NIS2 Compliance: Vulnerability Management and Attack Surface Monitoring

What is NIS2?

The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's updated cybersecurity legislation. It replaces the original NIS Directive from 2016, significantly expanding the scope and strengthening the requirements for cybersecurity risk management across the EU.

NIS2 entered into force on 16 January 2023, and EU member states were required to transpose it into national law by 17 October 2024. Enforcement timelines vary by country, but organisations in scope should already be working toward compliance.

Who does NIS2 apply to?

NIS2 divides organisations into two categories:

Essential entities

These are organisations in sectors considered critical to society:

Energy (electricity, oil, gas, hydrogen, district heating)
Transport (air, rail, water, road)
Banking and financial market infrastructure
Health (hospitals, labs, pharma, medical device manufacturers)
Drinking water and wastewater
Digital infrastructure (DNS, TLD registries, cloud providers, data centres, CDNs)
ICT service management (managed service providers, managed security service providers)
Public administration
Space

Important entities

These are organisations in sectors that are important but not as critical:

Postal and courier services
Waste management
Chemical manufacturing and distribution
Food production and distribution
Manufacturing (medical devices, electronics, machinery, motor vehicles)
Digital providers (online marketplaces, search engines, social networks)
Research organisations

Size thresholds

NIS2 generally applies to organisations with:

50 or more employees, OR
Annual turnover or balance sheet exceeding EUR 10 million

However, certain entities are in scope regardless of size -- including DNS providers, TLD registries, and entities identified as critical by member states.

Article 21: Risk management requirements

Article 21 is the heart of NIS2 from a technical compliance perspective. It requires essential and important entities to take "appropriate and proportionate technical, operational and organisational measures" to manage cybersecurity risks.

The specific measures listed in Article 21(2) include:

Risk analysis and information system security policies
Incident handling
Business continuity and crisis management
Supply chain security
Security in network and information systems acquisition, development, and maintenance -- including vulnerability handling and disclosure
Policies and procedures to assess the effectiveness of cybersecurity risk management measures
Basic cyber hygiene practices and cybersecurity training
Policies on the use of cryptography and encryption
Human resources security and access control policies
The use of multi-factor authentication, secured communications, and secured emergency communication systems

Items 5 and 6 are directly related to vulnerability scanning and attack surface monitoring.

How attack surface monitoring maps to NIS2 obligations

Vulnerability handling (Article 21(2)(e))

NIS2 requires you to have processes for identifying and addressing vulnerabilities in your systems. This maps directly to:

Continuous vulnerability scanning of internet-facing assets
Timely remediation of discovered vulnerabilities
Patch management processes
Configuration monitoring to detect drift from secure baselines

An exposed database port, a weak TLS configuration, or a missing security header are all vulnerabilities that NIS2 expects you to find and fix.

Effectiveness assessment (Article 21(2)(f))

NIS2 requires you to assess whether your security measures are actually working. Attack surface monitoring provides this by:

Verifying that firewalls are blocking what they should
Confirming that decommissioned services are truly offline
Detecting new services that appear without authorisation
Measuring improvement over time with historical data

Supply chain security (Article 21(2)(d))

Your attack surface is not just your own infrastructure. NIS2 requires you to consider supply chain risks. Monitoring the external attack surface of critical suppliers -- or at least verifying they meet basic security hygiene -- supports this requirement.

Cryptography and encryption (Article 21(2)(h))

Monitoring TLS configurations, cipher suites, and certificate health directly supports this requirement. See our guide on expired TLS certificates for the practical side.

Timeline and enforcement

Date	Milestone
16 January 2023	NIS2 entered into force
17 October 2024	Deadline for member state transposition
17 April 2025	Member states must establish list of essential and important entities
Ongoing	Supervision and enforcement by national authorities

Penalties

NIS2 introduces significant penalties:

Essential entities: up to EUR 10 million or 2% of global annual turnover (whichever is higher)
Important entities: up to EUR 7 million or 1.4% of global annual turnover (whichever is higher)

Additionally, NIS2 introduces management liability -- senior management can be held personally responsible for compliance failures.

Practical steps for compliance

1. Determine if you are in scope

Check whether your organisation falls into the essential or important entity categories and meets the size thresholds. If you operate in the EU or provide services to EU entities, NIS2 likely applies to you.

2. Conduct a gap analysis

Compare your current security posture against the Article 21 requirements. Common gaps include:

No external vulnerability scanning or attack surface monitoring
Inconsistent patch management
No formal incident response process
Lack of supply chain security assessment
Missing or incomplete risk analysis documentation

3. Implement attack surface monitoring

Deploy continuous monitoring of your external-facing infrastructure. This should cover:

All domains and subdomains
All public IP ranges
TLS certificate health and configuration
Open ports and exposed services
DNS record integrity
Email authentication (SPF, DKIM, DMARC)
Known vulnerabilities (CVEs)

4. Establish a vulnerability management process

Define and document your process for:

Discovery (how you find vulnerabilities)
Classification (how you prioritise them)
Remediation (who fixes them and how fast)
Verification (how you confirm the fix)
Reporting (how results reach management)

If you are also pursuing ISO 27001 certification, this process can serve both frameworks.

5. Document everything

NIS2 supervision will be evidence-based. Maintain records of:

Scan schedules and results
Remediation timelines and outcomes
Risk assessments and treatment decisions
Management review of security posture
Incident reports and lessons learned

6. Report incidents

NIS2 requires essential and important entities to report significant cybersecurity incidents to their national CSIRT (Computer Security Incident Response Team) within strict timelines:

Early warning within 24 hours of becoming aware of an incident
Incident notification within 72 hours with initial assessment
Final report within one month with detailed analysis and lessons learned

7. Engage management

NIS2 explicitly requires management bodies to approve cybersecurity measures and to undergo cybersecurity training. Make sure your board or executive team is involved in, and informed about, your security posture.

How SurfaceScan helps

SurfaceScan provides the continuous attack surface monitoring that NIS2 Article 21 requires. It discovers your full external footprint -- domains, subdomains, IPs, and cloud assets -- and scans for vulnerabilities including open ports, weak TLS, missing email authentication, and known CVEs. Scheduled scans with historical data retention give you the evidence trail needed for NIS2 supervision. The dashboard provides management-level visibility into your security posture, and exportable reports support your documentation obligations. For organisations that also need ISO 27001 compliance, SurfaceScan findings map directly to the evidence auditors expect.