Your customer’s compliance officer just emailed: “We need NIS2-mapped security evidence for all vendors by Friday.” You have 60 security checks running on your domain, but no way to hand a regulator-friendly document across the table.
That changed today. SaaSFort’s API now generates a branded, multi-page NIS2 compliance PDF that maps your scan results directly to all 10 NIS2 Article 21(2) security measures. The PDF takes 7 seconds to generate. No account required for single-domain exports.
What the PDF Contains
The export isn’t a raw data dump. It’s a structured compliance document designed to satisfy auditors and procurement teams who need to verify NIS2 supply chain obligations.
Each PDF includes:
- Domain summary — scanned domain, scan date, overall security grade (A+ to F), total checks passed/failed
- Article 21(2) controls mapping — all 10 NIS2 security measures with compliance percentage per control
- Status badges — each control marked as Compliant, Partial, Non-Compliant, or Not Assessed
- Per-control findings — specific scan results grouped under the NIS2 measure they address
- Remediation guidance — actionable fixes for each non-compliant finding
- SaaSFort branding — professional layout with navy/amber design, Space Grotesk typography
The output is a 4-page PDF (PDF 1.4 format, ~90KB) that a compliance officer can read without any security background. No CVSS matrices, no raw JSON, no vulnerability IDs that require a decoder ring.
The 10 NIS2 Article 21(2) Measures — Mapped
NIS2 Article 21(2) lists 10 specific security measures that covered entities must implement. SaaSFort maps its 60 scan checks to each one:
| Article 21(2) Measure | What SaaSFort Checks | Example Findings |
|---|---|---|
| (a) Risk analysis & policies | Overall security grade, policy documentation | Grade below C triggers non-compliant flag |
| (b) Incident handling | security.txt presence, response headers | Missing security.txt = partial compliance |
| (c) Business continuity | DNS redundancy, nameserver config | Single nameserver = non-compliant |
| (d) Supply chain security | Third-party script analysis, SRI checks | Unverified CDN scripts flagged |
| (e) Network security | TLS configuration, cipher suites, HSTS | TLS 1.0/1.1 enabled = non-compliant |
| (f) Vulnerability handling | OWASP checks, patch indicators, exposed files | SQL injection vectors, directory listing |
| (g) Assessment & testing | Scan completeness, test coverage metrics | Checks passed vs. total available |
| (h) Cryptography | SSL/TLS strength, certificate chain, HSTS preload | Weak ciphers, expired certificates |
| (i) Access control & authentication | Auth header checks, cookie security, session flags | Missing Secure/HttpOnly cookie flags |
| (j) Multi-factor & secure comms | HTTP/2 support, encrypted transport enforcement | HTTP-to-HTTPS redirect missing |
When your customer’s auditor asks “how does your SaaS vendor address Article 21(2)(e) network security?”, the PDF shows exactly which checks were run, what passed, and what needs attention — with your domain name and scan date stamped on every page.
How to Generate Your NIS2 PDF
Two paths, depending on whether you have a SaaSFort account:
Without an account (public endpoint)
Send a POST request with your domain:
```http
POST https://api.saasfort.com/api/nis2/export/pdf
Content-Type: application/json

{"domain": "yourdomain.com"}
```
SaaSFort runs a full 60-check scan, maps findings to NIS2 controls, and returns the PDF. Takes about 7 seconds. No API key, no signup, no credit card.
With an account (authenticated endpoint)
```http
GET https://api.saasfort.com/api/nis2/export/pdf
Authorization: Bearer sf_your_api_key
```
This generates a PDF from your existing scan history — all domains you’ve scanned, aggregated into a single compliance view. Useful when you manage multiple products and need one document covering your entire portfolio.
The authenticated endpoint returns 401 without a valid API key. The public endpoint returns 400 if you omit the domain parameter. Both are intentional: we validate inputs before spending compute on PDF generation.
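A client for the public endpoint described above, as an added example (not SaaSFort's own code): it validates the domain before sending, confirms the response body really is a PDF, and records a SHA-256 so the file handed to an auditor can later be matched to this export. The hostname rule, the output filename and the record fields are assumptions of this example.

```python
import hashlib
import json
import re
import sys
import urllib.error
import urllib.request
from datetime import datetime, timezone

PUBLIC_URL = "https://api.saasfort.com/api/nis2/export/pdf"  # endpoint given on the page
_HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def normalize_domain(domain: str) -> str:
    domain = domain.strip().lower()
    if not _HOST_RE.match(domain):  # assumption: the API takes a bare hostname
        raise ValueError(f"not a bare hostname: {domain!r}")
    return domain

def build_request(domain: str) -> urllib.request.Request:
    """POST {"domain": ...} as JSON to the public endpoint."""
    body = json.dumps({"domain": normalize_domain(domain)}).encode()
    return urllib.request.Request(PUBLIC_URL, data=body, method="POST",
                                  headers={"Content-Type": "application/json"})

def evidence_record(domain: str, pdf: bytes) -> dict:
    """Confirm the body is a complete PDF, then fingerprint it for the audit file."""
    if not pdf.startswith(b"%PDF-") or b"%%EOF" not in pdf[-1024:]:
        raise ValueError("response body is not a complete PDF")
    return {
        "domain": domain,
        "sha256": hashlib.sha256(pdf).hexdigest(),
        "pdf_version": pdf[5:8].decode("ascii", "replace"),
        "retrieved_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }

def fetch(domain: str, timeout: float = 60.0) -> dict:
    """Run the export, save the PDF, and return its evidence record."""
    domain = normalize_domain(domain)
    try:
        with urllib.request.urlopen(build_request(domain), timeout=timeout) as resp:
            pdf = resp.read()
    except urllib.error.HTTPError as exc:  # e.g. the documented 400
        raise RuntimeError(f"export failed: HTTP {exc.code}") from exc
    record = evidence_record(domain, pdf)  # validate before writing to disk
    with open(f"nis2-{domain}.pdf", "wb") as fh:
        fh.write(pdf)
    return record

if __name__ == "__main__":
    print(json.dumps(fetch(sys.argv[1]), indent=2))
```

Storing the returned record next to the PDF lets a reviewer re-hash the file and confirm it is the document that was exported at the stated time.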
Why This Matters Now — Not in October
Germany’s BSI sent its first NIS2 audit notifications in January 2026. Italy’s ACN started inspections in Q4 2025. The October 2026 enforcement deadline is when all 29,000 classified EU entities must be compliant — but audits are happening today.
Three numbers from BSI’s March 2026 data:
- 18,500 of 29,000 German entities missed the March 6 BSI registration deadline. They’re scrambling to catch up, and that scramble includes vendor assessments.
- €500,000 — the fine for failing to register alone. Security measure violations under §65 BSIG carry fines up to €10 million.
- Every SaaS vendor in a covered entity’s supply chain is in scope. If your customer is classified under NIS2, you’re part of their supply chain security obligation under Article 21(2)(d).
The companies that missed the BSI deadline are now racing to build compliance evidence. Their vendor assessment questionnaires are already landing in SaaS founders’ inboxes. A pre-built NIS2 compliance PDF turns a two-week scramble into a 7-second API call.
How This Fits Into Your Evidence Stack
The NIS2 PDF export is one piece of a broader compliance evidence package. Here’s how the pieces connect:
| Evidence Type | What It Covers | SaaSFort Feature |
|---|---|---|
| External security posture | 60 checks, A-F grade | Free scan |
| NIS2 compliance mapping | Article 21(2) controls | NIS2 PDF export (new) |
| Deal Report | Procurement-ready summary | Dashboard export |
| Continuous monitoring proof | Scan history over time | CI/CD integration |
| Full compliance playbook | 8-chapter guide | Free whitepaper |
For a complete walkthrough of organizing your evidence files by audit domain, see the NIS2 audit preparation evidence guide. The PDF export covers the external security posture layer — you’ll still need internal policies, incident response plans, and access control documentation to satisfy a full audit.
What Competitors Offer for NIS2 Compliance
Most security scanners treat compliance as a checkbox feature or a premium add-on:
| Scanner | NIS2 Compliance Export | Price |
|---|---|---|
| SaaSFort | Branded PDF, all 10 Art.21(2) controls, free public endpoint | Free (public) / €9-29/mo (authenticated) |
| Detectify | No NIS2 mapping | €90/mo |
| Intruder | No compliance export | $149/mo |
| SecurityScorecard | GRC module, enterprise pricing | $25K+/yr |
| Aikido | SOC2/ISO focus, no NIS2-specific export | $300/mo |
| HostedScan | No compliance mapping | $49/mo |
SecurityScorecard offers GRC capabilities but at enterprise price points. For a 20-person SaaS company that needs NIS2 evidence by October, SaaSFort generates it for free from the public endpoint.
FAQ
Does the PDF replace a full NIS2 compliance assessment?
No. The PDF covers your external security posture mapped to Article 21(2) controls. A full assessment also requires internal policies (incident response, access control, business continuity), employee training records, and supply chain documentation. Use the PDF as one layer of your complete evidence package.
Can I white-label the PDF for my own customers?
Not yet. The current PDF carries SaaSFort branding. If you need white-label compliance reports for your own customers, contact us — it’s on the roadmap for Q3 2026.
How current is the data in the PDF?
The public endpoint runs a live scan at generation time — the data is seconds old. The authenticated endpoint uses your most recent scan results. For maximum freshness, trigger a scan via the CI/CD webhook before exporting.
Is the PDF accepted by auditors?
The PDF provides structured evidence that maps to NIS2 Article 21(2) controls — the same framework auditors use. Whether it’s sufficient depends on your customer’s risk classification and the auditor’s requirements. It’s a strong foundation, especially paired with a BSI IT-Grundschutz aligned package for German customers.
What if my compliance percentage is low?
That’s actually the point. The PDF shows both what you’re doing right and where gaps exist. Use the remediation guidance to fix issues, then regenerate. Showing auditors a trajectory from 45% to 85% compliance is more convincing than a single perfect snapshot — it demonstrates active security management, which is what NIS2 Article 21 actually requires.
Generate your NIS2 compliance PDF now. Run a free scan on your domain, or call the API directly: POST /api/nis2/export/pdf with {"domain": "yourdomain.com"}. Seven seconds to audit-ready evidence.