EU NIS 2 Compliance
The EU NIS 2 Directive requires essential and important entities to manage cybersecurity risk, including vulnerability handling and secure development. Learn how ImmuniWeb helps with Article 21.
What Is the EU NIS 2 Directive?
NIS 2 broadens the scope of EU cybersecurity rules to a wide range of sectors - including energy, transport, banking, health, drinking and waste water, digital infrastructure, ICT service management, public administration, manufacturing, food and more - classifying organizations as 'essential' or 'important' entities.
It sets baseline cyber risk-management measures, tightens incident reporting, and introduces management accountability and registration. Because it is a directive, the precise obligations apply through each member state's national transposition.
See how ImmuniWeb supports NIS 2 Article 21 measures - vulnerability handling and secure development for your applications. Request a demo or run a free Community Edition test.
Who Must Comply with NIS 2?
NIS 2 applies to a broad set of organizations:
- Essential entities - larger organizations in high-criticality sectors (energy, transport, banking, health, digital infrastructure and more).
- Important entities - medium-sized organizations in other covered sectors.
- Note: exact thresholds and duties apply through each member state's national transposition.
The web, mobile and API applications these entities run fall within the Article 21 risk-management measures.
Key NIS 2 Requirements for Application Security
Application security is driven by the Article 21 risk-management measures:
- Security in development and maintenance: security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
- Risk analysis and testing: policies on risk analysis and information system security, and assessment of the effectiveness of the measures.
- Incident reporting (Article 23): early warning within 24 hours and notification within 72 hours for significant incidents.
NIS 2 Article 21 Measures in Depth
Article 21 - Risk-Management Measures
Article 21 requires, among other measures, security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure, and the assessment of the effectiveness of cybersecurity measures. Penetration testing and vulnerability scanning of web and mobile applications are direct ways to handle vulnerabilities and evidence effectiveness.
Article 23 - Incident Reporting
Significant incidents must be reported: an early warning within 24 hours and a notification within 72 hours. Reducing the likelihood of incidents through regular application testing is the most effective way to stay ahead of these obligations.
Common Web and Mobile Application Risks to Remediate
The application vulnerabilities NIS 2 expects entities to handle map closely to the OWASP Top 10:
- Broken Access Control - users reaching data or actions they should not.
- Cryptographic Failures - weak or missing encryption exposing sensitive data.
- Injection - SQL, command or other injection via unvalidated input.
- Insecure Design - security controls missing by design, not merely through a bug.
- Security Misconfiguration - default, incomplete or insecure configuration.
- Vulnerable and Outdated Components - unpatched libraries and frameworks.
- Identification and Authentication Failures - weak handling of logins, sessions or credentials.
- Software and Data Integrity Failures - untrusted updates, insecure CI/CD pipelines.
- Security Logging and Monitoring Failures - attacks going undetected.
- Server-Side Request Forgery (SSRF) - the server tricked into making malicious requests.
For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, weak cryptography, and so on). Reliably finding these issues requires testing the running application, not just a documentation review.
How to Support NIS 2 Article 21 with ImmuniWeb
- Map your assets. Inventory internet-facing apps and your attack surface with ImmuniWeb Discovery.
- Handle vulnerabilities with Neuron scanning and On-Demand penetration testing.
- Test mobile applications with MobileSuite and Neuron Mobile.
- Secure development and maintenance with Continuous in CI/CD.
- Remediate and retest with actionable reports evidencing effectiveness.
- Monitor continuously with Discovery and Continuous.
How ImmuniWeb Helps You Achieve NIS 2 Compliance
ImmuniWeb supports the Article 21 measures on vulnerability handling, secure development and effectiveness testing.
| Requirement | What It Requires | ImmuniWeb Products |
|---|---|---|
| Vulnerability handling | Identify and remediate application vulnerabilities. | Neuron, On-Demand, Discovery |
| Secure development & maintenance | Security across acquisition, development and maintenance. | On-Demand, Neuron, Continuous |
| Effectiveness assessment | Test and document the effectiveness of measures. | On-Demand, Neuron |
ImmuniWeb On-Demand and MobileSuite deliver web and mobile penetration testing; Neuron and Neuron Mobile provide automated scanning; Continuous embeds testing into CI/CD; and Discovery maps your attack surface - supporting the Article 21 measures.
NIS 2 vs International Frameworks
If you already follow international standards, the same ImmuniWeb tests cover them all:
| Framework | Application Security Perspective | How ImmuniWeb Aligns |
|---|---|---|
| EU NIS 2 | Article 21 risk-management measures | Web/mobile pentest, scanning, ASM |
| EU DORA | Resilience testing (financial sector) | The same tests cover both |
| ISO/IEC 27001 | Annex A: technical controls | Tests as control evidence |
| NIST CSF 2.0 | Protect / Detect functions | Application testing and monitoring |
Penetration Testing vs Security Scanning
Both are needed. Automated scanning (DAST) provides broad, frequent coverage and is ideal for continuous testing in CI/CD; manual penetration testing finds the business-logic and complex vulnerabilities that scanners miss and delivers the depth auditors and regulators expect. Combine continuous scanning with periodic manual penetration testing, and retest after significant changes.
Compliance Checklist (Application Security)
- Inventory of internet-facing applications and exposed assets
- Vulnerability handling across web and mobile apps
- Security in development and maintenance (secure SDLC)
- Effectiveness of measures tested and evidenced
- Identified flaws fixed and retested; records retained
- Incident-reporting process aligned with Article 23
- Attack-surface monitoring in place
Why NIS 2 Compliance Matters
NIS 2 is implemented through national law with significant enforcement powers: maximum fines for essential entities can reach EUR 10 million or 2% of global annual turnover (and up to EUR 7 million or 1.4% for important entities), alongside management accountability.
Because web and mobile applications are a leading source of incidents, demonstrably handling their vulnerabilities and testing effectiveness is one of the clearest ways to meet Article 21.