NIS 2: cybersecurity for organizations that didn't sign up
The EU NIS 2 directive (Directive (EU) 2022/2555) replaced the original NIS directive in October 2024. Member states had to transpose it into national law by 2024-10-17. France (LOI n° 2025-XXX), Germany (NIS2UmsuCG), Italy, Spain: most of the EU has now codified it. Enforcement powers are real, including fines of up to €10M or 2% of global turnover for non-compliance by essential entities (the "Critical" sectors below) and €7M / 1.4% for important entities.
Most affected mid-market companies still don't realise they're in scope. If you operate in any of the 18 sectors grouped below at medium-or-larger size (50+ headcount AND €10M+ turnover, or any size for some sectors), NIS 2 applies to you.
Are you in scope?
| Sector group | Examples | Critical/Important |
|---|---|---|
| Energy | Power, gas, oil, district heating | Critical |
| Transport | Air, rail, water, road | Critical |
| Banking, financial markets | Banks, exchanges | Critical |
| Health | Hospitals, labs, devices | Critical |
| Water | Drinking + waste | Critical |
| Digital infrastructure | DNS, TLD registries, cloud, CDN, data centers, B2B IXPs | Critical |
| Public administration | Government bodies | Critical (often) |
| Postal/courier | EU national post + DHL, UPS, etc. | Important |
| Waste management | Industrial | Important |
| Chemicals | Production / distribution | Important |
| Food | Production + distribution chains | Important |
| Manufacturing | Medical devices, computers, electrical equipment, vehicles | Important |
| Digital providers | Online marketplaces, search engines, social platforms | Important |
| Research | Research orgs (incl. universities under some interpretations) | Important |
Notable: cloud providers, CDNs, B2B IT services, and SaaS that operate in any of the above sectors are pulled into scope as supply-chain dependencies.
What you must do
NIS 2 has 10 mandatory measures (Article 21). The web/email-relevant ones:
- Risk analysis + ISMS — formal documented process. Most orgs have an ad-hoc one; document it.
- Incident handling — written procedures + escalation chain. 24h initial notification, 72h details, 1 month final report to your national CSIRT.
- Business continuity + crisis management — backups, restoration tests, alternative comms.
- Supply chain security — assess third-party risks. SaaS vendors used internally now need to be vetted.
- Network and information system security — patching, monitoring, segmentation. THIS is where domain scanning fits.
- Vulnerability disclosure policy — must accept and handle external reports: security.txt + bug bounty.
- Cryptography policies — define what's strong, when to rotate.
- Personnel security — onboarding, offboarding, training.
- Access control — MFA mandatory for admin, least-privilege.
- Asset management — keep an inventory.
Reporting obligations (the part that scares people)
A "significant incident" — defined as one that "causes severe operational disruption or financial loss" — triggers reporting:
- Within 24 hours: an early warning to your national CSIRT.
- Within 72 hours: an incident notification with initial assessment.
- Within 1 month: a final report.
"Significant" is intentionally subjective; competent authorities adjudicate. In practice, a ransomware event, a customer data breach, or an extended outage of a critical service counts.
Where domain scanning fits
NIS 2 doesn't say "use a domain scanner". But it requires:
- A vulnerability management process (Art. 21.2.f) — domain-level findings are part of this.
- Regular testing of effectiveness of measures (21.2.j) — quarterly external scans plug into this.
- Cybersecurity training (21.2.g) — your team should be reading findings, not just dashboard scores.
A regular external attack-surface assessment, with documentation showing the findings triaged and remediated, is the most direct evidence you can show an auditor under Art. 21.
Penalties
For "essential entities" (critical sector + medium-or-larger):
- Up to €10M or 2% of total global annual turnover (whichever is higher).
- Suspension of executives' management responsibilities.
- Public naming.
For "important entities":
- Up to €7M or 1.4% of global turnover.
Per-state implementations vary; check your transposition law.
How UnveilScan helps
Our Extended scan generates a JSON export with NIS 2 mappings on every finding. We map TLS, DMARC, CSP and leak findings to the relevant NIS 2 articles and national implementations (France and Germany so far; Italy and Spain in development). The CISO can drop the export into the audit deliverables.
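As an added example (written for this article, not UnveilScan's scanner or its export format), the following Python turns one external check, a domain's DMARC record, into the kind of dated evidence record the two sections above describe: the finding, its severity, the NIS 2 measure it maps to, and a remediation status. The DMARC record is constructed, `NIS2_MAPPING` follows the article references this page uses and is an assumption to adapt to your transposition law, and `example.invalid` is a placeholder; the same record shape extends to TLS and CSP checks.

```python
"""Added example: turn a DMARC check into a NIS 2 evidence record.

Illustrative code for this article, not UnveilScan's scanner or export.
NIS2_MAPPING follows the article references used on the page and is an
assumption; SAMPLE_DMARC is constructed, not looked up from a real domain.
"""
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: a monitor-only DMARC record, as many domains publish.
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid; pct=100"

# Assumed mapping from finding type to the NIS 2 measure this page cites for
# vulnerability management. Adjust to your auditor's checklist.
NIS2_MAPPING = {
    "dmarc-missing": {"article": "Art. 21.2.f", "measure": "vulnerability management"},
    "dmarc-policy-weak": {"article": "Art. 21.2.f", "measure": "vulnerability management"},
}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict; {} if this is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # tolerate a trailing ';' and junk segments
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def make_finding(domain: str, ftype: str, detail: str, severity: str) -> dict:
    """Build one finding with its NIS 2 mapping and an open remediation status."""
    return {
        "domain": domain,
        "type": ftype,
        "severity": severity,
        "detail": detail,
        "nis2": NIS2_MAPPING[ftype],
        "status": "open",
    }


def assess_dmarc(domain: str, record: Optional[str]) -> Optional[dict]:
    """Return a finding if the domain's DMARC posture is weak, else None."""
    if record is None:
        return make_finding(domain, "dmarc-missing", "no DMARC TXT record published", "high")
    tags = parse_dmarc(record)
    if not tags:
        return make_finding(domain, "dmarc-missing", "TXT record is not a valid DMARC record", "high")
    policy = tags.get("p", "none").lower()
    if policy == "none":
        return make_finding(domain, "dmarc-policy-weak",
                            "policy is p=none (monitor only); receivers take no action on failures",
                            "medium")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # unparsable pct: treat the policy as not enforced
    if pct < 100:
        return make_finding(domain, "dmarc-policy-weak",
                            f"policy p={policy} applies to only {pct}% of mail", "low")
    return None


def build_evidence(domain: str, record: Optional[str],
                   checked_at: Optional[datetime] = None) -> dict:
    """One dated evidence record: what was checked, what was found, the result."""
    checked_at = checked_at or datetime.now(timezone.utc)
    finding = assess_dmarc(domain, record)
    return {
        "domain": domain,
        "check": "dmarc",
        "checked_at": checked_at.isoformat(),
        "findings": [finding] if finding else [],
        "result": "fail" if finding else "pass",
    }


if __name__ == "__main__":
    when = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)  # fixed for reproducible output
    before = build_evidence("example.invalid", SAMPLE_DMARC, when)
    fixed = "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid"
    after = build_evidence("example.invalid", fixed, when)
    print(json.dumps({"before": before, "after_remediation": after}, indent=2))
```

Run stand-alone it prints a before/after pair: the monitor-only record produces an open medium finding, and the same domain re-checked after moving to `p=reject` passes with no findings. Keeping both dated records is the "triaged and remediated" trail the text describes; the second record is what closes the finding for an auditor.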
Build your NIS 2 evidence trail
Extended scan + JSON export with NIS 2 mappings. Schedule monthly for continuous evidence.
See pricing