How Scrutex Supports NIS2 Directive Compliance

Executive Summary

NIS2 significantly expands the scope of EU cybersecurity regulation, covering more sectors and entities, introducing prescriptive security requirements, stronger enforcement with fines up to 10 million euros or 2% of turnover, and personal liability for management bodies. Scrutex supports NIS2 compliance across supply chain security, vulnerability management, incident detection, threat intelligence, and governance reporting.

About NIS2 Directive

NIS2 replaces the original 2016 NIS Directive with significantly expanded scope, prescriptive security measures, and enforcement teeth. It distinguishes between essential and important entities, with essential entities subject to more rigorous supervision. Article 21 mandates risk-based cybersecurity measures including supply chain security, vulnerability handling, and incident management. Article 23 requires incident reporting within 24 hours (early warning) and 72 hours (detailed notification). Penalties reach 10 million euros or 2% of turnover for essential entities.

Geographic and Sector Applicability

NIS2 covers medium and large entities across sectors listed in its annexes. The scope is significantly broader than NIS1, bringing many mid-market companies under cybersecurity regulation for the first time. The directive's size-based threshold and broad sector coverage mean that organisations across energy, transport, banking, health, digital infrastructure, manufacturing, food, chemicals, and digital services are now in scope.

Who Should Care

Management Body (Board)

Article 20 requires management bodies to approve cybersecurity risk management measures. Personal liability applies for failure to fulfil this obligation.

CISO

Responsible for implementing Article 21 security measures and Article 23 incident reporting.

Procurement / Supply Chain

Article 21(2)(d) explicitly addresses supply chain security as a mandatory measure.

Legal

Must navigate national transposition differences and cross-border incident reporting requirements.

Key Risks of Non-Compliance

  • Fines up to 10 million euros or 2% of global turnover for essential entities.
  • Fines up to 7 million euros or 1.4% of turnover for important entities.
  • Personal liability for management body members.
  • Supervisory measures including suspension of business activities.
  • Public disclosure of enforcement actions.

Common Compliance Gaps

No Supply Chain Security Programme

Article 21(2)(d) explicitly requires supply chain security measures. Many organisations have no structured programme for assessing and monitoring supplier cybersecurity.

Insufficient Incident Detection

The 24-hour early warning requirement demands rapid detection capability. Organisations relying solely on internal monitoring can miss external indicators of compromise, such as leaked credentials or data exposed outside their own systems.

Undocumented Vulnerability Handling

Article 21(2)(e) requires vulnerability handling and disclosure processes. Many organisations lack documented vulnerability management programmes, particularly for external-facing systems.

How Scrutex Supports NIS2 Directive Compliance

Scrutex capabilities mapped to NIS2 Directive requirements.

Vulnerability Management

Article 21(2)(e) requires vulnerability handling and disclosure processes. Scrutex provides continuous external vulnerability assessment, identifying weaknesses in internet-facing systems and supporting the documented vulnerability management programme that NIS2 demands.

Scrutex Capabilities

  • Continuous vulnerability assessment
  • External asset discovery
  • Configuration monitoring

Requirements Addressed

  • Article 21(2)(a): Risk analysis
  • Article 21(2)(e): Vulnerability handling

Incident Detection

NIS2's incident reporting (Article 23) requires a 24-hour early warning followed by a 72-hour detailed notification. Scrutex provides early detection through monitoring of breached credentials, the dark web, paste sites, Telegram, and breach databases, enabling faster identification of incidents.

Scrutex Capabilities

  • Breached credential monitoring
  • Dark web surveillance
  • Telegram monitoring
  • Open cloud bucket scanning
  • VIP monitoring

Requirements Addressed

  • Article 23: Incident reporting
  • Article 21(2)(b): Incident handling

Supply Chain Security

Article 21(2)(d) explicitly requires supply chain security measures. Scrutex enables continuous external monitoring of supplier and service provider security posture, providing the ongoing supply chain risk management that NIS2 mandates.

Scrutex Capabilities

  • Continuous supplier assessment
  • Supply chain risk scoring
  • Automated vendor alerting

Requirements Addressed

  • Article 21(2)(d): Supply chain security

Threat Intelligence

Understanding the threat landscape helps entities prioritise their security measures. Scrutex provides IOC feeds, ransomware intelligence, threat actor tracking, and campaign monitoring relevant to the entity's sector.

Scrutex Capabilities

  • IOC collection
  • Ransomware intelligence
  • Threat actor tracking
  • CVE repository
  • Hacktivism monitoring

Requirements Addressed

  • Article 21(2)(a): Risk analysis (threat-informed)

Compliance Reporting

NIS2 requires governance documentation and management body approval of security measures. Scrutex supports these requirements with structured, compliance-aligned reporting.

Scrutex Capabilities

  • NIS2-aligned compliance reports
  • Management body reporting
  • Incident reporting evidence

Requirements Addressed

  • Article 20: Governance obligations
  • Article 21: Documentation

Quick-Start Compliance Checklist

1. Run external discovery to identify internet-facing assets in scope.
2. Onboard critical suppliers into Vendor Insights for Article 21(2)(d).
3. Activate Data Exposure Insights for early incident detection.
4. Enable Threat Insights for sector-specific intelligence.
5. Generate a compliance report for management body approval.

Summary

NIS2 represents a step change in European cybersecurity regulation, expanding scope, introducing prescriptive requirements, and creating meaningful enforcement. For many organisations, NIS2 compliance requires significant investment in continuous monitoring, supply chain oversight, and incident detection. Scrutex provides the continuous external visibility that NIS2 demands, helping essential and important entities manage their security posture, oversee supply chains, detect threats early, and maintain the governance documentation that supervisory authorities expect.

Related Regulations and Standards

DORA: Financial entities may be subject to both; DORA is lex specialis for finance.

GDPR: Data protection obligations apply alongside NIS2.

ISO 27001: ISO certification supports NIS2 compliance demonstration.

Ready to Strengthen Your Compliance Posture?

Book a personalised demonstration and receive a complimentary external exposure assessment.