NIS2
What it is — The Network and Information Security Directive 2 (NIS2) is an EU directive (Directive (EU) 2022/2555) that strengthens cybersecurity requirements for essential and important entities across the EU. It expands the scope of the original NIS Directive to cover more sectors and introduces stricter obligations for risk management, incident reporting, and supply chain security. Member states were required to transpose NIS2 into national law by 17 October 2024.
Appsec relevance — Article 21(2) specifies cybersecurity risk-management measures that entities must implement, several of which directly involve vulnerability management, security testing, and system monitoring — core DAST and ASM capabilities.
How Detectify Supports NIS2
| Requirement | What it requires | Detectify Capability | Coverage |
|---|---|---|---|
| Article 21(2)(e) — Vulnerability handling and disclosure | Ensure security in network and information system acquisition, development, and maintenance, including vulnerability handling and disclosure | Rapid test module generation via Alfred AI for newly disclosed CVEs, Crowdsource vulnerability modules, vulnerability reporting with severity scoring and historical tracking | Full |
| Article 21(2)(f) — Assessing effectiveness | Implement policies and procedures to assess the effectiveness of cybersecurity risk-management measures | Scheduled scanning with historical reports, OWASP Top 10 compliance view, and trend data demonstrate ongoing effectiveness assessment | Full |
| Article 21(2)(a) — Risk analysis | Implement risk analysis and information system security policies | Attack Surface Policies, CVSS risk scoring, and technology discovery support risk-based decision making | Partial |
| Article 21(2)(b) — Incident handling | Implement incident handling procedures | 24/7 Surface Monitoring with integrations (Slack, PagerDuty, Jira) enables alerting on newly discovered vulnerabilities, but does not provide incident management workflows | Partial |
| Article 21(2)(d) — Supply chain security | Address security-related aspects of relationships with direct suppliers and service providers | Technology discovery and third-party component vulnerability testing identify vulnerable components, but do not provide vendor risk management | Partial |
| Article 21(2)(e) — Security in acquisition, development, and maintenance | Ensure security in network and information system acquisition, development, and maintenance | Internal Scanning and API-triggered testing integrate into CI/CD pipelines; authenticated testing covers development and maintenance phases | Partial |
| Article 21(2)(g) — Cyber hygiene and training | Implement basic cyber hygiene practices and cybersecurity training | Port discovery, service fingerprinting, and exposed service detection via Surface Monitoring support cyber hygiene | Partial |
| Article 21(2)(h) — Cryptography and encryption | Implement policies and procedures regarding the use of cryptography and, where appropriate, encryption | TLS/SSL configuration testing and cryptographic misconfiguration detection (CWE-326, CWE-327) | Partial |
What Detectify Covers
Detectify directly addresses NIS2’s vulnerability handling (Article 21(2)(e)) and effectiveness assessment (Article 21(2)(f)) requirements. It provides partial support for risk analysis, incident detection, supply chain security, system security, and cryptography requirements through its scanning and monitoring capabilities.
NIS2’s governance, business continuity, training, and incident reporting requirements are outside DAST scope and require organizational processes and dedicated tools.
Complementary Tools You May Need
- Governance, risk, and compliance (GRC) platforms — For Article 20 governance and Article 21(2)(a) policy management
- Incident management and reporting — For Article 23 authority notification
- Business continuity / DR tools — For Article 21(2)(c) resilience planning
- Supply chain risk management — For comprehensive Article 21(2)(d) vendor assessment
- Security awareness training — For Article 21(2)(g) cyber hygiene and cybersecurity training
- Network security tools — For comprehensive Article 21(2)(h) network protection
- SAST — For code-level vulnerability analysis