NIS2 Compliance Checklist — 10 Mandatory Measures for EU Businesses
The NIS2 Directive is the most significant EU cybersecurity regulation since GDPR. This guide breaks down every Article 21 requirement with practical implementation steps and evidence checklists.
What is the NIS2 Directive?
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's comprehensive cybersecurity legislation, replacing the original Network and Information Security Directive of 2016. Adopted on December 14, 2022, NIS2 dramatically expands the scope of organizations that must comply, introduces specific security requirements, and establishes substantial penalties for non-compliance.
NIS2 affects an estimated 160,000 entities across the EU, compared to roughly 10,000 under the original NIS Directive. It covers 18 sectors classified as either "essential" (Annex I) or "important" (Annex II) entities:
- Essential entities (Annex I): Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space
- Important entities (Annex II): Postal and courier services, waste management, chemicals, food, manufacturing, digital providers (online marketplaces, search engines, social networks), research organizations
Key Timeline
- December 14, 2022: NIS2 Directive adopted by the European Parliament and Council
- January 16, 2023: NIS2 entered into force (published in Official Journal)
- October 17, 2024: Deadline for EU member states to transpose into national law
- 2025: Active enforcement begins; supervisory authorities conduct audits
- April 17, 2025: Member states must establish list of essential and important entities
The 10 Article 21 Security Measures
Article 21 of NIS2 mandates that essential and important entities implement "appropriate and proportionate technical, operational and organisational measures" to manage cybersecurity risks. These measures must be based on an all-hazards approach and cover at minimum the following ten areas:
1. Risk Analysis and Information System Security Policies
Requirement: Establish and maintain comprehensive cybersecurity policies covering risk assessment methodologies, asset classification, and acceptable use. Policies must be approved by management and reviewed at least annually.
Implementation steps: Conduct a risk assessment following ISO 27005 or NIST SP 800-30. Document an information security policy aligned with ISO 27001. Classify all information assets by criticality. Define risk acceptance criteria and treatment plans. Assign policy ownership and review schedules.
Evidence needed: Written security policy approved by management, risk assessment report, asset inventory, risk treatment plan, annual review records.
2. Incident Handling
Requirement: Implement procedures for preventing, detecting, analyzing, containing, and responding to cybersecurity incidents. NIS2 introduces specific incident reporting timelines: 24-hour early warning, 72-hour full incident notification, and a one-month final report to the designated CSIRT.
Implementation steps: Develop an incident response plan with defined roles (RACI matrix). Establish a 24/7 incident detection capability or contract a Managed Detection and Response (MDR) service. Define incident classification criteria and escalation procedures. Test the plan through regular tabletop exercises.
Evidence needed: Incident response plan, CSIRT contact information and notification templates, incident log, tabletop exercise reports, post-incident review documentation.
3. Business Continuity and Crisis Management
Requirement: Ensure business continuity through backup management, disaster recovery, and crisis management procedures. This includes maintaining the ability to operate during and recover from cybersecurity incidents.
Implementation steps: Perform a business impact analysis (BIA) to identify critical processes and their maximum tolerable downtime. Implement automated backup systems with tested restoration procedures. Develop a disaster recovery plan with defined RTO (Recovery Time Objective) and RPO (Recovery Point Objective). Establish a crisis communication plan.
Evidence needed: Business impact analysis, backup policy and restoration test logs, disaster recovery plan, crisis management procedures, annual DR test results.
4. Supply Chain Security
Requirement: Address security risks in relationships with direct suppliers and service providers. This includes assessing the overall quality of products and cybersecurity practices of suppliers, and incorporating security requirements into contractual arrangements.
Implementation steps: Create a supplier inventory with criticality classification. Define minimum security requirements for suppliers (contractual clauses). Conduct security assessments of critical suppliers annually. Monitor supplier security posture through questionnaires, audits, or automated tools. Include incident notification requirements in supplier contracts.
Evidence needed: Supplier inventory and risk classification, security clauses in contracts, supplier assessment reports, monitoring procedures, supply chain incident response plan.
5. Security in Network and Information Systems Acquisition, Development, and Maintenance
Requirement: Integrate security into the entire lifecycle of network and information systems, including acquisition, development, and maintenance. This covers vulnerability handling and disclosure.
Implementation steps: Implement a secure software development lifecycle (SSDLC). Conduct security testing (SAST, DAST, SCA) as part of CI/CD pipelines. Establish a vulnerability management program with SLA-based patching timelines. Define a vulnerability disclosure policy. Perform security reviews before deploying new systems.
Evidence needed: SSDLC documentation, security testing reports, vulnerability management policy, patch management records, vulnerability disclosure policy, system acceptance testing records.
6. Policies and Procedures to Assess Cybersecurity Risk Management Effectiveness
Requirement: Establish policies and procedures to evaluate whether the cybersecurity risk management measures implemented are effective. This means regular testing, auditing, and measuring security controls.
Implementation steps: Define security metrics and KPIs (mean time to detect, mean time to respond, patch compliance rate). Schedule regular internal audits and penetration tests. Implement continuous monitoring tools. Conduct management reviews of security performance quarterly. Consider external audits or certifications (ISO 27001, SOC 2).
Evidence needed: Security metrics dashboard, internal audit reports, penetration test reports, management review meeting minutes, continuous monitoring tool outputs, certification records.
7. Basic Cybersecurity Hygiene Practices and Training
Requirement: Implement basic cyber hygiene practices and provide regular cybersecurity awareness training for all employees, including management. Management bodies must receive specific training to enable them to identify risks and assess cybersecurity risk management practices.
Implementation steps: Deploy a cybersecurity awareness training program for all employees (at least annually). Provide specialized training for management on cybersecurity risk governance. Implement phishing simulation campaigns. Enforce basic hygiene: password policies, device encryption, clean desk policy, secure remote working guidelines.
Evidence needed: Training materials and completion records, phishing simulation results, cyber hygiene policy, management training certificates, awareness campaign metrics.
8. Policies and Procedures Regarding Cryptography and Encryption
Requirement: Establish policies on the use of cryptography and, where appropriate, encryption to protect the confidentiality, authenticity, and integrity of data.
Implementation steps: Define a cryptography policy specifying approved algorithms, key lengths, and protocols. Implement TLS 1.2+ for all data in transit. Encrypt sensitive data at rest using AES-256. Establish key management procedures (generation, distribution, storage, rotation, revocation). Document cryptographic inventories across all systems.
Evidence needed: Cryptography policy, TLS configuration records, encryption implementation documentation, key management procedures, cryptographic inventory, certificate management records.
9. Human Resources Security, Access Control, and Asset Management
Requirement: Implement security measures related to human resources (background checks, onboarding/offboarding security), access control policies (least privilege, role-based access), and asset management (inventory, classification, handling).
Implementation steps: Implement role-based access control (RBAC) with least privilege principle. Establish onboarding/offboarding checklists for access provisioning and revocation. Maintain a complete asset inventory including hardware, software, and data assets. Conduct periodic access reviews (quarterly for privileged accounts, annually for standard). Implement multi-factor authentication for all administrative and remote access.
Evidence needed: Access control policy, RBAC matrix, onboarding/offboarding checklists, asset inventory, access review records, MFA implementation documentation, background check policy.
10. Multi-Factor Authentication, Secured Communications, and Emergency Communication Systems
Requirement: Use multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity where appropriate.
Implementation steps: Deploy MFA for all user accounts with access to critical systems. Implement end-to-end encrypted communication channels for sensitive discussions. Establish out-of-band emergency communication procedures (in case primary channels are compromised). Test emergency communication systems regularly.
Evidence needed: MFA deployment records, secure communication platform documentation, emergency communication plan and test results, user enrollment statistics, exception documentation.
Penalties for Non-Compliance
NIS2 introduces a tiered penalty structure that makes cybersecurity a board-level concern:
- Essential entities: EUR 10M or 2% of total annual worldwide turnover, whichever is higher
- Important entities: EUR 7M or 1.4% of total annual worldwide turnover, whichever is higher
Beyond financial penalties, NIS2 introduces personal liability for management. Article 20 states that management bodies of essential and important entities must approve and oversee cybersecurity risk management measures and can be held personally liable for infringements. Supervisory authorities can impose temporary bans on individuals exercising management functions if they fail to comply.
Management Accountability Under NIS2
NIS2 explicitly addresses the "cybersecurity is an IT problem" misconception. Article 20 requires that:
- Management bodies approve cybersecurity risk management measures
- Management bodies oversee the implementation of those measures
- Management members undergo training to acquire sufficient knowledge and skills to identify risks and assess cybersecurity practices
- All employees receive regular training
This means that the CEO, CFO, and board members can be held personally accountable for cybersecurity failures. This is a significant departure from previous EU cybersecurity legislation and mirrors the personal accountability provisions in financial regulation.
Incident Reporting Requirements
NIS2 establishes a structured three-phase incident reporting process for significant incidents:
- Early warning (24 hours): Within 24 hours of becoming aware of a significant incident, the entity must submit an early warning to the competent CSIRT or authority, indicating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
- Incident notification (72 hours): Within 72 hours, a full incident notification must be submitted including an initial assessment of the incident (severity, impact), indicators of compromise where applicable, and the entity's response measures.
- Final report (1 month): Within one month of the incident notification, a final report must be submitted including a detailed description of the incident, root cause analysis, mitigation measures applied, and cross-border impact if applicable.
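As an added example (not part of the original guide), a small Python helper that turns the three-phase timeline above into concrete deadlines for an incident tracker. It assumes the final-report clock starts at the 72-hour notification deadline (the latest permissible submission) and treats "one month" as a calendar month, so a notification due on 31 January yields a final report due on the last day of February.

```python
import calendar
from datetime import datetime, timedelta

def add_one_month(dt):
    """Advance dt by one calendar month, clamping the day to the length of the
    target month (31 Jan -> 28/29 Feb). The directive says 'one month', not 30 days."""
    year = dt.year + dt.month // 12
    month = dt.month % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)

def nis2_deadlines(aware_at):
    """Return the NIS2 reporting deadlines for a significant incident.
    aware_at: timezone-aware datetime when the entity became aware of the incident.
    Assumption: the final report is chained from the 72-hour notification deadline,
    i.e. the latest point at which the notification may have been submitted."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware to avoid DST ambiguity")
    early_warning = aware_at + timedelta(hours=24)
    notification = aware_at + timedelta(hours=72)
    final_report = add_one_month(notification)
    return {
        "early_warning": early_warning,
        "incident_notification": notification,
        "final_report": final_report,
    }

def nis2_deadlines_iso(aware_iso):
    """ISO 8601 timestamp with offset in, ISO timestamps out (handy for ticket fields)."""
    deadlines = nis2_deadlines(datetime.fromisoformat(aware_iso))
    return {phase: due.isoformat() for phase, due in deadlines.items()}

def overdue_phases(aware_iso, now_iso):
    """Phases whose deadline has already passed at now_iso (for a compliance dashboard)."""
    now = datetime.fromisoformat(now_iso)
    deadlines = nis2_deadlines(datetime.fromisoformat(aware_iso))
    return [phase for phase, due in deadlines.items() if now > due]

if __name__ == "__main__":
    # Constructed sample: awareness late in January to exercise the month-end clamp.
    for phase, due in nis2_deadlines_iso("2025-01-28T10:00:00+00:00").items():
        print(f"{phase:22s} {due}")
```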
Getting Started with NIS2 Compliance
The journey to NIS2 compliance begins with understanding your current security posture. A gap analysis against the 10 Article 21 measures reveals where you stand and what needs to be done. For most organizations, the priority areas are:
- Risk assessment and policies (Measure 1): This is the foundation everything else builds on. Without understanding your risks, you cannot allocate resources effectively.
- Incident handling (Measure 2): The 24-hour reporting requirement means you need detection capabilities and response procedures in place before an incident occurs.
- Supply chain security (Measure 4): Often the most time-consuming to implement because it requires engaging with third parties. Start early.
- Technical measures (Measures 5, 8, 10): Automated scanning tools can quickly identify gaps in your technical security posture, covering vulnerability management, encryption, and authentication.
Check Your NIS2 Compliance
WarDek evaluates your website against NIS2 technical requirements including encryption, security headers, vulnerability management, and access controls. Start your compliance journey today.