NIS2 Technical Review

The NIS2 Directive introduces binding cybersecurity requirements for thousands of organisations across the EU. Criterio analyses the technical security surface of your website against NIS2 Article 21.

The NIS2 Directive (2022/2555/EU) replaces the original 2016 NIS Directive and significantly expands which organisations must meet cybersecurity requirements. In Sweden it is transposed through NIS2-lagen. Criterio reviews the technical aspects of your website that are observable without authentication — security headers, TLS configuration, DNS security, email authentication, and exposed admin paths. Results are presented as technical insights that give you a fact-based foundation for a broader NIS2 assessment.

What's included in the review

  • HTTP security header checks (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy)
  • TLS version review — TLS 1.2 minimum, TLS 1.3 preferred
  • Certificate validation and expiry check
  • DNS security — DMARC, SPF, and DKIM records
  • Exposed admin path and login page check
  • Cookie security flags — HttpOnly, Secure, and SameSite
  • Results report with findings mapped to NIS2 Article 21(2)
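One way to implement the header and cookie-flag checks in this list, as an added example and not Criterio's own scanner: it evaluates a constructed response offline, so the sample headers are invented. The one-year HSTS threshold and the treatment of a CSP `frame-ancestors` directive as a substitute for X-Frame-Options are assumptions.

```python
import re
HSTS_MIN_AGE = 31536000  # assumed baseline: one year in seconds
ALWAYS_REQUIRED = ("Content-Security-Policy", "Referrer-Policy", "Permissions-Policy")

def check_cookie(raw):
    # One Set-Cookie value: first segment is name=value, the rest are attributes.
    parts = [p.strip() for p in raw.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {part.partition("=")[0].lower() for part in parts[1:]}
    return [f"cookie {name}: missing {flag}"
            for flag in ("HttpOnly", "Secure", "SameSite") if flag.lower() not in attrs]

def check_headers(headers):
    # headers: list of (name, value) pairs as received; returns a list of findings.
    present = {}
    for name, value in headers:
        present.setdefault(name.lower(), []).append(value)
    findings = [f"missing header: {h}" for h in ALWAYS_REQUIRED if h.lower() not in present]
    # Assumption: X-Frame-Options is redundant when CSP already carries frame-ancestors.
    csp = " ".join(present.get("content-security-policy", []))
    if "x-frame-options" not in present and "frame-ancestors" not in csp:
        findings.append("missing header: X-Frame-Options")
    hsts = " ".join(present.get("strict-transport-security", []))
    match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not match or int(match.group(1)) < HSTS_MIN_AGE:
        findings.append("weak or missing HSTS: max-age below one year")
    for raw in present.get("set-cookie", []):
        findings.extend(check_cookie(raw))
    return findings

# Constructed sample responses, not captured from any real site.
WEAK_RESPONSE = [
    ("Strict-Transport-Security", "max-age=300"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Referrer-Policy", "no-referrer"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; SameSite=Lax"),
]
HARDENED_RESPONSE = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=()"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_headers(response) or ["no findings"])
```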

Criterio performs an automated technical review of observable properties. This is a technical insights report — not a full NIS2 audit. A complete NIS2 assessment requires review of organisational and operational measures beyond what can be detected automatically. Consult your security advisor for a comprehensive assessment.

How the NIS2 Directive came about

  • 2016: The EU adopts the original NIS Directive (2016/1148/EU) — the first EU-wide framework for network and information security. Its scope is narrow: around 700 organisations across the EU in practice.
  • 2020: The European Commission evaluates NIS1 and finds it insufficient: too few sectors covered, uneven implementation across member states, and inadequate incident reporting requirements.
  • 2022: The NIS2 Directive (2022/2555/EU) is adopted in December. The scope expands dramatically — 18 sectors, from energy and transport to healthcare and digital infrastructure.
  • 2024: Member states must transpose NIS2 into national law by October. Sweden transposes via NIS2-lagen. Thousands of organisations never previously regulated now fall within scope.
  • Now: Supervisory authorities are active. Board members can be held personally liable for security failures. Incidents must be reported within 24 hours — hoping you are not affected is no longer a strategy.

Did you know?

  • NIS2 applies to an estimated 160,000 organisations across the EU — compared to fewer than 700 under NIS1. That is an increase of more than 200 times
  • Board members and senior executives can be held personally liable if an organisation fails to meet NIS2 requirements — it is no longer solely IT's responsibility
  • The incident reporting window is tight: initial notification within 24 hours, full report within 72 hours, and final report within one month
  • Fines for essential entities can reach €10,000,000 or 2% of global annual turnover — whichever is higher
  • NIS2 covers 18 sectors — including energy, transport, banking, healthcare, drinking water, digital infrastructure, and public administration
  • Supply chains are explicitly addressed: organisations must manage cybersecurity risks in their suppliers and service providers

What does your technical security surface look like?

Start with a free scope assessment. No commitment required.

Request a free assessment