EU NIS 2 Compliance
The EU NIS 2 Directive requires essential and important entities to manage cybersecurity risk, including vulnerability
handling and secure development. Learn how ImmuniWeb helps with Article 21.
EU NIS 2 Directive Compliance
What Is the EU NIS 2 Directive?
NIS 2 broadens the scope of EU cybersecurity rules to a wide range of sectors - including energy, transport, banking, health, drinking and waste water, digital infrastructure, ICT service management, public administration, manufacturing, food and more - classifying organizations as 'essential' or 'important' entities.
It sets baseline cyber risk-management measures, tightens incident reporting, and introduces management accountability and registration. Because it is a directive, the precise obligations apply through each member state's national transposition.
See how ImmuniWeb supports NIS 2 Article 21 measures - vulnerability handling and secure development for your applications. Request a demo or run a free Community Edition test.
Who Must Comply with NIS 2?
NIS 2 applies to a broad set of organizations:
- Essential entities - larger organizations in high-criticality sectors (energy, transport, banking, health, digital infrastructure and more).
- Important entities - medium-sized organizations in other covered sectors.
- Note: exact thresholds and duties apply through each member state's national transposition.
The web, mobile and API applications these entities run fall within the Article 21 risk-management measures.
Key NIS 2 Requirements for Application Security
Application security is driven by the Article 21 risk-management measures:
- Security in development and maintenance: security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
- Risk analysis and testing: policies on risk analysis and information system security, and assessment of the effectiveness of measures.
- Incident reporting (Article 23): early warning within 24 hours and notification within 72 hours of significant incidents.
NIS 2 Article 21 Measures in Depth
Article 21 - Risk-Management Measures
Article 21 requires, among other measures, security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure, and the assessment of the effectiveness of cybersecurity measures. Penetration testing and vulnerability scanning of web and mobile applications are direct ways to handle vulnerabilities and evidence effectiveness.
Article 23 - Incident Reporting
Significant incidents must be reported - an early warning within 24 hours of becoming aware of the incident and an incident notification within 72 hours. Regular application testing reduces the likelihood of such incidents, but it does not replace a documented and rehearsed reporting process able to meet these deadlines.
Common Web & Mobile Application Risks to Address
NIS 2 itself does not enumerate vulnerability classes; for web applications, the categories an entity is expected to handle under Article 21 are usually taken from the OWASP Top 10:
- Broken Access Control — users reaching data or actions they should not.
- Cryptographic Failures — weak or missing encryption exposing sensitive data.
- Injection — SQL, command or other injection via unvalidated input.
- Insecure Design — missing security controls by design, not just by bug.
- Security Misconfiguration — default, incomplete or unsafe configuration.
- Vulnerable & Outdated Components — unpatched libraries and frameworks.
- Identification & Authentication Failures — weak login, session or credential handling.
- Software & Data Integrity Failures — untrusted updates, insecure CI/CD pipelines.
- Security Logging & Monitoring Failures — attacks going undetected.
- Server-Side Request Forgery (SSRF) — attacker-supplied URLs cause the server to issue requests to internal or otherwise unintended hosts.
For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, weak cryptography, and so on). Reliably finding these issues requires testing the running application, not just a documentation review.
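The injection entry above is the easiest of these classes to show concretely. The snippet below is an added illustration written for this page, not ImmuniWeb code: it builds a constructed in-memory SQLite users table and contrasts a login query assembled by string concatenation with the parameterised form. The `login_vulnerable` / `login_safe` names, the table layout and the sample rows are all assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demonstration; not taken from any real system.
    Passwords are stored in clear text only to keep the example short - a real
    application must store a salted password hash instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable form: user input is concatenated into the SQL text, so a quote
    in the username terminates the string literal and the rest becomes SQL."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened form: placeholders bind the input as data. The SQL structure is
    fixed before the values are supplied, so no input can alter it."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Runs the classic comment-based bypass against both implementations.
    With the vulnerable query, `alice' --` turns the password check into a
    SQL comment, so the attacker logs in as alice without knowing the password."""
    conn = make_db()
    attacker_user = "alice' --"
    attacker_pass = "wrong-password"
    return {
        "legitimate_safe": login_safe(conn, "alice", "s3cret"),
        "vulnerable": login_vulnerable(conn, attacker_user, attacker_pass),
        "safe": login_safe(conn, attacker_user, attacker_pass),
    }


if __name__ == "__main__":
    print(demo())
```

A DAST scanner finds this class of bug by sending payloads such as the one in `demo()` to the running application and observing the response; a code review or documentation check alone would not show that the comment sequence is honoured by the database in use.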
How to Support NIS 2 Article 21 with ImmuniWeb
- Map your assets. Inventory internet-facing apps and your attack surface with ImmuniWeb Discovery.
- Handle vulnerabilities with Neuron scanning and On-Demand penetration testing.
- Test mobile applications with MobileSuite and Neuron Mobile.
- Secure development and maintenance with Continuous in CI/CD.
- Remediate and retest with actionable reports evidencing effectiveness.
- Monitor continuously with Discovery and Continuous.
How ImmuniWeb Helps You Achieve NIS 2 Compliance
ImmuniWeb supports the Article 21 measures on vulnerability handling, secure development and effectiveness testing.
| Requirement | What it requires | ImmuniWeb products |
|---|---|---|
| Vulnerability handling | Identify and remediate application vulnerabilities. | Neuron, On-Demand, Discovery |
| Secure development & maintenance | Security across acquisition, development and maintenance. | On-Demand, Neuron, Continuous |
| Effectiveness assessment | Test and evidence the effectiveness of measures. | On-Demand, Neuron |
ImmuniWeb On-Demand and MobileSuite deliver web and mobile penetration testing; Neuron and Neuron Mobile provide automated scanning; Continuous embeds testing into CI/CD; and Discovery maps your attack surface - supporting the Article 21 measures.
NIS 2 vs International Frameworks
If you already work to international standards, the same ImmuniWeb testing evidence can be reused across them:
| Framework | Application-security angle | How ImmuniWeb maps |
|---|---|---|
| EU NIS 2 | Article 21 risk-management measures | Web/mobile pentest, scanning, ASM |
| EU DORA | Resilience testing (financial sector) | Same testing supports both |
| ISO/IEC 27001 | Annex A technical controls | Testing as control evidence |
| NIST CSF 2.0 | Protect / Detect functions | Application testing & monitoring |
Penetration Testing vs Security Scanning
Both are needed. Automated scanning (DAST) gives broad, frequent coverage and is ideal for continuous testing in CI/CD; manual penetration testing finds business-logic and complex vulnerabilities that scanners miss and produces the depth auditors and regulators expect. Combine continuous scanning with periodic manual penetration testing, and re-test after significant changes.
Compliance Checklist (Application Security)
- Inventory of internet-facing apps and exposed assets
- Vulnerability handling across web and mobile apps
- Security in development and maintenance (secure SDLC)
- Effectiveness of measures tested and evidenced
- Findings remediated and re-tested; records retained
- Incident-reporting process aligned with Article 23
- Attack-surface monitoring in place
Why NIS 2 Compliance Matters
NIS 2 is implemented through national law with significant enforcement powers: maximum administrative fines for essential entities reach at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher (at least EUR 7 million or 1.4% for important entities), alongside personal accountability for management bodies.
Because web and mobile applications are a common initial access vector for attackers, demonstrably handling their vulnerabilities and testing the effectiveness of controls is one of the clearest ways to evidence Article 21.