NIS2 Directive: External Security Controls Checklist
Map your external security posture to NIS2 Directive requirements. This checklist covers the technical controls that CyberShield assesses and their alignment with NIS2 obligations for essential and important entities.
The Network and Information Security Directive 2 (NIS2, Directive (EU) 2022/2555) is the European Union's updated cybersecurity directive. It significantly expands the scope and requirements of its predecessor and applies to a broad range of organizations classified as "essential" or "important" entities, spanning sectors including energy, transport, banking, healthcare, digital infrastructure, public administration, and manufacturing.
NIS2 entered into force in January 2023, and member states were required to transpose it into national law by 17 October 2024; enforcement now runs under each member state's implementing legislation. Penalties for non-compliance can reach 10 million EUR or 2% of global annual turnover (whichever is higher) for essential entities, and 7 million EUR or 1.4% of turnover for important entities.
This checklist maps NIS2 requirements to the external security controls that CyberShield evaluates, helping you identify compliance gaps through automated scanning.
NIS2 Requirements Relevant to External Security
NIS2 Article 21 mandates that entities implement appropriate and proportionate technical and organizational measures to manage cybersecurity risks. Several specific requirements directly map to externally observable security controls.
Risk Analysis and Security Policies (Article 21.2.a)
NIS2 requires entities to perform risk analysis and establish information security policies. External security assessment provides the technical data that risk analysis depends on.
What CyberShield checks:
- Overall security posture score (risk quantification)
- Category-level scores identifying which areas carry the most risk
- Finding severity distribution (critical/high/medium/low)
- Score trends over time (risk trajectory)
Compliance evidence: Regular scan reports demonstrating ongoing risk assessment. Score trend data showing risk management effectiveness.
Incident Handling (Article 21.2.b)
NIS2 requires incident handling procedures. External security posture directly affects incident likelihood and the scope of potential incidents.
What CyberShield checks:
- Exposed services that increase incident probability (open RDP, database ports)
- Missing email authentication that enables phishing incidents
- Information disclosure that assists attackers during incidents
Compliance evidence: Remediation of findings that represent common incident entry points. Documentation of closed attack vectors.
Supply Chain Security (Article 21.2.d)
NIS2 requires entities to address cybersecurity risks in their supply chain and relationships with suppliers. External assessment enables objective vendor security evaluation.
What CyberShield checks:
- Vendor domain security posture (scan third-party domains)
- Vendor email authentication (spoofing risk from vendors)
- Vendor TLS configuration (data protection in vendor communications)
Compliance evidence: Vendor scan reports, score tracking over time, threshold enforcement.
Encryption and Cryptography (Article 21.2.h)
NIS2 requires policies and procedures regarding the use of cryptography and, where appropriate, encryption. TLS configuration is the most directly measurable cryptographic control.
What CyberShield checks:
- TLS certificate validity and chain completeness
- Protocol versions (TLS 1.2+ required, TLS 1.0/1.1 flagged)
- Cipher suite strength (forward secrecy, authenticated encryption)
- HSTS deployment
- Certificate authority restrictions (CAA records)
Compliance evidence: TLS module scan results showing strong cryptographic configuration. Remediation history for any cryptographic weaknesses.
Vulnerability Handling and Disclosure (Article 21.2.e)
NIS2 requires vulnerability handling procedures including vulnerability assessment. External scanning is a form of continuous vulnerability assessment.
What CyberShield checks:
- All 10+ scanning categories covering external vulnerability types
- Exposure module (sensitive files, path traversal, open redirects)
- Web module (cookie security, CORS, CSP, form security)
- Server version disclosure (potential vulnerability correlation)
Compliance evidence: Regular scan reports showing vulnerability identification and remediation.
External Security Controls Checklist
Use this checklist to verify your external security posture against NIS2 requirements. Each item maps to a CyberShield finding category.
Cryptography and Encryption Controls
- All TLS certificates are valid and not approaching expiration
- TLS 1.2 is the minimum supported protocol version
- TLS 1.0 and TLS 1.1 are disabled
- Strong cipher suites with forward secrecy are configured
- Weak ciphers (RC4, DES, 3DES, export-grade) are removed
- HSTS is enabled with an adequate max-age (minimum 6 months, i.e. 15552000 seconds; the browser preload list requires at least one year)
- Certificate chains are complete (no missing intermediates)
- CAA records restrict certificate issuance to authorized CAs
Email Security Controls
- SPF record published with -all enforcement
- SPF record within the 10 DNS lookup limit
- DKIM signing enabled on all outbound email services
- DKIM public keys published in DNS
- DMARC policy at p=quarantine or p=reject (see our DMARC policy setup guide for step-by-step enforcement)
- DMARC subdomain policy (sp=) matches the main policy
- DMARC reporting (rua) configured and monitored
- MTA-STS policy published for inbound TLS enforcement
- TLS-RPT record published for delivery failure reporting
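As an added example (illustration only, not CyberShield's scanner), the Python script below audits the SPF and DMARC items above offline. The domains and TXT records in TXT_RECORDS are constructed stand-ins for live DNS; swap get_txt() for a real resolver to run it against your own zone. It counts the DNS-querying SPF mechanisms recursively through include: and redirect= so the 10-lookup limit can be verified, checks the qualifier on the all term, and reads the DMARC p, sp and rua tags (sp defaults to p when absent).

```python
"""Offline audit of SPF and DMARC against the email items of the checklist.
Added example; TXT_RECORDS is constructed data, not a real zone."""
from typing import Dict, List, Optional

# Constructed DNS TXT data for hypothetical domains.
TXT_RECORDS: Dict[str, List[str]] = {
    "example.test": ["v=spf1 include:_spf.mailer.test include:spf.crm.test mx -all"],
    "_spf.mailer.test": ["v=spf1 include:a.mailer.test include:b.mailer.test ~all"],
    "a.mailer.test": ["v=spf1 ip4:192.0.2.0/24 a -all"],
    "b.mailer.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "spf.crm.test": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.test"],
    "weak.test": ["v=spf1 a mx ptr ?all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
}

# SPF terms that each cost a DNS lookup (RFC 7208 section 4.6.4; the limit is 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def get_txt(name: str) -> List[str]:
    return TXT_RECORDS.get(name, [])  # replace with a real TXT lookup for live audits


def get_spf(domain: str) -> Optional[str]:
    for txt in get_txt(domain):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def _split_term(term: str):
    """Return (qualifier, name, argument) for one SPF term such as '-all',
    'include:x', 'a/24' or 'redirect=x'."""
    qualifier = term[0] if term[0] in "+-~?" else "+"
    body = term.lstrip("+-~?")
    sep = ":" if ":" in body else "="
    name, _, arg = body.partition(sep)
    return qualifier, name.split("/")[0].lower(), arg


def spf_lookup_count(domain: str, _seen: Optional[set] = None) -> int:
    """Count DNS-querying terms, following include: and redirect= recursively."""
    seen = set() if _seen is None else _seen
    if domain in seen:  # guard against include loops
        return 0
    seen.add(domain)
    record = get_spf(domain)
    if record is None:
        return 0
    count = 0
    for term in record.split()[1:]:
        _, name, arg = _split_term(term)
        if name in LOOKUP_TERMS:
            count += 1
            if name in ("include", "redirect"):
                count += spf_lookup_count(arg, seen)
    return count


def spf_all_qualifier(domain: str) -> Optional[str]:
    """Qualifier on the 'all' term; '-' is the hard fail the checklist asks for."""
    record = get_spf(domain)
    if record is None:
        return None
    for term in record.split()[1:]:
        qualifier, name, _ = _split_term(term)
        if name == "all":
            return qualifier
    return None


def parse_dmarc(domain: str) -> Dict[str, str]:
    for txt in get_txt(f"_dmarc.{domain}"):
        if txt.upper().startswith("V=DMARC1"):
            tags = (t.partition("=") for t in txt.split(";") if "=" in t)
            return {k.strip().lower(): v.strip() for k, _, v in tags}
    return {}


def audit_email(domain: str) -> Dict[str, bool]:
    spf = get_spf(domain)
    dmarc = parse_dmarc(domain)
    policy = dmarc.get("p", "none").lower()
    sub_policy = dmarc.get("sp", policy).lower()  # sp defaults to p when absent
    return {
        "spf_published": spf is not None,
        "spf_hard_fail": spf_all_qualifier(domain) == "-",
        "spf_within_lookup_limit": spf is not None and spf_lookup_count(domain) <= 10,
        "dmarc_enforced": policy in ("quarantine", "reject"),
        "dmarc_subdomain_matches": bool(dmarc) and sub_policy == policy,
        "dmarc_rua_configured": dmarc.get("rua", "").lower().startswith("mailto:"),
    }


if __name__ == "__main__":
    for d in ("example.test", "weak.test"):
        print(d, audit_email(d))
```

On the constructed data, example.test passes every item except the subdomain policy (sp=quarantine is weaker than p=reject, so mail from unused subdomains is treated more leniently than the main domain), while weak.test fails hard-fail, enforcement and reporting. Note that the lookup counter follows mechanism semantics only; a live audit must also treat a missing or malformed include target as a permanent error.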
Network Security Controls
- No unnecessary ports exposed to the internet
- RDP (3389) not externally accessible
- Database ports (3306, 5432, 1433, 27017) not externally accessible
- SMB (445) not externally accessible
- Telnet (23) not externally accessible
- Administrative interfaces restricted to VPN or IP allowlist
- Only required services exposed (web, email, DNS)
Web Application Security Controls
- Content-Security-Policy header deployed
- X-Frame-Options header set to DENY or SAMEORIGIN
- X-Content-Type-Options header set to nosniff
- Referrer-Policy header configured
- Permissions-Policy header configured
- Server version banners removed from responses
- X-Powered-By and similar disclosure headers removed
- Custom error pages that do not reveal stack traces
- No sensitive files accessible (.env, .git, backups)
- Cookies set with Secure, HttpOnly, and SameSite flags
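The header and cookie items above can be checked from a single captured response. The Python below is an added example, not CyberShield's web module: it audits two constructed responses (one hardened, one weak) against the header, banner, cookie and HSTS items, using the page's own 6-month HSTS minimum. The sample header values are constructed for illustration.

```python
"""Audit HTTP response headers and Set-Cookie values against the checklist.
Added example; both sample responses below are constructed, not captured."""
import re
from typing import Dict, List

SIX_MONTHS = 15_552_000  # seconds; the checklist's minimum HSTS max-age

# Constructed sample responses (headers as a server would emit them).
HARDENED = {
    "headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=()",
        "Server": "nginx",
    },
    "set_cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}
WEAK = {
    "headers": {
        "Strict-Transport-Security": "max-age=86400",
        "X-Frame-Options": "ALLOW-FROM https://partner.test",
        "X-Content-Type-Options": "nosniff",
        "Server": "Apache/2.4.41 (Ubuntu)",
        "X-Powered-By": "PHP/7.4.3",
    },
    "set_cookie": ["session=abc123; Path=/", "prefs=dark; Path=/; Secure"],
}

VERSION_RE = re.compile(r"\d+\.\d+")  # a dotted version number in a banner


def hsts_max_age(value: str) -> int:
    """Parse max-age out of a Strict-Transport-Security value (0 if absent)."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    return int(m.group(1)) if m else 0


def cookie_flags_ok(set_cookie: str) -> bool:
    """True when the cookie carries Secure, HttpOnly and SameSite attributes."""
    attrs = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    return {"secure", "httponly", "samesite"} <= attrs


def audit_response(resp: dict) -> Dict[str, bool]:
    h = {k.lower(): v for k, v in resp["headers"].items()}  # header names are case-insensitive
    return {
        "hsts_adequate": hsts_max_age(h.get("strict-transport-security", "")) >= SIX_MONTHS,
        "csp_present": "content-security-policy" in h,
        "frame_options_ok": h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"),
        "nosniff": h.get("x-content-type-options", "").lower() == "nosniff",
        "referrer_policy_present": "referrer-policy" in h,
        "permissions_policy_present": "permissions-policy" in h,
        "server_version_hidden": not VERSION_RE.search(h.get("server", "")),
        "no_powered_by": "x-powered-by" not in h,
        "cookies_flagged": all(cookie_flags_ok(c) for c in resp["set_cookie"]),
    }


def failing_items(resp: dict) -> List[str]:
    """Checklist items the response fails, sorted for stable reporting."""
    return sorted(k for k, ok in audit_response(resp).items() if not ok)


if __name__ == "__main__":
    print("hardened:", failing_items(HARDENED))
    print("weak:", failing_items(WEAK))
```

Presence of a CSP header is all this checks; whether the policy is meaningful (no unsafe-inline, no wildcard sources) needs a policy parser. The Server check only flags a dotted version number, so a bare product name such as "nginx" passes while "Apache/2.4.41" does not.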
DNS Security Controls
- DNSSEC enabled and validated
- CAA records published
- Multiple nameservers on different networks
- No dangling CNAME records (subdomain takeover prevention)
- Zone transfer restricted to authorized servers
Domain Management Controls
- Domain registration not expiring within 90 days
- Auto-renewal enabled
- Registrar transfer lock enabled
- Consistent registration information across domains
Monitoring and Assessment Controls
- Regular external security scans scheduled (weekly or monthly)
- Scan results reviewed and findings triaged by severity
- Critical and high findings remediated within defined timelines
- Score trends tracked over time
- Baseline comparisons used to detect regression
- Supply chain partners assessed through external scanning
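The baseline comparison and remediation-timeline items above come down to diffing two scan reports and ageing each open finding against its severity's SLA. The Python below is an added example and does not use CyberShield's export format: the report shape, the SLA values and both scans are constructed for illustration.

```python
"""Baseline comparison and SLA tracking over two scan reports.
Added example; report shape, SLAs and both scans are constructed."""
from datetime import date
from typing import Dict, List

# Assumed remediation SLAs in days per severity; NIS2 itself sets no such numbers.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed baseline and follow-up scans for a hypothetical domain.
BASELINE_SCAN = {
    "scanned": "2025-01-06",
    "score": 82,
    "findings": [
        {"id": "tls-weak-cipher", "severity": "high", "first_seen": "2024-12-02"},
        {"id": "dmarc-policy-none", "severity": "medium", "first_seen": "2024-12-02"},
    ],
}
LATEST_SCAN = {
    "scanned": "2025-02-03",
    "score": 74,
    "findings": [
        {"id": "tls-weak-cipher", "severity": "high", "first_seen": "2024-12-02"},
        {"id": "rdp-exposed", "severity": "critical", "first_seen": "2025-02-03"},
    ],
}


def compare_scans(baseline: dict, current: dict, score_drop_threshold: int = 5) -> dict:
    """Classify findings as new, resolved or persisting and flag a score regression."""
    base_ids = {f["id"] for f in baseline["findings"]}
    cur_ids = {f["id"] for f in current["findings"]}
    return {
        "new": sorted(cur_ids - base_ids),
        "resolved": sorted(base_ids - cur_ids),
        "persisting": sorted(base_ids & cur_ids),
        "score_regressed": baseline["score"] - current["score"] >= score_drop_threshold,
    }


def overdue_findings(scan: dict, as_of: date) -> List[str]:
    """Findings open longer than the SLA for their severity as of the given date."""
    overdue = []
    for f in scan["findings"]:
        age_days = (as_of - date.fromisoformat(f["first_seen"])).days
        if age_days > SLA_DAYS[f["severity"]]:
            overdue.append(f["id"])
    return sorted(overdue)


def regression_report(baseline: dict, current: dict) -> Dict[str, object]:
    """Combine the diff with SLA status as of the current scan date."""
    report = compare_scans(baseline, current)
    as_of = date.fromisoformat(current["scanned"])
    report["overdue"] = overdue_findings(current, as_of)
    report["needs_escalation"] = bool(report["new"]) or bool(report["overdue"]) or report["score_regressed"]
    return report


if __name__ == "__main__":
    for key, value in regression_report(BASELINE_SCAN, LATEST_SCAN).items():
        print(f"{key}: {value}")
```

Ageing uses first_seen rather than the current scan date, so a finding that was closed and reopened keeps its original clock only if the scanner preserves first_seen across reports; if it resets, the SLA check is blind to recurring findings. The score threshold is a tunable; the constructed scans drop 8 points, which exceeds the default of 5.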
NIS2 Reporting Requirements
NIS2 introduces strict incident reporting obligations. Entities must report significant incidents to the national CSIRT or competent authority:
- Early warning: Within 24 hours of becoming aware of a significant incident
- Incident notification: Within 72 hours, including an initial assessment
- Final report: Not later than one month after the incident notification, including a detailed description of the incident and its impact, the type of threat or root cause, the mitigation measures applied, and any cross-border impact
External security assessment data supports these reporting requirements:
Pre-incident baseline: Regular scan reports establish your security posture before an incident, demonstrating that you maintained appropriate controls.
Root cause analysis: If an incident exploits an external weakness (expired certificate, exposed port, missing authentication), scan history shows when the weakness appeared and what remediation was in progress.
Remediation evidence: Post-incident scans verify that the exploited weakness has been addressed and that no similar weaknesses exist elsewhere.
Implementing NIS2 External Security Controls
Priority 1: Critical Controls (Address Immediately)
These controls address the most likely incident vectors and carry the highest compliance weight:
- Close all exposed RDP, database, and unnecessary ports
- Implement email authentication (SPF, DKIM, DMARC at enforcement)
- Ensure all TLS certificates are valid and properly configured
- Remove exposed sensitive files and information disclosure
Priority 2: Important Controls (Address Within 1 Month)
These controls strengthen your posture and demonstrate security program maturity:
- Deploy HTTP security headers (CSP, HSTS, X-Frame-Options, etc.)
- Enable DNSSEC and publish CAA records
- Configure cookie security flags
- Remove server version disclosure
Priority 3: Supporting Controls (Address Within 3 Months)
These controls complete your compliance posture:
- Deploy MTA-STS and TLS-RPT
- Implement certificate transparency monitoring
- Establish vendor security assessment program
- Configure automated scanning and monitoring
Ongoing Requirements
NIS2 compliance is not a one-time achievement:
- Scan all domains at least monthly (weekly recommended)
- Review and remediate findings within defined SLAs
- Track security posture trends for management reporting
- Assess supply chain partners regularly
- Update controls as threat landscape evolves
- Maintain documentation for audit and incident reporting
Using CyberShield for NIS2 Evidence
CyberShield scan results provide structured evidence for NIS2 compliance demonstrations:
Risk assessment evidence: Overall scores, category breakdowns, and severity distributions quantify external risk.
Control effectiveness evidence: Module-level findings demonstrate whether specific technical controls are implemented and properly configured.
Continuous improvement evidence: Score trends and scan comparisons show ongoing risk management and remediation progress.
Supply chain evidence: Vendor domain scans document third-party security assessment activities.
Compliance mapping: CyberShield maps findings to multiple compliance frameworks including NIST 800-53, ISO 27001, PCI-DSS, and CIS Controls. While NIS2 does not prescribe specific controls like these frameworks do, the mapping demonstrates alignment with recognized security standards that NIS2 references.
Regular scanning produces the timestamped, structured data that auditors and regulators expect. You can export this data as compliance-ready reports organized by control domain. Each scan report serves as evidence that the entity is performing ongoing technical risk assessment and maintaining the technical controls that NIS2 Article 21 requires.