NIS2 Directive (EU) 2022/2555

NIS2 Compliance Security Assessment for EU Organizations

The NIS2 Directive (transposed into national law by October 2024) significantly expands the scope of cybersecurity obligations across EU member states. KENSAI helps essential and important entities meet NIS2 Article 21 requirements with continuous vulnerability assessment.

Start NIS2 Assessment → Book a Demo

Who Is Subject to NIS2?

NIS2 dramatically expands the scope of NIS1, now covering two entity categories:

CategorySectorsSupervision
Essential EntitiesEnergy, transport, banking, financial market infrastructure, health, water, digital infrastructure, ICT service management, public administration, spaceProactive supervision; mandatory audits
Important EntitiesPostal services, waste management, chemicals, food, manufacturing, digital providers, researchReactive supervision; investigation-triggered

Size thresholds: Generally applies to medium+ sized entities (≥50 employees or ≥€10M turnover). Some sectors (critical infrastructure) have no size threshold.

NIS2 Article 21: Cybersecurity Risk Management Measures

Article 21 requires "appropriate and proportionate technical, operational and organisational measures." Key requirements relevant to vulnerability management:

Article 21(2)(a) — Risk Analysis and Information Security Policies

Policies for risk analysis including systematic identification of vulnerabilities in systems used for essential service delivery.

Article 21(2)(e) — Security in Acquisition, Development, and Maintenance

Security measures throughout the system lifecycle, including vulnerability management and disclosure policies.

Article 21(2)(f) — Policies and Procedures to Assess Effectiveness

Organizations must have procedures to assess the effectiveness of cybersecurity risk management measures. Security testing is the primary technical mechanism.

Article 21(2)(h) — Supply Chain Security

Security measures addressing supply chain vulnerabilities, including assessing security practices of direct suppliers and service providers.

🚨 NIS2 Fines: Up to €10 Million or 2% Global Turnover

Essential entities face maximum fines of €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. Important entities face €7,000,000 or 1.4% of global turnover. NIS2 also introduces personal liability for management — senior executives can be held personally liable for negligence leading to NIS2 violations.

NIS2 Vulnerability Management Requirements

The European Union Agency for Cybersecurity (ENISA) has published implementation guidance clarifying NIS2 technical requirements. Vulnerability management expectations include:

How KENSAI Supports NIS2 Compliance

✓ Essential Service Asset Discovery

Automatically discovers and inventories all ICT assets involved in essential service delivery — the foundation for NIS2 compliance.

✓ Proportionate Risk Scanning

Configure scanning frequency and depth proportionate to asset criticality — essential service systems get more frequent, deeper testing.

✓ Supply Chain Assessment

External attack surface management for ICT suppliers meets NIS2 Article 21(2)(h) supply chain security requirements.

✓ Management Reporting

NIS2 holds management personally liable — KENSAI provides executive dashboards for board-level visibility into vulnerability risk.

✓ NIS2 Evidence Package

Generate audit-ready documentation for national competent authority inspection — scan history, remediation records, and policy evidence.

✓ Incident Correlation

Link vulnerabilities to the 24-hour incident notification requirement — know immediately when a vulnerability is under active exploitation.

NIS2 vs NIS1: What's Changed for Security Testing

AspectNIS1 (2016)NIS2 (2022)
ScopeOperators of Essential Services onlyEssential + Important entities (10x more organizations)
Security measuresVague "appropriate measures"Specific 10-point security measure list
SupervisionLight-touch national approachesHarmonized EU-wide proactive supervision
FinesVaried by member stateHarmonized maximums (€10M / 2% turnover)
Management liabilityNot specifiedPersonal liability for executives
Supply chainNot requiredExplicitly required

Meet NIS2 Cybersecurity Requirements with KENSAI

With management personal liability and fines up to 2% of global turnover, NIS2 compliance is a board-level issue. KENSAI provides the automated vulnerability management and documentation needed to demonstrate NIS2 compliance to national competent authorities.

Start NIS2 Compliance → Talk to a NIS2 Expert

Related Articles

Smart Slider WordPress CVEが50万サイトに影響、Coruna iOSエクスプロイトキットがOperation Triangulatio Startup SOC2 Type II Automated Security Testing Security Platform Enterprise DORA Digital Operational Resilience Testing Security Platform