Who should read this: Risk managers, facilities teams, security teams, and anyone responsible for comprehensive risk management beyond cybersecurity.
NIS2 Article 21(2) requires that risk-management measures “be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents.”
This phrase—“all-hazards approach”—is vital. It means NIS2 is not just about cyberattacks. It is about protecting information systems and infrastructure from any incident that could disrupt service or cause harm. This includes physical attacks, environmental disasters, accidents, and yes, cyberattacks.
The all-hazards approach reflects a critical insight: a sophisticated attacker does not always attack digitally. An attacker who wants to disrupt a power plant might not target the SCADA system. Instead, they might simply cut the power cables with an axe. A disaster that disrupts a data centre might not be a cyberattack—it might be a fire, a flood, or a theft of critical hardware.
This guide explains what the all-hazards approach means, why it matters, and how to implement it.
The All-Hazards Concept
An “all-hazards approach” to security means addressing all categories of threats to your systems and services, not just cyberattacks.
Categories of hazards include:
Cyber Threats
Attacks on information systems:
Malware, ransomware, viruses.
Phishing, social engineering.
Exploitation of vulnerabilities.
Distributed denial-of-service (DDoS) attacks.
Data theft, espionage.
Insider threats (disgruntled employees, sabotage).
Supply chain compromise.
Physical Attacks
Deliberate physical damage:
Breaking and entering to steal hardware or data.
Vandalism of critical infrastructure.
Cutting cables or disabling equipment.
Tampering with systems (adding malicious hardware, USB devices).
Bomb threats or explosive attacks on facilities.
Environmental and Natural Disasters
Naturally occurring hazards:
Fire (accidental or deliberately set).
Flooding (burst pipes, heavy rain, storm surge).
Earthquakes or other seismic events.
High winds, storms, ice.
Extreme temperatures affecting equipment.
Loss of utility services (power outages, water loss, HVAC failure).
Accidents
Unintentional incidents:
Power surges damaging equipment.
Accidental spills or water damage.
Employee error (misconfiguration, accidental data deletion).
Vehicle accidents affecting facilities.
Supply Chain Incidents
Incidents affecting suppliers or dependencies:
Supplier bankruptcy or closure.
Supplier data breach affecting your data held by them.
Compromise of critical components in supplier products.
Loss of supplier services (outage, termination).
Operational Incidents
Issues in your own operations:
Key personnel becoming unavailable (illness, departure).
Inadequate backup systems or failed restoration.
Procedure failures (misconfiguration, incorrect updates).
Monitoring or detection failures.
Why All-Hazards Matters
The all-hazards approach recognises that threats to your services are not exclusively cyber.
A sophisticated attacker might use any means available. A nation-state attacking critical infrastructure might combine cyber attacks with physical sabotage. A criminal targeting a financial institution might combine a cyber attack with physical theft. A disgruntled employee might both steal data and damage equipment.
Environmental disasters can be as damaging as cyberattacks. A flood in a data centre can destroy hardware faster than any ransomware. A power outage can bring down services as effectively as a DDoS attack.
Moreover, the all-hazards approach helps you think holistically about risk. If you focus only on cybersecurity, you might have robust intrusion detection and patch management but terrible physical security. An attacker could simply walk into your data centre and unplug servers or load malicious hardware onto your network.
NIS2’s all-hazards approach forces you to think about security across all dimensions.
Article 21 Measures in an All-Hazards Context
Each of the ten Article 21(2) measures should be implemented with all hazards in mind.
Measure 1 – Risk Analysis and Security Policies
Your risk assessment must address all categories of hazards, not just cyber threats.
For each critical system or asset, identify:
Cyber threats (what attacks could affect this?).
Physical threats (could someone break in and damage it?).
Environmental threats (could fire, flood, or power loss affect it?).
Accident risks (what human errors could damage it?).
Supplier/operational risks.
Prioritise risks based on likelihood and impact. A critical data centre should assess flood risk geographically. Does it sit in a flood-prone area? What is the likelihood? If flooding is high-risk, your mitigation (raising facilities, flood barriers, backup sites outside flood zones) must reflect that.
Your security policies should address all-hazards risks, not just cyber controls.
Measure 2 – Incident Handling
Incident handling includes responses to cyber incidents, but also to physical and environmental incidents.
Define incident types:
Cyber incident: malware, intrusion, data theft.
Physical incident: break-in, theft, vandalism, fire.
Environmental incident: flooding, power outage, HVAC failure.
Operational incident: supply chain failure, key personnel loss, procedure error.
For each incident type, define your response:
Detection: How do you detect this type of incident?
Investigation: What do you do to investigate?
Containment: How do you stop it?
Recovery: How do you restore service?
Documentation: What do you document for regulators?
Your incident response should be integrated across all hazard types, not just cyber.
Measure 3 – Business Continuity and Disaster Recovery
This is where all-hazards really matters.
Business continuity planning must address:
Cyber incidents: If your systems are encrypted by ransomware, can you restore from backups?
Physical incidents: If your data centre burns down, can you failover to another location?
Environmental incidents: If a flood destroys your primary site, is your backup in another geographic area?
Supplier failures: If your cloud provider fails, can you migrate to another?
Personnel loss: If key technical staff become unavailable, can someone else manage critical functions?
Your backups must be stored off-site or in separate facilities so that a disaster affecting your primary location does not also destroy backups.
Your disaster recovery plan must be tested regularly against different scenarios (cyber attack, fire, flooding, etc.). Do not assume your plan will work without testing.
Your recovery time objectives (RTOs) must be realistic. For critical services, RTOs might be minutes or hours. To achieve tight RTOs, you need advance planning, tested procedures, and often multiple sites.
Measure 4 – Supply Chain Security
Supply chain security in an all-hazards context means:
Assessing suppliers for cyber security (do they have security practices?).
Assessing suppliers for operational resilience (can they survive a physical disaster and continue serving you?).
Assessing suppliers’ dependencies (if a supplier’s supplier fails, do they have contingencies?).
Having alternative suppliers so that a single supplier’s failure does not cause your failure.
Measure 5 – Secure Development
This is primarily a cyber measure. But it should address:
Secure coding to prevent vulnerabilities that attackers could exploit.
Testing to find and fix defects that could cause outages or data loss.
Secure deployment procedures to prevent misconfiguration.
Measure 6 – Effectiveness Assessment
Assess your controls against all hazards:
Conduct vulnerability scans (cyber).
Conduct physical security assessments (can someone break in?).
Test disaster recovery procedures (can you restore if your primary site fails?).
Audit your supply chain resilience (what happens if suppliers fail?).
Measure 7 – Cyber Hygiene and Training
Training should address all-hazards awareness:
Cyber hygiene: phishing, passwords, data protection.
Physical security: do not leave doors propped open, do not share access badges, report suspicious persons.
Environmental awareness: know evacuation procedures, know how to report environmental hazards.
Measure 8 – Cryptography
Primarily a cyber measure.
Measure 9 – Human Resources and Access Control
Access control in an all-hazards context:
Cyber access control: authentication, authorization, least privilege.
Physical access control: badges, locks, biometrics, visitor logs.
Separation of duties: prevent any single person from having too much control (cyber or physical).
Termination procedures: revoke access (cyber and physical) immediately when employees leave.
Background checks: screen people with access to critical systems for threats.
Measure 10 – Multi-Factor Authentication
Primarily cyber, but related to access control.
Physical Security Implementation
Given the all-hazards approach, your physical security must be strong.
Facilities
For facilities housing critical systems:
Access control: restrict entry to authorized personnel only.
Visitor management: log visitors, require escorting, limit access.
Perimeter security: fencing, gates, cameras.
Environmental controls: fire suppression (sprinklers), HVAC monitoring, humidity control.
Power backup: uninterruptible power supplies, backup generators.
Network security: secure cables, prevent tampering.
Hardware Security
For devices and hardware:
Secure storage: store equipment in locked areas.
Inventory management: track all hardware, prevent theft.
Secure disposal: destroy equipment at end-of-life so data cannot be recovered.
Firmware verification: ensure firmware on devices has not been tampered with.
Cable security: prevent cutting or interference with network cables.
Personnel Security
For people with access to systems:
Background checks before hire.
Security training and awareness.
Continuous monitoring (watch for suspicious behaviour).
Secure termination (revoke all access before departure).
Confidentiality agreements.
Environmental Risk Assessment
For each critical facility, conduct an environmental risk assessment.
Questions to ask:
Is the facility in a flood-prone area? What is the flood risk?
Is the facility in an earthquake-prone area?
Is there risk of extreme weather (high winds, ice, extreme temperatures)?
What is the local power grid reliability? Frequency of outages?
What is the local water supply reliability?
What is the fire risk? Is the facility near wildfire-prone areas or in a building with fire hazards?
For each risk identified, determine your mitigation:
Reduce likelihood: raise the facility above flood level, move away from fire-prone areas, improve fire suppression systems.
Reduce impact: if you cannot prevent flooding, have backup facilities outside flood zones; if you cannot prevent power outages, have backup generators; if you cannot prevent fires, have automatic sprinkler systems and early detection.
Accept risk: if the risk is very low probability and/or you have good mitigation, you may accept residual risk.
Document your assessment and any accepted risks. Regulators will want to see that you have thought through environmental hazards.
Resilience vs Resistance
The all-hazards approach recognises a distinction between resistance and resilience:
Resistance means preventing an incident from happening (a strong lock prevents a break-in, a firewall prevents a cyberattack).
Resilience means the ability to recover quickly if an incident happens anyway.
NIS2 requires both:
You must resist threats where possible (strong controls, defences).
You must be resilient where resistance is impossible (backup sites, redundancy, quick recovery).
For some hazards, resistance is not practical. You cannot prevent earthquakes or floods. But you can be resilient: by having multiple facilities in different areas, by having backups, by having insurance, by having incident response plans.
Proportionality in All-Hazards Approach
The all-hazards approach must be proportionate. You are not required to implement controls against hazards that are not realistic for your context.
Examples:
If your data centre is in a stable geological region far from earthquake zones, you do not need seismic reinforcement.
If your facility is on a hilltop far from flood zones, flood mitigation is less critical.
If your operations are not dependent on external suppliers, supply chain resilience is less critical.
However, you must do a risk assessment to determine what is and is not realistic. Do not simply assume low risk without analysis.
Practical Checklist: All-Hazards Implementation
For each critical system or facility:
Identify all potential hazards (cyber, physical, environmental, operational, supply chain).
Assess likelihood and impact for each hazard.
Determine acceptable risk (what will you tolerate?).
For each unacceptable risk, implement controls:
To reduce likelihood (prevent the hazard).
To reduce impact (mitigate if it happens anyway).
Test your controls (drills, tabletop exercises, security assessments).
Document your approach (risk assessment, controls, test results).
For high-risk environmental hazards:
Conduct geographic and facility risk assessment.
Implement environmental controls (fire suppression, HVAC monitoring, etc.).
Locate backup facilities in different geographic areas.
Test disaster recovery regularly.
For supply chain hazards:
Assess all critical suppliers.
Develop alternative supplier relationships.
Monitor suppliers’ operational health and security.
Test ability to switch suppliers if needed.
For physical security:
Implement access controls (badges, locks, biometrics).
Monitor access and detect anomalies.
Conduct regular physical security assessments.
Train personnel on physical security.
For personnel/operational hazards:
Document critical functions and who performs them.
Cross-train staff so multiple people can perform critical functions.
Have succession plans for key roles.
Test your ability to operate if key people are unavailable.
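The checklist above is a procedure: record hazards per category for each asset, score likelihood and impact, set a risk appetite, apply controls that reduce likelihood or impact, test them, and document any residual risk you accept. The following risk-register script is an added example that is not part of this guide; the 1 to 5 scales, the appetite threshold of 8, the asset name, the hazards and the control effects are all constructed for illustration and should be replaced by the values from your own assessment.

```python
"""Minimal all-hazards risk register (added example, not from the guide).

Scores use a constructed 1..5 likelihood x 1..5 impact scale; a control
subtracts points from likelihood, impact or both, and residual risk above
the appetite that has not been formally accepted is what the team works on.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Hazard categories from the guide; every asset should have each one considered.
CATEGORIES = {"cyber", "physical", "environmental", "accident", "supply_chain", "operational"}


@dataclass
class Control:
    name: str
    reduces_likelihood: int = 0  # points subtracted from likelihood (prevention)
    reduces_impact: int = 0      # points subtracted from impact (mitigation)
    tested: bool = False         # drill, tabletop exercise or assessment performed


@dataclass
class Hazard:
    asset: str
    category: str
    description: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)
    accepted: bool = False  # residual risk formally accepted and documented

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown hazard category: {self.category}")
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be between 1 and 5")

    def inherent_score(self) -> int:
        """Risk before any control is applied."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk after controls; neither factor drops below 1 (no hazard vanishes)."""
        likelihood = self.likelihood - sum(c.reduces_likelihood for c in self.controls)
        impact = self.impact - sum(c.reduces_impact for c in self.controls)
        return max(1, likelihood) * max(1, impact)


def prioritise(hazards: List[Hazard], appetite: int) -> List[Hazard]:
    """Hazards whose residual risk exceeds the appetite and is not accepted, highest first."""
    open_risks = [h for h in hazards if h.residual_score() > appetite and not h.accepted]
    return sorted(open_risks, key=lambda h: h.residual_score(), reverse=True)


def untested_controls(hazards: List[Hazard]) -> List[Tuple[str, str]]:
    """Controls relied on in the register that have never been exercised."""
    return [(h.description, c.name) for h in hazards for c in h.controls if not c.tested]


def coverage_gaps(hazards: List[Hazard], asset: str) -> List[str]:
    """Categories with no hazard recorded for an asset: the all-hazards completeness check."""
    seen = {h.category for h in hazards if h.asset == asset}
    return sorted(CATEGORIES - seen)


# Constructed sample register for one asset (illustrative values only).
SAMPLE_REGISTER = [
    Hazard("Primary data centre", "cyber", "Ransomware encrypting production systems", 4, 5,
           [Control("Offline, off-site backups", reduces_impact=3, tested=True),
            Control("Endpoint detection and response", reduces_likelihood=1, tested=True)]),
    Hazard("Primary data centre", "physical", "Unauthorised entry and hardware theft", 2, 4,
           [Control("Badge access and visitor escort", reduces_likelihood=1, tested=False)]),
    Hazard("Primary data centre", "environmental", "Flooding of ground-floor equipment room", 3, 5,
           [Control("Equipment raised above flood level", reduces_impact=1, tested=True)]),
    Hazard("Primary data centre", "accident", "Misconfiguration causing outage", 4, 3,
           [Control("Peer-reviewed change process", reduces_likelihood=2, tested=True)]),
    Hazard("Primary data centre", "supply_chain", "Cloud provider outage", 3, 3,
           accepted=True),  # documented as accepted residual risk
]

if __name__ == "__main__":
    for h in prioritise(SAMPLE_REGISTER, appetite=8):
        print(f"OPEN  {h.residual_score():>2}  {h.category:<13} {h.description}")
    for desc, name in untested_controls(SAMPLE_REGISTER):
        print(f"UNTESTED  {name}  (relied on for: {desc})")
    print("missing categories:", coverage_gaps(SAMPLE_REGISTER, "Primary data centre"))
```

Three outputs map to the checklist: `prioritise` is the "for each unacceptable risk" step, `untested_controls` is the "test your controls" step, and `coverage_gaps` catches the case the guide warns about, an asset whose register only ever considered cyber threats. The accepted supplier risk stays in the register rather than being deleted, which is what "document your assessment and any accepted risks" asks for.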
Key Takeaways
- The all-hazards approach requires protecting systems and infrastructure from all categories of threats: cyber, physical, environmental, accidents, and supply chain; Article 21 measures must address all hazard types, not just cyberattacks.
- Physical security is as important as cyber security; implementation includes access controls, visitor management, perimeter security, environmental controls (fire suppression, HVAC), power backup, and hardware security.
- Business continuity and disaster recovery must be designed for all hazards: backups must be stored off-site in different geographic areas; disaster recovery procedures must be tested against different scenarios (cyber, fire, flood, power outage); recovery time objectives must be achievable.
- Environmental risk assessment should identify local hazards (flood risk, earthquake risk, extreme weather, power grid reliability) and determine appropriate mitigations (raising facilities, backup sites, backup generators, fire suppression).
- Supply chain resilience is critical: assess suppliers for operational resilience, develop alternative suppliers, monitor supplier health, and test the ability to switch suppliers if a critical supplier fails.
- Proportionality applies: you are not required to implement controls against unrealistic hazards; however, you must conduct a risk assessment to determine what is realistic for your context and document your conclusions.
- Resilience and resistance are complementary: resist threats where possible (strong controls, defences) and be resilient where resistance is impossible (backups, redundancy, quick recovery).