NIS2 enforcement began October 17, 2024 — the EU member state transposition deadline. All 27 member states are now required to have transposed NIS2 into national law. National regulators (BSI in Germany, ANSSI in France, the NCSC in the Netherlands, etc.) are conducting assessments and issuing notices.
Who NIS2 covers
NIS2 applies to "essential" and "important" entities in 18 sectors operating in the EU. Size thresholds: 50+ employees or €10M+ revenue (medium enterprises). Large enterprises (250+ employees or €50M+ revenue) face stricter "essential entity" obligations.
- Energy (electricity, gas, oil, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Healthcare and pharmaceutical
- Drinking water and wastewater
- Digital infrastructure (DNS, TLD, IXP, cloud, datacenter)
- ICT service management (B2B)
- Public administration
- Space
- Postal and courier services
- Waste management
- Chemicals
- Food production and distribution
- Manufacturing (medical devices, electronics, machinery, motor vehicles)
- Digital providers (online marketplaces, search engines, social networks)
- Research organizations
Why ISO 27001 isn't enough
This is the question we get most from EU organizations: "We're ISO 27001 certified — does NIS2 apply to us differently?"
The answer is that NIS2 applies to you in exactly the same way regardless of ISO 27001 status, and certification on its own does not satisfy it, for three reasons:
- Mandatory 24-hour incident reporting — ISO 27001 has no mandatory incident reporting timeline. NIS2 Art 23 requires initial notification within 24 hours of a significant incident, and a detailed report within 72 hours. Missing this deadline is a separate fine from any underlying security failure.
- Supply chain security obligations — Art 21(2)(d) requires assessment and management of third-party security risks. ISO 27001 Annex A has supplier controls, but NIS2 goes further by requiring contractual guarantees and audit rights with critical suppliers.
- Board-level accountability — Art 20 requires management body approval of cybersecurity risk management measures and personal liability for non-compliance. ISO 27001 has no equivalent management accountability provision.
In our passive scan of 63+ NIS2-essential entities across EU member states, the most common finding is weak email security (DMARC p=none or missing). This violates Art 21(2)(h) (secure communications) and Art 21(2)(e) (encryption and access control). It's also the easiest to fix — and the most embarrassing to have when regulators come calling.
Fine structure under NIS2
Art 21 technical requirements — what we check
NIS2 Art 21(2) specifies minimum cybersecurity measures. Here's how our passive scan maps to the controls that are visible externally:
- Art 21(2)(b) — Incident handling: We look for public disclosure policies and security.txt files as evidence of incident readiness
- Art 21(2)(e) — Policies on use of cryptography: We check TLS versions, cipher suites, and HSTS configuration
- Art 21(2)(g) — Vulnerability disclosure: We check for coordinated disclosure policies and responsible disclosure programs
- Art 21(2)(h) — Secure communications: We check DMARC, DKIM, SPF, MTA-STS, and STARTTLS configuration
- Art 21(2)(i) — Secure emergency systems: We check for internet-exposed management interfaces and VPN CVEs
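The email-authentication checks listed above, and the DMARC p=none finding reported in the ISO 27001 section, can be reproduced offline against captured DNS records. The block below is an added example written for this page; it is not the vendor's scanner. It parses DMARC, SPF and MTA-STS TXT records and reports the weaknesses a receiving mail server would act on. The domains and records in SAMPLE_DNS are constructed; a live check would replace them with TXT lookups of the apex, _dmarc and _mta-sts names (and fetch the MTA-STS policy over HTTPS).

```python
"""Added example: classify externally visible email-authentication posture.

Constructed DNS records stand in for live lookups so this runs offline.
"""
import re

# Constructed sample zones (not real domains' data); ".test" is a reserved TLD.
SAMPLE_DNS = {
    "example-strong.test": {
        "txt": ["v=spf1 include:_spf.mail.test -all"],
        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-strong.test; pct=100"],
        "_mta-sts": ["v=STSv1; id=20240101T000000"],
    },
    "example-weak.test": {
        "txt": ["v=spf1 include:_spf.mail.test ~all"],
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test"],
        "_mta-sts": [],
    },
    "example-missing.test": {
        "txt": ["some-verification-token=abc"],
        "_dmarc": [],
        "_mta-sts": [],
    },
}


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' tag-value record (DMARC/MTA-STS style) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(records: list) -> dict:
    """Return the enforcement policy and findings for the _dmarc TXT record set."""
    dmarc = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return {"policy": None, "findings": ["DMARC record missing"]}
    if len(dmarc) > 1:
        # RFC 7489: receivers treat more than one record as no record at all.
        return {"policy": None, "findings": ["multiple DMARC records (receivers ignore all)"]}
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    findings = []
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy invalid or absent: {policy!r}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return {"policy": policy or None, "findings": findings}


def assess_spf(records: list) -> dict:
    """Return the 'all' qualifier and findings for the apex TXT record set."""
    spf = [r for r in records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return {"qualifier": None, "findings": ["SPF record missing"]}
    if len(spf) > 1:
        return {"qualifier": None, "findings": ["multiple SPF records (permerror)"]}
    m = re.search(r"([-~+?])all\b", spf[0].lower())
    qualifier = m.group(1) if m else None
    findings = []
    if qualifier in (None, "+", "?"):
        findings.append("SPF does not end in -all or ~all: any sender passes")
    elif qualifier == "~":
        findings.append("SPF softfail (~all): failures are only marked, not rejected")
    return {"qualifier": qualifier, "findings": findings}


def assess_mta_sts(records: list) -> list:
    """Flag the absence of an MTA-STS TXT record (RFC 8461)."""
    sts = [r for r in records if r.strip().lower().startswith("v=stsv1")]
    if not sts:
        return ["MTA-STS not published: inbound TLS can be downgraded"]
    return []


def assess_domain(domain: str, dns: dict = SAMPLE_DNS) -> dict:
    """Combine the three checks into one per-domain result."""
    zone = dns[domain]
    dmarc = assess_dmarc(zone["_dmarc"])
    spf = assess_spf(zone["txt"])
    findings = dmarc["findings"] + spf["findings"] + assess_mta_sts(zone["_mta-sts"])
    return {"domain": domain, "dmarc_policy": dmarc["policy"],
            "spf_qualifier": spf["qualifier"], "findings": findings}


if __name__ == "__main__":
    for d in SAMPLE_DNS:
        r = assess_domain(d)
        print(f"{d}: dmarc={r['dmarc_policy']} spf={r['spf_qualifier']}")
        for f in r["findings"]:
            print("  -", f)
```

Only the `_dmarc` record's `p=` tag decides whether spoofed mail is rejected; SPF and DKIM results feed into that decision, so a domain with `-all` SPF but `p=none` DMARC still delivers forged messages.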
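The HSTS and disclosure-policy checks in the list above can likewise be evaluated from captured responses. This is an added example, not the page's or the vendor's own code: it assesses a Strict-Transport-Security header value and a security.txt body (RFC 9116 field names) and lists what a gap assessment would flag. The hosts, header values and file contents are constructed; a real scan would fetch them from the target's HTTPS root and /.well-known/security.txt.

```python
"""Added example: evaluate two externally visible web-facing controls offline:
the Strict-Transport-Security header and a security.txt file (RFC 9116)."""
from datetime import datetime, timezone

ONE_YEAR = 31536000  # seconds; the commonly recommended minimum HSTS max-age

# Constructed samples of what a passive fetch of the two endpoints might return.
SAMPLE_HSTS = {
    "site-good.test": "max-age=63072000; includeSubDomains; preload",
    "site-short.test": "max-age=300",
    "site-none.test": None,
}
SAMPLE_SECURITY_TXT = {
    "site-good.test": (
        "Contact: mailto:security@site-good.test\n"
        "Expires: 2099-01-01T00:00:00Z\n"
        "Policy: https://site-good.test/disclosure\n"
    ),
    "site-short.test": "Contact: mailto:security@site-short.test\nExpires: 2020-01-01T00:00:00Z\n",
    "site-none.test": None,
}


def assess_hsts(header):
    """Return findings for a Strict-Transport-Security header value (None = absent)."""
    if header is None:
        return ["HSTS header absent: first request can be downgraded to HTTP"]
    directives = {}
    for d in header.split(";"):
        d = d.strip().lower()
        if not d:
            continue
        k, _, v = d.partition("=")
        directives[k.strip()] = v.strip()
    findings = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("HSTS max-age missing or invalid: header is ignored")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"HSTS max-age={max_age} is below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings


def parse_security_txt(body):
    """Parse security.txt fields (case-insensitive names) into a dict of lists."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def assess_security_txt(body, now=None):
    """Check the required Contact and Expires fields and the optional Policy link."""
    if body is None:
        return ["security.txt absent: no published vulnerability-reporting channel"]
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(body)
    findings = []
    if not fields.get("contact"):
        findings.append("security.txt has no Contact field (required)")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("security.txt must have exactly one Expires field")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp <= now:
                findings.append(f"security.txt expired on {expires[0]}")
        except ValueError:
            findings.append("security.txt Expires is not an RFC 3339 timestamp")
    if not fields.get("policy"):
        findings.append("no Policy link: disclosure terms are not published")
    return findings


def assess_site(host, hsts=SAMPLE_HSTS, sec=SAMPLE_SECURITY_TXT, now=None):
    """Combine both checks for one host."""
    return {"host": host,
            "hsts": assess_hsts(hsts[host]),
            "security_txt": assess_security_txt(sec[host], now)}


if __name__ == "__main__":
    for h in SAMPLE_HSTS:
        r = assess_site(h)
        print(h)
        for f in r["hsts"] + r["security_txt"]:
            print("  -", f)
```

An expired security.txt is a common quiet failure: the file was published once, the Expires date passed, and reporters following RFC 9116 are told to treat it as stale.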
A passive exposure scan is the fastest way to identify which Art 21(2) controls have externally visible failures. Our T1 report includes a compliance mapping table showing which NIS2 articles each finding implicates, with specific remediation steps for each. This gives you a defensible gap assessment before a C3PAO or notified body engagement.
Check your NIS2 external exposure
Our passive scan covers TLS configuration, email security (DMARC/DKIM/SPF), exposed management interfaces, VPN CVEs, and credential breach data — with explicit mapping to NIS2 Art 21(2) controls. 48-hour delivery, no system access required.