NIS2 (Directive (EU) 2022/2555) has applied across EU member states since 18 October 2024, the deadline for transposing it into national law. It replaces the original NIS Directive with a significantly expanded scope, stricter security obligations and substantially higher penalties. Article 21 is where most security teams need to focus: it defines the minimum technical, operational and organisational measures that essential and important entities must implement.
Vulnerability management is not optional under NIS2: it is part of one of the ten mandatory measures listed in Article 21(2), points (a) to (j). This guide walks through what the regulation requires and how to demonstrate compliance to your national competent authority.
What Article 21 actually requires
Article 21(2)(e) of NIS2 requires organisations to address "security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure". In practice this breaks down into three obligations:
Systematic vulnerability identification
You must have a process that continuously discovers vulnerabilities across your network and information systems, not just a periodic scan. That presupposes an up-to-date asset inventory, because scan coverage can only be measured against a known set of assets.
Risk-based remediation with defined SLAs
Findings must be prioritised by risk and remediated within documented timeframes. "We will fix everything eventually" is not compliant. NIS2 itself sets no remediation deadlines, so you must define them: supervisors expect documented SLA tiers, for example critical findings within days and high findings within weeks, and evidence that the tiers are met.
Vulnerability disclosure process
Organisations must have a coordinated vulnerability disclosure (CVD) policy. This does not mean publishing every internal finding; it means a documented, contactable process through which external reporters can reach you and know what to expect.
Which organisations are in scope?
NIS2 covers two categories of entity, essential and important. Which one you fall into depends on your sector (Annex I or Annex II) and your size: as a rule, large entities in Annex I sectors are essential, while medium-sized Annex I entities and Annex II entities are important (Article 3). Both categories must comply with Article 21, but essential entities face stricter supervision: proactive (ex ante) audits and inspections, not only incident-triggered (ex post) ones.
Essential entities (Annex I sectors of high criticality)
- Energy (electricity, gas, oil)
- Transport (air, rail, road, water)
- Banking and financial market infrastructure
- Health (hospitals and healthcare providers, EU reference laboratories, pharmaceutical manufacture, manufacture of medical devices critical during a public health emergency)
- Drinking water and wastewater
- Digital infrastructure (IXPs, DNS providers, TLD registries, cloud, data centres, CDNs, trust service providers, public electronic communications networks and services)
- ICT service management, business-to-business (managed service providers and managed security service providers)
- Public administration (central government)
- Space
Important entities (Annex II other critical sectors)
- Postal and courier services
- Waste management
- Chemicals manufacture and distribution
- Food production and processing
- Manufacturing (medical devices and in vitro diagnostics, computer and electronic products, electrical equipment, machinery, motor vehicles and other transport equipment)
- Digital providers (online marketplaces, search, social)
- Research organisations
A practical implementation roadmap
Asset inventory and scan coverage
- Deploy or connect a vulnerability scanner to all in-scope systems
- Build an authoritative asset register with criticality ratings
- Map data flows to identify which assets process critical or personal data
Risk-based prioritisation framework
- Implement contextual risk scoring that goes beyond raw severity: asset criticality, network exposure, exploitability, threat-intelligence signals and how quickly the owning team can react (a rating model such as DREAD can structure this)
- Define remediation SLA tiers: critical (72 h), high (7 d), medium (30 d), low (90 d)
- Assign ownership: which team is accountable for remediation on each asset class?
Policy documentation and disclosure process
- Draft and publish a vulnerability management policy
- Create a coordinated vulnerability disclosure (CVD) policy and security.txt
- Document the escalation path from discovery to board-level reporting
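The security.txt file referenced above is the one machine-readable artefact in this step, so here is an added example, not from the original page or any vendor, that generates an RFC 9116 security.txt and checks the points an external reporter (or an auditor) would trip over: a Contact that is not a URI, a missing or stale Expires. The contact addresses, URLs and dates are constructed; CHECK_DATE stands in for "now" so the run is repeatable.

```python
"""Generate and sanity-check an RFC 9116 security.txt for the CVD contact point.

Added illustration for this page, not from the original text or any vendor.
Addresses, URLs and dates are constructed; CHECK_DATE stands in for "now"."""
import re
from datetime import datetime, timedelta, timezone

CHECK_DATE = datetime(2025, 3, 10, tzinfo=timezone.utc)
URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")   # RFC 3986 scheme prefix


def build_security_txt(contact: str, policy_url: str, canonical_url: str,
                       expires: datetime) -> str:
    """RFC 9116 requires at least one Contact and exactly one Expires (RFC 3339 time)."""
    lines = [
        "# Served at https://<host>/.well-known/security.txt",
        f"Contact: {contact}",
        f"Expires: {expires.strftime('%Y-%m-%dT%H:%M:%S.000Z')}",
        f"Policy: {policy_url}",          # where the CVD policy itself is published
        f"Canonical: {canonical_url}",
        "Preferred-Languages: en",
    ]
    return "\n".join(lines) + "\n"


def validate_security_txt(text: str, now: datetime = CHECK_DATE) -> list:
    """Return the list of problems; an empty list means the must-haves are met."""
    fields, problems = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # blank lines and comments are allowed
        name, sep, value = line.partition(":")
        if not sep:
            problems.append(f"not a field: {line!r}")
            continue
        fields.append((name.strip().lower(), value.strip()))   # field names are case-insensitive

    contacts = [v for n, v in fields if n == "contact"]
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        if not URI_SCHEME.match(c):
            problems.append(f"Contact must be a URI (mailto:, https:, tel:), got {c!r}")

    expires = [v for n, v in fields if n == "expires"]
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]!r}")
        else:
            if exp <= now:
                problems.append("Expires is in the past; the file is stale")
            elif exp > now + timedelta(days=365):
                problems.append("Expires is more than a year out; RFC 9116 recommends less")

    if sum(1 for n, _ in fields if n == "preferred-languages") > 1:
        problems.append("Preferred-Languages must not appear more than once")
    return problems


GOOD_SECURITY_TXT = build_security_txt(
    "mailto:security@example.com",
    "https://example.com/.well-known/cvd-policy",
    "https://example.com/.well-known/security.txt",
    CHECK_DATE + timedelta(days=180),
)

# Constructed weak file: a bare e-mail address instead of a URI, and no Expires at all.
WEAK_SECURITY_TXT = "Contact: security@example.com\nPolicy: https://example.com/cvd\n"

if __name__ == "__main__":
    print(GOOD_SECURITY_TXT)
    print("good:", validate_security_txt(GOOD_SECURITY_TXT))
    print("weak:", validate_security_txt(WEAK_SECURITY_TXT))
```

Run the validator against the file you actually serve at /.well-known/security.txt on a schedule; an expired file is the most common way a published disclosure channel silently stops being one.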
Evidence and audit readiness
- Configure automated compliance reports (scan dates, remediation rates, SLA adherence)
- Retain vulnerability scan data and remediation evidence for at least 2 years (NIS2 sets no fixed retention period; treat this as a baseline and check your national transposition)
- Schedule quarterly reviews and annual gap assessments
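The prioritisation framework and the evidence step above are two halves of one mechanism: a contextual tier decides the SLA, and the SLA decides what the report has to show. As an added example that is not Centraleyezer code or anything from the original page, the following Python models both: it tiers constructed sample findings from CVSS plus exposure, asset criticality and an exploited-in-the-wild flag, derives the 72 h / 7 d / 30 d / 90 d due dates from the roadmap, and produces the closed-loop status and SLA-adherence figures an auditor asks for. The weighting rules, asset names and dates are assumptions chosen for illustration.

```python
"""Contextual risk tiers, SLA due dates and closed-loop evidence for a vulnerability programme.

Added illustration for this page, not Centraleyezer code. Findings, asset names and
weighting rules are constructed; the tiers follow the roadmap (72 h / 7 d / 30 d / 90 d)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Remediation SLA per tier: time allowed from discovery to verified fix.
SLA = {
    "critical": timedelta(hours=72),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
    "low": timedelta(days=90),
}


@dataclass
class Finding:
    finding_id: str
    asset: str
    cvss: float                 # raw base severity as reported by the scanner
    asset_criticality: int      # 1 (low) to 3 (crown jewel), from the asset register
    internet_exposed: bool      # reachable from outside the perimeter
    known_exploited: bool       # CTI signal: exploitation observed in the wild
    discovered: datetime
    remediated: Optional[datetime] = None
    verified: Optional[datetime] = None       # rescan confirmed the fix
    risk_accepted_by: Optional[str] = None    # owner and justification if deliberately not fixed


def contextual_score(f: Finding) -> float:
    """Start from CVSS, then adjust for exposure, asset criticality and exploitation."""
    score = f.cvss
    score += 1.5 if f.internet_exposed else -1.0   # internal-only findings are demoted
    if f.known_exploited:
        score += 2.0
    score += 0.5 * (f.asset_criticality - 1)       # +0, +0.5 or +1.0
    return max(0.0, min(score, 10.0))


def risk_tier(f: Finding) -> str:
    s = contextual_score(f)
    if s >= 9.0:
        return "critical"
    if s >= 7.0:
        return "high"
    if s >= 4.0:
        return "medium"
    return "low"


def sla_status(f: Finding, now: datetime) -> str:
    """Closed-loop state: discovered -> assessed -> fixed or accepted -> verified."""
    if f.risk_accepted_by:
        return "risk_accepted"
    due = f.discovered + SLA[risk_tier(f)]
    if f.verified:
        return "closed_in_sla" if f.verified <= due else "closed_late"
    if f.remediated:
        return "awaiting_verification"     # fix claimed, not yet confirmed by rescan
    return "open_in_sla" if now <= due else "overdue"


def evidence_report(findings, now: datetime) -> dict:
    """What an auditor asks for: per-finding tier and status, overdue list, SLA adherence."""
    status = {f.finding_id: sla_status(f, now) for f in findings}
    closed = [s for s in status.values() if s in ("closed_in_sla", "closed_late")]
    in_sla = [s for s in closed if s == "closed_in_sla"]
    return {
        "total": len(findings),
        "tiers": {f.finding_id: risk_tier(f) for f in findings},
        "status": status,
        "overdue": [fid for fid, s in status.items() if s == "overdue"],
        "sla_adherence": (len(in_sla) / len(closed)) if closed else None,
    }


UTC = timezone.utc
NOW = datetime(2025, 3, 10, 12, 0, tzinfo=UTC)   # fixed "now" so the run is repeatable

# Constructed sample findings (not real assets or CVEs).
SAMPLE_FINDINGS = [
    Finding("VULN-001", "pay-gateway-01", 7.5, 3, True, True, datetime(2025, 3, 1, 12, 0, tzinfo=UTC),
            remediated=datetime(2025, 3, 2, 9, 0, tzinfo=UTC), verified=datetime(2025, 3, 3, 8, 0, tzinfo=UTC)),
    Finding("VULN-002", "hr-intranet", 9.1, 2, False, False, datetime(2025, 2, 20, 12, 0, tzinfo=UTC),
            remediated=datetime(2025, 3, 1, 17, 0, tzinfo=UTC), verified=datetime(2025, 3, 2, 10, 0, tzinfo=UTC)),
    Finding("VULN-003", "dev-jenkins", 5.3, 1, True, False, datetime(2025, 2, 1, 12, 0, tzinfo=UTC)),
    Finding("VULN-004", "legacy-plc-hmi", 6.5, 3, False, False, datetime(2025, 1, 15, 12, 0, tzinfo=UTC),
            risk_accepted_by="OT security lead: segmented network, review 2025-07"),
    Finding("VULN-005", "web-frontend", 4.3, 2, True, False, datetime(2025, 3, 8, 12, 0, tzinfo=UTC),
            remediated=datetime(2025, 3, 9, 15, 0, tzinfo=UTC)),
]

if __name__ == "__main__":
    import json
    print(json.dumps(evidence_report(SAMPLE_FINDINGS, NOW), indent=2))
```

Two things in the sample are worth noticing. VULN-002 has a CVSS of 9.1 but sits on an internal system with no known exploitation, so it lands in the high tier rather than critical; VULN-001 has a lower CVSS of 7.5 but is internet-exposed, actively exploited and on a crown-jewel asset, so it is critical with a 72-hour clock. The report separates "remediated" from "verified" because a fix nobody rescanned is not closed-loop evidence, and it records risk acceptances with their owner rather than dropping them from the count.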
What NIS2 auditors actually look for
National supervisory authorities conducting NIS2 audits are not checking that you have a scanner installed. They are looking for evidence of a functioning, risk-based process. Specifically:
- Timestamped scan records demonstrating continuous, not just periodic, scanning activity
- A documented policy with defined SLAs, approved at board or senior management level
- Closed-loop evidence: vulnerability discovered -> risk assessed -> remediated (or risk-accepted with a recorded justification and owner) -> fix verified by rescan
- A published or documented disclosure mechanism so external researchers can report vulnerabilities responsibly
- Board-level reporting showing that vulnerability risk is communicated upward
Common questions
What are the penalties for non-compliance with NIS2?
Essential entities face fines of up to €10 million or 2 % of total worldwide annual turnover in the preceding financial year, whichever is higher. Important entities face up to €7 million or 1.4 % of turnover. Under Article 20, management bodies must approve the cybersecurity risk-management measures and oversee their implementation, and can be held liable for infringements under national law.
Does NIS2 apply to non-EU companies?
Partly. NIS2 applies to entities established in the EU, with one important exception: DNS service providers, TLD registries, domain registration services, cloud, data centre and CDN providers, managed (security) service providers and the Annex II digital providers (online marketplaces, search engines, social networks) are covered when they offer services in the Union even if they are not established there, and must designate a representative in a member state (Article 26). A US-based cloud provider serving an EU energy company therefore falls under Annex I digital infrastructure in its own right; whether it is an essential or an important entity depends on its size. Other non-EU suppliers are reached indirectly, through their EU customers' supply-chain security obligations under Article 21(2)(d).
Is penetration testing required under NIS2?
Article 21 does not name penetration testing. The closest obligations are 21(2)(e), security in acquisition, development and maintenance including vulnerability handling, and 21(2)(f), which requires policies and procedures to assess the effectiveness of your risk-management measures. Most national authorities expect regular penetration testing as part of a comprehensive programme that satisfies these points.
How does Centraleyezer map to NIS2 Article 21?
Centraleyezer covers the vulnerability identification, contextual risk-based prioritisation, remediation tracking, SLA monitoring and automated evidence generation needed to meet Article 21(2)(e). It exports the vulnerability evidence NIS2 supervisors expect; your team uses that as input into the NIS2 reports it produces for the competent authority.