SaaSFort

NIS2 Article 21 technical security assessment: what to check

NIS2 Article 21(2) lists 10 categories of technical measures. This guide explains what each one requires, how to check it, and what evidence you need for an auditor. The external scan covers the fastest 60 checks in under 60 seconds.

What NIS2 Article 21(2) requires

Article 21(2) lists 10 minimum technical and organisational measures. The ones most directly testable by automated external scanning are:

Sub-clause   Measure (Art. 21(2) wording)                                  Testable externally?
(b)          incident handling                                              Partial: DMARC, logging indicators
(d)          supply chain security                                          Partial: third-party headers, DNS
(e)          acquisition, development and maintenance, incl. vulnerability  Yes: exposed CVEs, outdated libraries, JS sources
             handling and disclosure
(g)          basic cyber hygiene practices                                  Yes: HSTS, CSP, X-Frame-Options, DNSSEC
(h)          cryptography and, where appropriate, encryption                Yes: TLS version, cipher suites, certificate validity
(i)          access control policies and asset management                   Partial: exposed admin panels

5-step technical assessment process

  1. Run an external posture scan

     Start with what auditors and attackers see from outside: TLS configuration, HTTP security headers (HSTS, CSP, X-Frame-Options), DMARC, DNSSEC, and exposed admin panels. SaaSFort runs 60 checks against your domain in under 60 seconds, mapped to NIS2 Art. 21(2)(g) and (h). No account needed.

  2. Check access control and authentication

     Review MFA coverage for privileged accounts, verify that administrative interfaces are not publicly exposed, and confirm session timeout policies. Maps to NIS2 Art. 21(2)(i) (access control policies); MFA is named separately in Art. 21(2)(j).

  3. Verify encryption in transit and at rest

     Confirm TLS 1.2 or higher on all public endpoints (TLS 1.0 and 1.1 disabled), check certificate validity and chain completeness, and verify that data at rest is encrypted. Covers NIS2 Art. 21(2)(h), cryptography and encryption.

  4. Review vulnerability management

     Confirm a documented process for tracking and patching vulnerabilities. NIS2 Art. 21(2)(e) covers vulnerability handling and disclosure, so an auditor will expect to see how findings are triaged, who owns remediation, and within what time frame. Monthly external scans are the practical floor.

  5. Document findings for your auditor

     Produce a dated report mapping each finding to the NIS2 Article 21 control it affects. The SaaSFort audit pack generates this PDF: 60 checks, A-F grade, NIS2 and ISO 27001 Annex A mapping. One-time purchase, no account.
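To make the checks in steps 1 and 3 concrete, here is an added example (written for this guide, not SaaSFort's scanner) that evaluates HTTP security headers, a DMARC record and the negotiated TLS parameters, and tags each finding with the Art. 21(2) sub-clause above. The pass thresholds (HSTS max-age of at least one year, TLS 1.2 or higher, a forward-secret cipher with no legacy algorithms, DMARC p=quarantine or p=reject at pct=100) are this example's assumptions, not NIS2 text. Only the standard library is used; the `scan()` function performs a live connection, while the `check_*` functions work on captured values so they can be run against constructed input offline.

```python
"""Offline-testable versions of the external checks in steps 1 and 3.

Added example for this guide, not SaaSFort's scanner. The thresholds below
are assumptions chosen for the example, not wording from NIS2 Article 21.
"""
import http.client
import socket
import ssl
import time
from dataclasses import dataclass

# Example thresholds (assumptions): one year of HSTS, no legacy cipher markers.
HSTS_MIN_AGE = 31536000
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXPORT", "MD5", "ANON")


@dataclass
class Finding:
    check: str
    clause: str    # NIS2 Art. 21(2) sub-clause the check is mapped to
    passed: bool
    detail: str


def _parse_csp(value):
    """'default-src a; script-src b c' -> {'default-src': ['a'], 'script-src': ['b', 'c']}"""
    out = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def check_security_headers(headers):
    """HTTP response headers -> findings for HSTS, CSP and clickjacking (Art. 21(2)(g))."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security", "")
    max_age = 0
    for part in hsts.split(";"):
        k, _, v = part.strip().partition("=")
        if k.lower() == "max-age" and v.isdigit():
            max_age = int(v)
    findings.append(Finding("HSTS", "(g)", max_age >= HSTS_MIN_AGE,
                            f"max-age={max_age}" if hsts else "header missing"))

    csp = _parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        findings.append(Finding("CSP", "(g)", False, "header missing"))
    else:
        # script-src falls back to default-src when absent, as in the CSP spec
        scripts = csp.get("script-src", csp.get("default-src", []))
        weak = "'unsafe-inline'" in scripts or "*" in scripts
        findings.append(Finding("CSP", "(g)", not weak,
                                "script-src allows 'unsafe-inline' or *" if weak else "present"))

    xfo = h.get("x-frame-options", "").upper()
    framed = bool(csp and "frame-ancestors" in csp) or xfo in ("DENY", "SAMEORIGIN")
    findings.append(Finding("Clickjacking", "(g)", framed,
                            xfo or ("frame-ancestors set" if framed
                                    else "no X-Frame-Options / frame-ancestors")))
    return findings


def check_dmarc(txt):
    """TXT record at _dmarc.<domain> -> one finding. Mapped to (b) because spoofed
    mail is an incident source; p=none only monitors and is treated as a fail here."""
    tags = {}
    for part in txt.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip().lower()] = v.strip()
    policy = tags.get("p", "none").lower()
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    ok = tags.get("v") == "DMARC1" and policy in ("quarantine", "reject") and pct == 100
    return Finding("DMARC", "(b)", ok, f"p={policy} pct={pct}")


def check_tls(version, cipher, days_to_expiry):
    """Negotiated protocol, OpenSSL cipher name and certificate lifetime -> findings (Art. 21(2)(h))."""
    findings = [Finding("TLS version", "(h)", version in ("TLSv1.2", "TLSv1.3"), version)]
    upper = cipher.upper()
    weak = any(m in upper for m in WEAK_CIPHER_MARKERS)
    # TLS 1.3 suites are always forward secret; for 1.2 require an (EC)DHE key exchange
    pfs = version == "TLSv1.3" or "DHE" in upper
    findings.append(Finding("Cipher suite", "(h)", not weak and pfs, cipher))
    findings.append(Finding("Certificate", "(h)", days_to_expiry > 0,
                            f"{days_to_expiry} days to expiry"))
    return findings


def scan(domain, dmarc_txt="", port=443):
    """Live run against one domain. The DMARC TXT record must be supplied by the
    caller (the standard library has no TXT lookup): dig +short TXT _dmarc.<domain>"""
    ctx = ssl.create_default_context()   # verifies the chain, so an incomplete chain fails here
    try:
        with socket.create_connection((domain, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=domain) as tls:
                version, cipher = tls.version(), tls.cipher()[0]
                expiry = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
    except ssl.SSLError as e:
        return [Finding("Certificate", "(h)", False, str(e))]
    findings = check_tls(version, cipher, int((expiry - time.time()) // 86400))
    conn = http.client.HTTPSConnection(domain, port, timeout=10, context=ctx)
    conn.request("GET", "/", headers={"User-Agent": "nis2-posture-check"})
    findings += check_security_headers(dict(conn.getresponse().getheaders()))
    findings.append(check_dmarc(dmarc_txt))
    return findings


if __name__ == "__main__":
    import sys
    for f in scan(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else ""):
        print(f"{'PASS' if f.passed else 'FAIL'} {f.clause:4} {f.check:14} {f.detail}")
```

Run it as `python posture.py example.com "$(dig +short TXT _dmarc.example.com | tr -d '"')"`. The clause tags are the point for the audit file: a failing HSTS or CSP line lands under (g), a TLS 1.0 endpoint or RSA-key-exchange cipher under (h), and a p=none DMARC record under (b), which is exactly the mapping a step 5 report needs.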

Run step 1 now — free, 60 seconds

The external-posture scan covers 60 checks across NIS2 Art. 21(2)(g), (h), and (i). No account needed. The €39 audit pack adds the dated PDF your auditor or enterprise buyer accepts.

Common questions

What technical measures does NIS2 Article 21 require?

Article 21(2) lists 10 categories. The most testable externally are: (h) cryptography and encryption (TLS 1.2+, cipher suites, certificate validity), (g) basic cyber hygiene (HSTS, CSP, DMARC, DNSSEC), (e) security in acquisition, development and maintenance, including vulnerability handling (exposed CVEs, outdated libraries), and (i) access control (exposed admin panels), with MFA named separately under (j). A full assessment covers all 10, but external scanning is the fastest starting point.

How long does a NIS2 technical security assessment take?

The external-posture part takes under 60 seconds with an automated scanner. A full internal assessment takes 1-3 days for a 50-200 employee SaaS team. Start with the external scan to find the quick wins first.

What does a NIS2 technical assessment report include?

Each control checked, the pass or fail result, the NIS2 Article 21 sub-clause it maps to, and remediation steps for failures. The SaaSFort audit pack covers 60 external-posture checks and produces a dated PDF for €39. For the full internal-controls scope you need a qualified auditor or the BSI IT-Grundschutz methodology.

How often should I run a NIS2 technical security assessment?

NIS2 does not prescribe an assessment frequency; Art. 21(2)(f) only requires policies and procedures to assess the effectiveness of the measures. Most interpretations treat that as annual assessments with ongoing monitoring. BSI guidance for German entities recommends quarterly external posture scans and annual internal reviews. Monthly automated scanning is the practical floor for B2B SaaS in scope.

Related guides: NIS2 Article 21 full guide · NIS2 self-assessment checklist · Security scan use cases

See also: SaaS Security Leaderboard — public NIS2 technical grades for Stripe, Slack, GitHub and 55 more domains.