Evaluating Organization Security: User Stories of European Union NIS2 Directive
Mari Seeba, Magnus Valgre, Raimundas Matulevičius
TL;DR
This work addresses how to evaluate organizational information security under the EU NIS2 directive by translating legal requirements into pragmatic user stories for six stakeholder personas. It employs requirements elicitation and i* modelling to derive ten user stories tied to risk-management measures and validates them against existing security-evaluation instruments, highlighting instrument coverage and gaps. The study demonstrates that user stories can guide the adaptation and development of NIS2-compliant evaluation methods and support data reuse to reduce administrative burden on entities. Practically, the approach offers a structured, stakeholder-centered pathway to operationalize NIS2 requirements and informs policymakers and practitioners on how to balance evaluation rigor with administrative feasibility.
Abstract
The NIS2 directive requires EU Member States to ensure a consistently high level of cybersecurity by setting risk-management measures for essential and important entities. Evaluations are necessary to assess whether the required security level is met. This involves understanding the needs and goals of different personas defined by NIS2, who benefit from evaluation results. In this paper, we consider how NIS2 user stories support the evaluation of the level of information security in organizations. Using requirements elicitation principles, we extracted the legal requirements from NIS2 from our narrowed scope, identified six key personas and their goals, formulated user stories based on the gathered information, and validated the usability and relevance of the user stories with security evaluation instruments or methods we found from the literature. The defined user stories help to adjust existing instruments and methods of assessing the security level to comply with NIS2. On the other hand, user stories enable us to see the patterns related to security evaluation when developing new NIS2-compliant security evaluation methods to optimize the administrative burden of entities.
