NIS2 Security Measures Mapped to SASE and ZTNA Controls

Map each NIS2 Article 21 security measure to a concrete SASE/ZTNA control, see what a platform covers, and what governance work you still own. 2026 guide.
Compliance lead and IT manager mapping NIS2 security measures to SASE controls in a Belgian office

NIS2 Article 21 sets out ten baseline security measures every in-scope organisation must implement. A SASE platform with Zero Trust Network Access (ZTNA) covers the heaviest technical ones directly: access control, network segmentation, MFA, traffic monitoring, encryption in transit, and secure third-party access. It does not cover the organisational and legal half of the law, the policies, the incident-response team, the supplier contracts, and the training. This guide maps each Article 21 measure to a concrete SASE/ZTNA control, and it is honest about the gaps a platform cannot close for you.

Key takeaways

  • Belgium’s NIS2 law (26 April 2024) applies from 50 employees or €10 million turnover in critical sectors, with the CCB as supervisor and fines up to €10 million or 2% of global turnover.
  • The CyberFundamentals (CyFun) framework translates NIS2 into concrete controls; its Basic tier (34 controls) is estimated to stop about 82% of common attacks.
  • A SASE/ZTNA platform maps directly to six of the ten Article 21 measures, mainly the access, network, monitoring and encryption-in-transit controls.
  • It does not map to the policy, backup, training and contractual measures. Compliance is technology plus organisation, not technology alone.
  • A CyFun auditor wants documentation and implementation evidence ready at the start of the audit, and a maturity score of at least 2.5 for Basic or 3.0 for Important on every key measure.

Who is in scope, and what it costs to get it wrong

The Belgian law splits organisations into essential entities (large firms in highly critical sectors, plus specific key actors regardless of size, under proactive and reactive supervision) and important entities (mid-sized firms from 50 FTE or €10 million turnover in critical sectors, under reactive supervision). Even below those thresholds you are pulled in by the “oil-slick effect”: essential entities must manage supply-chain risk, so they push the same security requirements onto smaller suppliers through contracts.

The financial stakes are structural. Essential entities face fines up to €10 million or 2% of global annual turnover; important entities up to €7 million or 1.4%. Belgium adds procedural fines on top: €500 to €125,000 for failing to register on Safeonweb@Work, and €500 to €200,000 for retaliating against whistleblowers or obstructing an inspection. Directors carry personal liability for approving and overseeing measures, and the regulator can suspend managers until compliance is shown. A significant incident triggers a strict reporting chain through notif.safeonweb.be: an early warning within 24 hours, a fuller notification within 72 hours, and a final report within one month.

The ten Article 21 measures in brief

Article 21(2) defines the minimum technical, operational and organisational measures. In short: (1) risk-analysis and information-security policy; (2) incident handling; (3) business continuity and crisis management; (4) supply-chain security; (5) security in acquisition, development and maintenance; (6) evaluation of the effectiveness of those measures; (7) cyber hygiene and training; (8) cryptography and encryption; (9) personnel security, access policy and asset management; and (10) multi-factor authentication and secure communications. Some are pure technology. Several are governance and process. A platform can do a lot for the first group and nothing for the second.

Mapping NIS2 measures to SASE/ZTNA controls

The table below pairs each measure with a concrete control, what a SASE platform such as Jimber contributes, and the part that stays your responsibility.

Article 21 measure SASE / ZTNA control What the platform contributes Gap you still own
1. Risk analysis & policy Centralised network and application visibility in one console Real-time view of shadow IT, unauthorised SaaS and risky browsing The formal information-security policy and the organisation-wide risk analysis
2. Incident handling Traffic inspection, centralised logging, SIEM integration Continuous logs of access attempts, web requests and sessions, and usable compliance reports The organisational incident response and the actual filing via Safeonweb
3. Business continuity Redundant paths and automatic failover (SD-WAN) Network availability when a physical line drops Backup management, immutable backups and disaster-recovery testing
4. Supply-chain security Agentless ZTNA for suppliers and third parties External technicians reach one application through an isolated browser session, with no network access Contracts, supplier audits and third-party GRC assessments
5. Acquisition & maintenance Edge inspection and isolation of inbound traffic Blocks exploitation of unpatched apps by inspecting and isolating traffic first Secure-coding policy, the local patch cycle and the CVD policy
6. Effectiveness evaluation Built-in analytics, configuration logs, report templates Direct evidence of enforced access control and isolation for the auditor Independent penetration testing and audit coordination
7. Cyber hygiene DNS filtering and Web Application Isolation Blocks phishing and drive-by malware by running web requests in a container outside the network The mandatory staff and management training
8. Cryptography End-to-end WAN encryption and SSL/TLS inspection Encrypts data in transit and inspects encrypted traffic for malware Encryption of data at rest and internal key management
9. Access policy & assets Identity-aware access control and least-privilege Enforces access at the application level (microsegmentation), not the network level HR joiner/leaver processes and physical asset inventory
10. MFA & secure comms Identity-provider integration and continuous session validation Enforces MFA on every access attempt and re-checks device posture Providing the primary IdP and any physical emergency-comms systems

The honest gap: what SASE does not solve

A SASE platform covers the heaviest technical controls, but technology alone does not make you compliant. The organisational and legal parts stay with you: writing the information-security policy, standing up the incident-response function, signing data-processing agreements with suppliers, and training staff and the board. Read the mapping as “this measure is substantially covered” or “this measure is partly covered,” never as “this box is ticked by buying a product.” Our NIS2 compliance checklist covers the organisational side an auditor still expects.

What a CyFun auditor actually checks

CyFun is built on NIST CSF 2.0 and splits security into six functions: Govern, Identify, Protect, Detect, Respond and Recover. During a conformity assessment the rules are strict. The CCB’s Excel tool must have every measure detailed in the Details tab; a changed file format means the audit is refused. The assessor demands a dual perspective for each control, both the policy side (is it documented?) and the practice side (is it demonstrably implemented?). You need an average maturity score of at least 2.5 for Basic verification and 3.0 for Important, and you must hit that on every identified key measure, not just on average. All objective evidence, configuration logs, policy texts, test results, must be ready when the on-site audit starts, because the auditor does not go searching in your systems. And any inflated claim in the self-assessment can only be corrected downward.

This is where a ZTNA console earns its place. When the auditor asks you to prove least-privilege access, you show active policies that map users to the specific applications their role needs, plus configuration logs, continuous session-validation records and evidence of enforced MFA on every external endpoint. That is the difference between claiming a control and demonstrating it.

CyFun or ISO 27001, and the sovereignty factor

Essential entities had to reach CyFun Basic or Important verification, or submit an ISO 27001 Statement of Applicability, by 18 April 2026, and move to full CyFun Essential or an accredited ISO 27001:2022 certificate by 18 April 2027. For mid-market teams CyFun is usually faster and cheaper: an ISO 27001 path typically runs 6 to 18 months and €30,000 to €120,000 over three years, while a CyFun verification can be done in 1 to 12 months for €10,000 to €60,000.

One more factor shapes the platform choice. US-headquartered cloud and network vendors fall under the US CLOUD Act, which can compel access to data wherever it is stored, creating a GDPR conflict for European organisations. An EU-sovereign platform such as Jimber keeps all inspection, logging and network flows inside the European Union, which removes that transfer risk while covering the technical controls above. Its Web Application Isolation also runs malicious code in a container at the network edge, giving a level of cyber hygiene a traditional firewall does not reach. For the wider case against legacy remote access under NIS2, see the enterprise VPN end-of-life watchlist, and for the control itself, the network isolation page.

Frequently asked questions

How do you prove the effectiveness of access control to an auditor?

The auditor wants objective evidence that theory matches practice. Show active policies in the ZTNA console proving that users only reach the applications their role needs (least-privilege), and back it with configuration logs, records of continuous session validation, and proof of enforced MFA on every external endpoint.

Is an ISO 27001 certificate enough to satisfy the Belgian NIS2 law?

Not automatically. The CCB accepts ISO 27001:2022 as a valid path, but you must submit a Statement of Applicability showing explicitly that your implemented ISO controls are equivalent to the controls of the required CyFun level. The CCB’s inspection service compares that Statement against the CyFun controls by hand.

What is the difference in cost and time between CyFun and ISO 27001?

For Belgian mid-market organisations CyFun is generally faster and cheaper. An ISO 27001 path usually takes 6 to 18 months and costs €30,000 to €120,000 over three years, whereas a CyFun verification can be completed in 1 to 12 months for €10,000 to €60,000.

Do organisations with fewer than 50 employees need to worry about NIS2?

Yes, for two reasons. Some sectors, such as DNS providers and parts of government, are in scope regardless of size. And larger in-scope organisations contractually require their suppliers to meet comparable security standards, so a small supplier that cannot show compliance risks losing the contract.

Does a SASE platform satisfy the incident-reporting requirement?

It does not file the report for you, but it supplies the technical data that makes the report possible. Centralised logging and traffic inspection let your team identify the scope, impact and likely source of an attack quickly, which is what you need to hit the 24-hour and 72-hour deadlines through Safeonweb.

Why is an EU-sovereign SASE platform safer for compliance than US alternatives?

US cloud and network providers fall under the US CLOUD Act, which lets US authorities demand access to data wherever it is stored, creating a GDPR risk around unlawful transfers to third countries. An EU-sovereign platform keeps all data inspection, logging and network flows inside the European Union, which removes that risk.

Turn the mandate into a control set

NIS2 is easier to act on once you separate the technical controls a platform can enforce from the governance work only your organisation can do. Map your Article 21 obligations against what you run today, close the technical gaps with ZTNA and isolation, and keep the policy and training work on your own roadmap. Book a Jimber demo to see how the access, monitoring and isolation controls map to your audit, or start with our NIS2 compliance checklist.

Find out how we can protect your business

In our demo call we’ll show you how our technology works and how it can help you secure your data from cyber threats.

Cybersecurity
Are you an integrator or distributor?

Need an affordable cybersecurity solution for your customers?

We’d love to help you get your customers on board.

checkmark

White glove onboarding

checkmark

Team trainings

checkmark

Dedicated customer service rep

checkmark

Invoices for each client

checkmark

Security and Privacy guaranteed