NIS2 Article 21 essential measures — covered.
NIS2 entered force across the EU in October 2024. If you're an essential or important entity in one of 18 sectors, Article 21 mandates 10 categories of risk-management measures. Personal liability for boards if you fail. AuditCore generates the technical evidence for the half that can be automated.
TL;DR
NIS2 (Directive 2022/2555) replaced NIS1 with bigger scope (18 sectors vs 7), bigger fines (up to €10M or 2% global turnover), and personal management-body liability. National transpositions are now in force; member states' competent authorities are actively enforcing.
Article 21(2) lists 10 categories of measures. AuditCore directly automates: vulnerability handling and disclosure (e), encryption (h), cyber hygiene (g). It produces supporting evidence for: network and information systems security (b), business continuity (c), supply chain security (d), human resources security (i — for technical access controls).
Requirement → AuditCore scanner coverage
Each requirement of the standard is mapped to the AuditCore scanners that contribute evidence. Full = automated end-to-end; partial = covers part, manual review for the rest; manual = AuditCore doesn't automate (process / paperwork / org-only).
| ID | Requirement | Coverage | Scanners |
|---|---|---|---|
| Art 21(2)(a) | Policies on risk analysis and information system security. Risk-scored findings (CVSS) feeding into your risk register. Trend reports show measure effectiveness over time. | partial | AiContextScanner |
| Art 21(2)(b) | Incident handling. Continuous scanning produces the early-warning signal stream; webhooks notify your SOC. The incident response process itself is yours to build. | partial | ZapScanner, NucleiScanner |
| Art 21(2)(c) | Business continuity, including backup management and crisis management. Resilience-related findings: DoS-amplification vectors, race conditions, request smuggling. | partial | RaceConditionTester, SmugglingScanner, HostHeaderScanner |
| Art 21(2)(d) | Supply chain security. Dependency CVE scanning, sub-domain takeover detection (cloud supplier risk), exposed third-party credentials. | full | TrivyScanner, SubdomainTakeoverScanner, GitleaksScanner, SsrfScanner |
| Art 21(2)(e) | Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure. The core DAST + SAST mandate: vulnerability identification → severity → remediation tracking → re-test. | full | ZapScanner, NucleiScanner, SqlmapScanner, SemgrepScanner, TrivyScanner, NiktoScanner |
| Art 21(2)(f) | Policies and procedures to assess the effectiveness of cybersecurity risk-management measures. Scheduled scans with documented coverage + remediation evidence = exactly this. | full | ZapScanner, NucleiScanner |
| Art 21(2)(g) | Basic cyber hygiene practices and cybersecurity training. Default-credential checks, exposed admin paths, security headers, weak crypto — the hygiene basics. | full | HeaderAnalyzer, CookieAnalyzer, SSLyzeScanner, WordPressScanner, SensitiveFilesScanner |
| Art 21(2)(h) | Policies and procedures regarding the use of cryptography and, where appropriate, encryption. TLS configuration audit, weak cipher detection, certificate expiry, encryption-in-transit verification. | full | SSLyzeScanner, HeaderAnalyzer |
| Art 21(2)(i) | Human resources security, access control policies, asset management. BOLA/BFLA detection = access-control-policy verification. Doesn't cover the HR side. | partial | AuthReplay, JwtAnalyzer, SessionTester, OAuthTester |
| Art 21(2)(j) | Use of multi-factor authentication, secured voice/video/text comms, secured emergency comms. We can detect missing MFA in the auth flow (no MFA prompt visible) and weak OAuth state. Secured voice/video/text comms = outside scope. | partial | OAuthTester, AuthReplay |
Sample findings AuditCore surfaces for this standard
Real finding types our scanners produce. Each maps to one or more of the requirements above.
- Vulnerability handling failure — undocumented admin API discoverable to anyone. Common cause of NIS2-reportable incidents.
- Direct cryptography requirement breach. NIS2 competent authorities check this in their first sweep.
- Supply chain security gap — attacker can phish your users from your own domain. Highly visible to your competent authority.
- Vulnerability handling. NIS2-reportable incident if exploited; preventable with monthly scans.
- Cyber hygiene + encryption-in-transit gap. Both are explicit Article 21 categories.
Pro ($299) — Essential entities should consider Business ($499)
Pro covers Article 21 technical scope. Essential entities (Annex I sectors: energy, transport, banking, healthcare, etc.) often need Business tier for credentialed scans of internal systems + custom scan profiles aligned to your competent authority's expectations.
What AuditCore doesn't cover
Honest scope — these items are part of the standard but require process, paperwork, or org-level controls outside what a web scanner can verify. Use a manual auditor / compliance consultant for these.
- Management body (board) cybersecurity training (Art 20(2))
- Incident notification workflow to CSIRT (Art 23) — process, not scan
- Crisis communication plan (Art 21(2)(c))
- Supplier risk assessment process + contracts (Art 21(2)(d) supplier side)
- Human resources screening + background checks (Art 21(2)(i))
- Physical security of facilities (Art 21(2)(i))
- Cybersecurity training and awareness program (Art 21(2)(g))
- Registration with competent authority (varies by member state)
FAQ
Does NIS2 apply to my company?
Likely yes if you have ≥50 employees OR ≥€10M annual revenue/turnover AND operate in one of 18 sectors (energy, transport, banking, financial market, health, drinking water, wastewater, digital infra, ICT service management, public admin, space, postal, waste, chemicals, food, manufacturing, digital providers, research). 'Essential' entities face stricter supervision than 'important' ones. Most B2B SaaS companies fall under digital infra or ICT service management and are important entities. Check your member state's official register.
What are the actual NIS2 fines?
Up to €10M or 2% of global annual turnover (whichever is higher) for essential entities. Up to €7M or 1.4% for important entities. Plus personal liability for management body members — they can be temporarily banned from management roles. Member states added their own enforcement (e.g. Germany's BSI publishes a public register of NIS2-fined companies).
How is NIS2 enforced — proactive audits or only after an incident?
Both. Essential entities face ex ante supervision: competent authorities can demand evidence at any time. Important entities get ex post supervision: they are only audited after an incident or a credible tip. AuditCore's scheduled scans + report history are exactly the kind of 'evidence on demand' a competent authority asks for during an ex ante review.
When do I need to report an incident under NIS2?
Article 23 — early warning within 24h of becoming aware, incident notification within 72h, final report within 1 month. AuditCore findings aren't 'incidents' themselves (they're potential vulnerabilities), but a confirmed exploited finding IS reportable. Webhooks let you wire scan-completed events into your incident response workflow.
Is AuditCore aligned to ENISA NIS2 implementing acts?
The European Commission published the NIS2 Implementing Regulation in October 2024 with technical requirements for digital infrastructure entities. Our scanner coverage tracks the same OWASP / ASVS / CIS technical baselines those acts reference. We don't claim formal 'NIS2 certification' — that doesn't exist (NIS2 doesn't have a certification scheme like ISO 27001).
I'm already ISO 27001 certified. Do I need NIS2 too?
ISO 27001 certification helps significantly — most member states accept it as evidence for several Article 21 categories. But ISO 27001 ≠ NIS2 compliance. You still need to: register with your competent authority, implement the incident reporting workflow (Art 23), ensure management body training (Art 20). The technical measures overlap ~80% — your existing AuditCore scans support both standards.
Start the audit in 60 seconds
Free 1-page audit, no credit card. Upgrade to Pro ($299) — Essential entities should consider Business ($499) when you need the full standard coverage.