CISA's Cybersecurity Performance Goals (CPG 2.0) define 38 cross-sector foundational cybersecurity practices for critical infrastructure operators — aligned to NIST CSF 2.0's six functions: Govern, Identify, Protect, Detect, Respond, and Recover. CyberICS maps 335+ ready-to-run OT/ICS tabletop scenarios to specific CPG goal IDs, generating audit-ready evidence packages that demonstrate goal achievement across Energy, Water, Manufacturing, and 21 more sectors.
NIS2 expands significantly on NIS1, covering 11 sectors of high criticality (Annex I) and 7 other critical sectors (Annex II). Entities in both groups are classified as either essential or important, and both classes must implement the Article 21 risk management measures, including documented incident handling and crisis management testing.
Essential entities are subject to proactive (ex ante and ex post) supervision by national competent authorities, the Article 23 incident reporting timeline (early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, final report within one month), and administrative fines of up to €10M or 2% of total worldwide annual turnover, whichever is higher.
Important entities face reactive (ex post, complaint-driven) supervision and lower fine caps (up to €7M or 1.4% of total worldwide annual turnover, whichever is higher), but must implement the same Article 21 cybersecurity risk management measures as essential entities.
The NIS2 Directive applies across all 27 Member States, each working in its own language. CyberICS delivers exercises, AI facilitation outputs, and After Action Reports in multiple languages (EN, FR, PT, ES), so cross-border and multilingual teams can run exercises in their working language.
Article 21(2) lists ten cybersecurity risk management measures, (a) to (j), that every covered entity must implement. Tabletop exercises produce direct test evidence for (b) and (c), and supporting or partial evidence for the other eight measures, as the table below shows. Article 20 (management body oversight) is included because exercise participation is one of the few ways to evidence it.
| Article | Measure | Requirement Summary | CyberICS Capability | Coverage |
|---|---|---|---|---|
| Art. 21(2)(a) | Risk analysis & IS policies | Policies on risk analysis and information system security | AI Facilitator Briefing surfaces policy gaps; AAR documents policy weaknesses identified during exercises; Gap Analysis flags absent policies | Supporting |
| Art. 21(2)(b) | Incident handling | Procedures for incident detection, analysis, containment, and recovery, with documented testing of incident response plans | Live Session mode executes structured incident response exercises. AI AAR documents detection, containment, and recovery steps taken. Compliance evidence package provides an audit-ready incident handling test record | Core |
| Art. 21(2)(c) | Business continuity & crisis management | Backup management, disaster recovery, and crisis management plans, including documented testing | Recovery-focused scenario variants test backup activation and DR procedures; crisis management steps are recorded and reflected in the AAR; Compliance evidence package documents the crisis management exercise | Core |
| Art. 21(2)(d) | Supply chain security | Security-related aspects of relationships with direct suppliers and service providers, including vendor risk assessment and contractual security requirements | Supply chain attack scenarios exercise third-party compromise detection and vendor communication procedures; Gap Analysis flags supply chain weaknesses identified during the exercise | Partial |
| Art. 21(2)(e) | Network & IS security | Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure | Network-layer attack scenarios (lateral movement, OT/IT boundary crossing) exercise detection and response; AAR documents control gaps in network security posture | Partial |
| Art. 21(2)(f) | Assessing effectiveness of measures | Policies and procedures to assess the effectiveness of the cybersecurity risk management measures | Each exercise is a recorded test of the measures it touches; the AAR gap analysis and remediation tracking document which measures worked and which did not | Supporting |
| Art. 21(2)(g) | Cyber hygiene & training | Basic cyber hygiene practices and cybersecurity training | Exercise completion demonstrates active cybersecurity training activity; Facilitator Certification (CTEP) evidences qualified facilitation; AI Coaching tips reinforce hygiene practices during exercises | Supporting |
| Art. 21(2)(h) | Cryptography policies | Policies and procedures on the use of cryptography and, where appropriate, encryption | Scenarios referencing encrypted communication channels and data-at-rest protections exercise cryptography-adjacent procedures; limited direct coverage | Partial |
| Art. 21(2)(i) | Human resources security & access control | HR security policies, access control policies, and asset management | Insider threat and privilege escalation scenarios exercise access control response procedures; AAR flags access management gaps identified during exercises | Supporting |
| Art. 21(2)(j) | MFA & secured communications | Use of MFA or continuous authentication, and secured voice, video, text and emergency communications within the entity, where appropriate | Authentication bypass scenarios test detection of MFA circumvention; limited direct coverage of MFA policy enforcement | Partial |
| Art. 20 | Governance: management oversight | Management bodies must approve cybersecurity risk management measures, oversee their implementation, follow cybersecurity training, and can be held liable for infringements | Executive-level scenario participants, AI AAR addressed to management, exercise history demonstrating a consistent programme, Compliance Dashboard for board-level reporting | Supporting |
Three core capabilities work together to deliver, document, and evidence your Article 21(b) and 21(c) obligations.
Live Session mode provides a real-time, multi-participant exercise environment. All steps, responses, and host actions are timestamped — creating an auditable record of your incident handling test.
Immediately after each exercise, CyberICS's AI generates a structured AAR documenting gaps, recommendations, and NIS2 Article 21 control references — in the language your team worked in.
The Compliance Dashboard generates per-framework NIS2 evidence packages — a 6-page audit PDF covering exercise log, Article 21 controls coverage, gap analysis, remediation plan, and attestation.
Six high-fidelity scenarios covering the most regulated NIS2 sectors — ready to run without customisation, with AI facilitator briefing included.
Ransomware propagates through a hospital's Building Management System, affecting HVAC, access control, and medical gas pressure monitoring. Tests Art. 21(b)(c) incident and continuity response.
A coordinated cyberattack targets multiple substations simultaneously, triggering cascading grid failures. Exercises Art. 21(b) incident response and cross-authority communication under Art. 23.
An attacker gains access to a municipal water treatment SCADA system and begins altering chemical dosing setpoints. Tests detection, containment, and public authority notification under NIS2 Art. 23.
A sophisticated threat actor compromises SWIFT messaging infrastructure, threatening transaction integrity and regulatory notification timelines. Exercises DORA/NIS2 dual obligations and Art. 21(b) response.
Ransomware strikes a port's logistics management platform, halting container tracking and creating cross-border supply chain disruption. Tests Art. 21(b)(c) and supply chain notification obligations.
A trusted software vendor used across multiple EU Member State entities is compromised, requiring coordinated cross-border response. Tests Art. 21(d) supply chain obligations and Art. 23 notification flows.
Plus 59 additional scenarios across Pharma, Chemical, Manufacturing, Oil & Gas, and more. Browse the full library →
Every CyberICS exercise generates four categories of compliance evidence supporting NIS2 Article 21 demonstration requirements and competent authority reporting.
AI-generated PDF with gap analysis, corrective actions, and NIS2 Article 21 references. Available in EN, FR, PT, ES within minutes of exercise completion.
6-page per-framework audit PDF: exercise log, Article 21 controls map, gap analysis, remediation timeline, and attestation page for competent authority files.
Timestamped record of all participant responses and exercise activity demonstrating real team engagement — relevant to Art. 20 management participation evidence.
Identified exercise gaps are automatically pushed to ServiceNow or Jira as remediation tickets — creating a documented corrective action trail for Article 21 implementation evidence.
CISA CPG 1.0.1 defines 38 foundational goals across the five NIST CSF 1.1 functions (Identify, Protect, Detect, Respond, Recover), with separate IT and OT variants of many goals. CPG 2.0 (Dec 2024) reorganizes the goals under CSF 2.0's six functions, adding Govern, and consolidates the IT/OT variants into single universal goals. CyberICS scenarios map directly to specific CPG goal IDs.
CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.
Start with 3 free exercises — no credit card required. Or speak with our team about building a structured CPG exercise programme mapped to your sector's specific goals.
Also explore: CISA CTEP Toolkit · NIST CSF 2.0 Toolkit · NERC CIP Toolkit