NIS2 Analyzer

Training obligation

Do the management bodies This overarching term refers to the various organizational governance entities, including holding companies or executive departments. According to Article 32, §6, member states need to ensure that the natural persons responsible for or acting as a legal representative of an essential entity have the power to ensure its compliance with the NIS2 Directive. Member States shall ensure that it is possible to hold such natural persons liable for breach of their duties to ensure compliance with this Directive. Additionally according to Article 20, §2, the members of the management bodies of essential and important entities must follow training to identify risks and assess cybersecurity risk-management practices. It is encouraged for essential and important entities to offer similar training to their employees on a regular basis. receive training that enables them to acquire sufficient knowledge and skills to recognize cybersecurity risks and assess their impact on the services provided by the organization?

Duty of care

Do you periodically By "periodic" it is meant: at least once a year and when a cybersecurity incident has occurred, changes have taken place in the business environment, or changes have been made to the IT infrastructure. conduct a risk analysis regarding cybersecurity and subsequently take/adapt measures based on the results to improve security?

Duty of care

Does your organization have a procedure in place to appropriately By "appropriate," it is meant that the response to an incident should be in line with the severity and nature of that incident. follow up on cybersecurity incidents?

Duty of care

Does your organization have policies, procedures, and measures in place to ensure the continuity of your organization in the event of unforeseen circumstances or disasters?
This includes: backup management, emergency provisions, business continuity plans, and incident response plans.

Duty of care

Do you have visibility into the state and level of cybersecurity of your suppliers and service providers and actively By "actively" it is meant that you evaluate and keep track of the state of your suppliers and service providers, for example through periodic audits or assessments, requesting reports on cybersecurity and incidents, and monitoring security measures and performance. keep track of this?

Duty of care

Is cybersecurity structurally By "structurally" it is meant that cybersecurity is not just a one-time action, but is part of the standard way of working and embedded in all processes related to the acquisition, development, and maintenance of network and information systems. For example, are security risks already taken into account during the design, construction, and/or acquisition of systems? embedded in the acquisition, development, and maintenance of network and information systems?

Attack surface

Based on the domain name you provided, we have found the subdomains listed in the table below. Are you aware of all these domain names?

Found domains
You have not (yet) entered a domain name

Duty of care

Does your organization have procedures for identifying and addressing vulnerabilities A "vulnerability" is a weakness in an asset (such as a computer, network, or other system) or security measure that can be exploited by one or more threats (such as a hacker).?

Duty of care

Does your organization regularly By "regularly" it is meant, for example, annually, quarterly or monthly, and after a cybersecurity incident has occurred, changes have taken place in the business environment, or changes have been made to the IT infrastructure. It is important to adjust the frequency of evaluation to the risks your organization faces and the speed at which threats are developing. evaluate whether the cybersecurity measures taken are effective By "effective" it is meant that the cybersecurity measures are not only designed and implemented (design and existence), but that they also actually provide the intended protection (operation). The control measures taken must be accurate in their detection and prevention methods (accuracy), as well as cover all relevant risks and vulnerabilities (completeness). ?

Duty of care

Does your organization have an appropriate By "appropriate" it is meant that the policy is up-to-date, regularly evaluated, and proportionate to the risks your organization faces. For example, if your organization works with sensitive information, the policy regarding cryptography and encryption must also comply with the standards for protecting the information processed within the organization. policy regarding cryptography "Cryptography" is the science of encrypting data and communication to secure them against unauthorized access or misuse. and encryption "Encryption" is a technique within cryptography in which readable data is converted into an unreadable form (a code) to ensure confidentiality. ?

Duty of care

Does your organization have procedures for managing user access and resources?
This includes: physical & logical access policy, asset overview, onboarding, movement, and offboarding procedures.

Duty of care

Is multifactor authentication Multifactor authentication (MFA) is a security method used to verify that a user is who they claim to be. Instead of using only a username and password, MFA requires at least two different forms of authentication. For example, in addition to a password, a card must be used or a confirmation code sent to the mobile phone must be entered. applied where possible?

Reporting obligation

Does the organization have an appropriate By "appropriate" it is meant that the procedure is up-to-date and regularly evaluated to ensure that it is still effective in reporting cyber incidents to regulators within the prescribed timeframes. Additionally, the procedure must be clear and understandable to all employees responsible for reporting cyber incidents. Are you aware of who the regulator is? procedure to report cyber incidents to regulators within prescribed timeframes The following timeframes are set for reporting cyber incidents to the supervisory authority:

Within 24 hours: An early warning & initial suspicions regarding the type of incident;
Within 72 hours: A complete notification report with the assessment of the incident, its severity and impact, and danger indicators;

Upon request: An interim report;

Within 1 month: A final report.

Additionally, you must also notify your customers of incidents that are likely to have a negative impact on the services provided. ?

What is the domain name of your organization?

Training obligation

Duty of care

Duty of care

Duty of care

Duty of care

Duty of care

Attack surface

Duty of care

Duty of care

Duty of care

Duty of care

Duty of care

Reporting obligation

One moment please while we process your answers

Your organization appears to be working in compliance with NIS2 guidelines!

Why is NIS2 compliance important?

What's next?

Stay in touch

Cybersecure and prepared for NIS2.

Key points to consider:

Why is NIS2 compliance important?

What's next?