The Effectiveness KPIs module enables you to define, track, and report on key performance indicators that measure the effectiveness of your cybersecurity risk-management measures. NIS2 Article 21(2)(f) requires organisations to have policies and procedures in place to assess the effectiveness of their cybersecurity measures. This module provides the structured framework to fulfil that obligation.
KPI Dashboard
The KPI dashboard provides a visual overview of all defined metrics:
KPI Cards
Each KPI is displayed as a card showing:
- KPI Name and category
- Current Value prominently displayed with unit
- Target Value for comparison
- Trend Arrow — an upward green arrow (improving), horizontal amber arrow (stable), or downward red arrow (declining)
- Progress bar showing current value as a percentage of the target
Target vs Actual Bars
A grouped bar chart compares target and actual values across all KPIs, providing an at-a-glance view of which metrics are meeting targets and which are falling short.
Historical Charts
Click on any KPI card to view a historical trend chart showing how the metric has evolved over time based on measurement frequency. This helps identify patterns, seasonal variations, and the impact of improvement initiatives.
Creating a KPI
To create a new KPI, click "Add KPI" and complete the form:
Enter the KPI name and select the category that maps to the relevant Art. 21(2) area. Categorising every KPI this way lets you confirm that each NIS2 requirement area has at least one metric covering it.
Enter the target value (your goal) and the current measured value. Specify the unit of measurement (e.g., "%", "hours", "count", "days").
Select the measurement frequency and identify the data source from which the metric is collected. Assign an owner responsible for reporting this KPI.
Indicate the current trend direction: improving, stable, or declining. Update this field each time the KPI value is refreshed so the arrow on the dashboard reflects the latest measurement.
Provide any additional context, calculation methodology, or commentary about the KPI.
Click "Save" to add the KPI to your dashboard.
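As an added example (not the module's own code), the dashboard logic described above expressed in Python: a KPI record built from the form fields, the progress bar as current value over target, the trend arrow derived from successive measurements, and the Art. 21(2)(f) "KPIs meeting target" rollup from the category table. The `higher_is_better` flag and the 2% stability tolerance are assumptions; the page does not define metric direction, but a lower-is-better KPI such as MTTD in hours only meets its target when at or below it.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class KPI:
    """A KPI record built from the form fields on this page (constructed example)."""
    name: str
    category: str            # Art. 21(2) area
    unit: str
    target: Optional[float]
    current: Optional[float]
    higher_is_better: bool = True   # assumption: the page does not define metric direction
    history: list = field(default_factory=list)  # past values, oldest to newest

def progress_pct(kpi: KPI) -> Optional[float]:
    """Progress bar value: current as a percentage of target, capped at 100.
    None when target or current is missing or target is 0 (ratio undefined)."""
    if kpi.target is None or kpi.current is None or kpi.target == 0:
        return None
    if kpi.higher_is_better:
        ratio = kpi.current / kpi.target
    else:  # lower is better: a value at or below target is full progress
        ratio = kpi.target / kpi.current if kpi.current else 1.0
    return round(min(ratio, 1.0) * 100, 1)

def meets_target(kpi: KPI) -> bool:
    if kpi.target is None or kpi.current is None:
        return False
    return kpi.current >= kpi.target if kpi.higher_is_better else kpi.current <= kpi.target

def trend(kpi: KPI, tolerance: float = 0.02) -> str:
    """Trend arrow from the last two measurements; a relative change within
    `tolerance` (2% here, an assumed threshold) reads as stable."""
    if len(kpi.history) < 2:
        return "stable"
    prev, last = kpi.history[-2], kpi.history[-1]
    delta = (last - prev) / abs(prev) if prev else (1.0 if last > 0 else 0.0)
    if abs(delta) <= tolerance:
        return "stable"
    return "improving" if (delta > 0) == kpi.higher_is_better else "declining"

def kpis_meeting_target_pct(kpis) -> float:
    """The Art. 21(2)(f) rollup from the category table: share of scored KPIs at target."""
    scored = [k for k in kpis if k.target is not None and k.current is not None]
    return round(100 * sum(map(meets_target, scored)) / len(scored), 1) if scored else 0.0

# Constructed sample KPIs
PATCH = KPI("Patch Compliance Rate", "(e)", "%", 95, 91, True, [88, 91])
MTTD = KPI("Mean Time to Detect (MTTD)", "(b)", "hours", 4, 3.5, False, [5.0, 3.5])
PHISH = KPI("Phishing simulation click rate", "(g)", "%", 5, 5, False, [4.95, 5.0])
```

A KPI whose target is 0 (for example an orphaned account count) returns no progress value rather than dividing by zero, so the card should render without a bar in that case.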
Form Fields Reference
| Field | Type | Required | Description |
|---|---|---|---|
| KPI Name | Text input | Required | A clear, descriptive name for the metric. Example: "Mean Time to Detect (MTTD)", "Patch Compliance Rate", "Security Training Completion" |
| Category | Select dropdown | Optional | Maps to one of the Art. 21(2)(a–j) areas. See category table below for options. |
| Target Value | Number | Optional | The target or goal value for this KPI. Example: 95 (for a 95% target), 4 (for 4 hours MTTD) |
| Current Value | Number | Optional | The most recent measured value for this KPI |
| Unit | Text input | Optional | The unit of measurement. Examples: "%", "hours", "count", "days", "incidents", "score" |
| Measurement Frequency | Select dropdown | Optional | How often this KPI is measured and updated. Options: Monthly, Quarterly, Semi-Annual, Annual |
| Data Source | Text input | Optional | Where the metric data comes from. Examples: "SIEM Dashboard", "Vulnerability Scanner", "HR System", "Training Platform", "Manual Count" |
| Owner | User select | Optional | The person responsible for measuring and reporting this KPI. Select from your organisation's users. |
| Trend | Select dropdown | Optional | Current trend direction: Improving (green upward arrow), Stable (amber horizontal arrow), Declining (red downward arrow) |
| Notes | Textarea | Optional | Additional context, calculation methodology, thresholds, or commentary |
Category Options (Mapped to Art. 21(2))
| Category | Art. 21(2) Reference | Example KPIs |
|---|---|---|
| Risk Analysis and Policies | (a) | Risk assessments completed on schedule, Policy review compliance rate, Open risk items count |
| Incident Handling | (b) | Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), Incident closure rate, NIS2 notification compliance rate |
| Business Continuity | (c) | BCP test pass rate, Recovery time achieved vs RTO, Backup success rate, DR exercise completion |
| Supply Chain Security | (d) | Supplier security assessments completed, Critical supplier coverage rate, Contract compliance rate |
| Network and Systems Security | (e) | Patch compliance rate, Vulnerability remediation time, Penetration test findings closed, Configuration compliance |
| Effectiveness Assessment | (f) | Audit findings closure rate, KPIs meeting target percentage, Control effectiveness score |
| Cyber Hygiene and Training | (g) | Security awareness training completion rate, Phishing simulation click rate, Policy acknowledgement rate |
| Cryptography | (h) | Encryption coverage rate, Certificate expiry compliance, Key rotation adherence |
| HR Security and Access Control | (i) | Access review completion rate, Privileged account count, Orphaned account count, Joiner/leaver process time |
| MFA and Monitoring | (j) | MFA adoption rate, Monitoring coverage rate, Alert false positive rate, SOC response time |
Measurement Frequency Options
| Frequency | Description | Recommended For |
|---|---|---|
| Monthly | KPI is measured and updated every month | Operational metrics: patch rates, training completion, incident counts, MFA adoption |
| Quarterly | KPI is measured and updated every quarter | Tactical metrics: risk assessment progress, supplier reviews, access reviews |
| Semi-Annual | KPI is measured and updated every six months | Strategic metrics: BCP/DRP test results, penetration test scores |
| Annual | KPI is measured and updated once per year | Annual metrics: overall maturity score, audit findings, certification status |