tests Art. 21(d) supply chain obligations and Art. 23 notification flows.
Plus 59 additional scenarios across Pharma, Chemical, Manufacturing, Oil & Gas, and more.
Every Skyhigh exercise generates four categories of compliance evidence supporting NIS2 Article 21 demonstration requirements and competent authority reporting.
- AI-generated PDF with gap analysis, corrective actions, and NIS2 Article 21 references. Available in EN, FR, PT, ES within minutes of exercise completion.
- 6-page per-framework audit PDF: exercise log, Article 21 controls map, gap analysis, remediation timeline, and attestation page for competent authority files.
- Timestamped record of all participant responses and exercise activity demonstrating real team engagement, relevant to Art. 20 management participation evidence.
- Identified exercise gaps are automatically pushed to ServiceNow or Jira as remediation tickets, creating a documented corrective action trail for Article 21 implementation evidence.
Skyhigh exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.
Start with 3 free exercises in your working language — no credit card required. Or speak with our EU compliance team about building a structured NIS2 exercise programme.