EU Directive 2022/2555

NIS2 Compliance.
Continuous monitoring, documented evidence.

The NIS2 Directive requires organisations across 18 sectors to implement cybersecurity measures — or face fines up to €10M. National laws are now taking effect across the EU.

EU Directive: In force (since Jan 16, 2023)
National transposition: Ongoing (deadline was Oct 17, 2024)
Germany (NIS2UmsuCG): In force (since Dec 6, 2025)

Affected entities must comply from the date their national law takes effect. Check your country's implementation status.

Does NIS2 apply to you?

NIS2 applies to essential and important entities in 18 sectors. If your organisation has 50+ employees or €10M+ turnover in one of these sectors, you are likely in scope.

Energy: Essential
Transport: Essential
Banking: Essential
Health: Essential
Digital Infrastructure: Essential
ICT Services: Essential
Chemicals: Important
Manufacturing: Important
Postal Services: Important
Cloud / SaaS: Important
Food: Important
Research: Important

The cost of non-compliance

Essential entities: €10M or 2% of global annual turnover, whichever is higher

Important entities: €7M or 1.4% of global annual turnover, whichever is higher

Management can be held personally liable under NIS2 Art. 20.

What NIS2 requires — and what SiteGuardian monitors

NIS2 Art. 21 defines 10 cybersecurity risk management measures. SiteGuardian continuously monitors the technical ones.

Art. 21(2)(a): Risk analysis and security policies (Monitored)

SiteGuardian provides continuous security posture scoring, DNSSEC validation, vulnerability disclosure checks (security.txt), server version concealment, and an immutable audit trail with hash-chain tamper detection.

Art. 21(2)(b): Incident handling (Monitored)

SiteGuardian detects incidents in real time, supports NIS2-compliant reporting workflows (24h early warning, 72h notification, 30-day final report), and generates pre-filled incident reports for your national CSIRT.

Art. 21(2)(c): Business continuity

SiteGuardian monitors uptime from multiple regions and alerts on outages. Backup management, disaster recovery plans, and crisis management require organisational measures.

Art. 21(2)(d): Supply chain security (Monitored)

SiteGuardian classifies monitors into own infrastructure, suppliers, and partners. It scores supplier security posture, verifies DMARC/SPF/DKIM enforcement, and tracks supply chain concentration risk across 5 maturity levels.

Art. 21(2)(e): Secure development

SiteGuardian monitors Content Security Policy quality, detects unsafe-inline/unsafe-eval directives, and checks for security headers that protect against injection attacks. Secure SDLC processes require organisational measures.

Art. 21(2)(f): Effectiveness assessment (Monitored)

SiteGuardian tracks your compliance score over time, generates 90-day trend reports, and provides before/after comparisons to measure the effectiveness of your security improvements.

Art. 21(2)(g): Cyber hygiene and training (Monitored)

SiteGuardian continuously monitors technical cyber hygiene: HTTPS enforcement, HSTS, security headers, MFA, and DNS hardening. Training and awareness programmes require organisational measures beyond automated monitoring.

Art. 21(2)(h): Cryptography and encryption (Monitored)

SiteGuardian validates TLS 1.2+ enforcement, detects deprecated protocols and weak cipher suites, checks forward secrecy (PFS), monitors SSL certificate validity, and verifies HSTS preload readiness.

Art. 21(2)(i): Access control and asset management

SiteGuardian enforces MFA (TOTP/SSO) on all accounts, provides role-based access control, and maintains an asset inventory of all monitored services. HR security policies require organisational measures.

Art. 21(2)(j): Multi-factor authentication (Monitored)

SiteGuardian requires TOTP or Google SSO for platform access, monitors MFA status across all team members, and verifies encrypted communication channels (TLS, DANE, MTA-STS) for email transport.

Start preparing today

Scan your website to see where you stand. SiteGuardian maps every finding to NIS2 articles — so you know exactly what to fix.

Free forever for 1 monitor. No credit card required.

Frequently asked questions

What is the NIS2 Directive?

NIS2 (Directive 2022/2555) is the EU's updated cybersecurity regulation replacing the original NIS Directive. It significantly expands the scope to cover 18 sectors and introduces stricter requirements for incident reporting, risk management, and supply chain security.

When does NIS2 take effect?

NIS2 entered into force on January 16, 2023. Member states had until October 17, 2024 to transpose it into national law. Many countries missed this deadline — Germany's NIS2UmsuCG entered into force on December 6, 2025. Affected entities must comply from the date their national law takes effect.

Does NIS2 apply to my company?

If your organisation has 50+ employees or €10M+ annual turnover and operates in one of the 18 listed sectors (energy, transport, banking, health, digital infrastructure, ICT, manufacturing, etc.), you are likely in scope. Use our compliance check tool to find out.

What are the reporting deadlines?

Under NIS2 Art. 23: 24 hours for an early warning, 72 hours for the formal incident notification, and 1 month for the final report. SiteGuardian tracks these deadlines automatically when an incident is opened.

How does SiteGuardian help with NIS2?

SiteGuardian continuously monitors your website's security posture (encryption, headers, DNS, email authentication) and maps findings to NIS2 articles. When an incident occurs, it classifies the regulatory impact and tracks notification deadlines. Compliance reports document your measures for auditors.

How SiteGuardian supports this framework

SiteGuardian monitors technical readiness signals and produces evidence documentation that auditors can use. It does not make your organisation compliant — your organisation remains the responsible party for regulatory compliance. Algorithmic assessments are advisory and do not substitute qualified counsel or formal audits.