The NIS2 Directive (transposed into national law by October 2024) significantly expands the scope of cybersecurity obligations across EU member states. KENSAI helps essential and important entities meet NIS2 Article 21 requirements with continuous vulnerability assessment.
Start NIS2 Assessment → Book a DemoNIS2 dramatically expands the scope of NIS1, now covering two entity categories:
| Category | Sectors | Supervision |
|---|---|---|
| Essential Entities | Energy, transport, banking, financial market infrastructure, health, water, digital infrastructure, ICT service management, public administration, space | Proactive supervision; mandatory audits |
| Important Entities | Postal services, waste management, chemicals, food, manufacturing, digital providers, research | Reactive supervision; investigation-triggered |
Size thresholds: Generally applies to medium+ sized entities (≥50 employees or ≥€10M turnover). Some sectors (critical infrastructure) have no size threshold.
Article 21 requires "appropriate and proportionate technical, operational and organisational measures." Key requirements relevant to vulnerability management:
Policies for risk analysis including systematic identification of vulnerabilities in systems used for essential service delivery.
Security measures throughout the system lifecycle, including vulnerability management and disclosure policies.
Organizations must have procedures to assess the effectiveness of cybersecurity risk management measures. Security testing is the primary technical mechanism.
Security measures addressing supply chain vulnerabilities, including assessing security practices of direct suppliers and service providers.
Essential entities face maximum fines of €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. Important entities face €7,000,000 or 1.4% of global turnover. NIS2 also introduces personal liability for management — senior executives can be held personally liable for negligence leading to NIS2 violations.
The European Union Agency for Cybersecurity (ENISA) has published implementation guidance clarifying NIS2 technical requirements. Vulnerability management expectations include:
Automatically discovers and inventories all ICT assets involved in essential service delivery — the foundation for NIS2 compliance.
Configure scanning frequency and depth proportionate to asset criticality — essential service systems get more frequent, deeper testing.
External attack surface management for ICT suppliers meets NIS2 Article 21(2)(h) supply chain security requirements.
NIS2 holds management personally liable — KENSAI provides executive dashboards for board-level visibility into vulnerability risk.
Generate audit-ready documentation for national competent authority inspection — scan history, remediation records, and policy evidence.
Link vulnerabilities to the 24-hour incident notification requirement — know immediately when a vulnerability is under active exploitation.
| Aspect | NIS1 (2016) | NIS2 (2022) |
|---|---|---|
| Scope | Operators of Essential Services only | Essential + Important entities (10x more organizations) |
| Security measures | Vague "appropriate measures" | Specific 10-point security measure list |
| Supervision | Light-touch national approaches | Harmonized EU-wide proactive supervision |
| Fines | Varied by member state | Harmonized maximums (€10M / 2% turnover) |
| Management liability | Not specified | Personal liability for executives |
| Supply chain | Not required | Explicitly required |
With management personal liability and fines up to 2% of global turnover, NIS2 compliance is a board-level issue. KENSAI provides the automated vulnerability management and documentation needed to demonstrate NIS2 compliance to national competent authorities.
Start NIS2 Compliance → Talk to a NIS2 Expert