The classic trap
Article 25 looks harmless: it merely encourages standards without imposing anything. The trap lies elsewhere. During an inspection, the ILR does not require you to have adopted a specific standard, but to have chosen a recognised framework (ISO 27001, ISO 27005, ENISA guidelines) and to have actually implemented it. Essential and important entities that claim to follow a standard but cannot produce the control coverage mapping end up in breach of Article 21, of which Article 25 is the enforcement arm. The absence of a structuring standard turns your risk management framework into a homemade construction that is impossible to defend.
Why standards become your best line of defence
No technology is imposed, but choosing a recognised European or international framework creates a presumption of seriousness before the ILR. Here are the standards that cover the areas targeted by Article 21:
- ISO/IEC 27001 and 27002: information security management system and control catalogue.
- ISO/IEC 27005: risk assessment methodology, directly aligned with Article 21(1).
- ENISA guidelines and advice: sectoral technical guidance that the ILR treats as state of the art.
- IEC 62443 for industrial and OT environments (energy, transport, infrastructure).
- ETSI EN 303 645 for connected products and digital infrastructure.
The operational trap: declaring a standard is not enough. You must trace which control of the standard answers which NIS 2 obligation, and prove its effective application.
How Luxgap automates this risk
Our Luxgap Standards Mapping Engine eliminates the blind spot between your declared standard and your real NIS 2 compliance: it automatically cross-references each ISO 27001 control or ENISA guideline with the requirements of Article 21, and detects uncovered areas before the ILR does. The AI agent reads your policies, your Microsoft Defender, Azure Sentinel and Active Directory configurations, then generates a living coverage matrix linking each technical measure to the normative clause it satisfies.
- Automatically maps your ISO 27001, ISO 27005 and IEC 62443 controls onto the obligations of NIS 2 Article 21, with no manual entry.
- Detects uncovered technical areas using ENISA advice and guidelines kept continuously up to date.
- Verifies the effective application of each control by querying your real sources (Defender, Sentinel, M365, Wazuh, CrowdStrike) rather than your declarations.
- Calculates a normative coverage score per area and alerts on Teams as soon as a configuration drift breaks compliance with a key control.
- Produces a timestamped and sealed PDF report, enforceable before the ILR, demonstrating the use of recognised European and international standards.
Available as an add-on to a Luxgap CISO mandate or as a dedicated SaaS module depending on your scope. Request a personalised quote and our teams will prepare a demonstration on your real perimeter, with a free blank audit within 48h to measure your normative coverage before any engagement.