Vornin
Start free
NIS2 Directive · EU 2022/2555

Walk into your NIS2 audit with the evidence already built.

Article 21 requires regular, documented vulnerability management, not a scan you run the week before the audit. Vornin maps every finding to the NIS2 measure it touches at scan time, tracks remediation against an SLA, and seals the record in a tamper-evident chain your auditor can verify.

Read-only access · Working scan data deleted after each scan · EU-hosted

The stakes

NIS2 is the lawNIS2 is an EU directive, so your obligation comes from your country's law transposing it, now in force in most EU states with a few still finalising theirs. Customers often ask for proof regardless.. The evidence is on you.

If you're an essential or important entity, or you supply one, the obligations are already live. Here's the exposure.

17 Oct 2024
NIS2 transposition deadline, now passed
€10M or 2%
of global turnover, in fines
Personally liable
company management, not only the business

Not sure if you're in scope, or what non-compliance actually costs? Read the full NIS2 compliance guide →

Control map

Article 21 measures, mapped to what the auditor sees.

Every finding auto-links to the NIS2 measure it touches at the moment it is ingested. This is the cross-walk from the law to the evidence Vornin produces for it.

NIS2 Article 21(2) measure What Vornin runs Evidence it produces
Art. 21(2)(e)Vulnerability handling and disclosure Scanner coverage across web, infrastructure, code, and cloud on a schedule, with deduplication and SLA-tracked remediation. Per-finding auditor pack ZIP carrying the full detect-to-resolved lifecycle.
Art. 21(2)(i)Asset management Continuous attack surface discovery: subdomains, exposed services, certificates, and detected technologies. Asset inventory with status history that never silently drops a tracked host.
Art. 21(2)(d)Supply-chain security Dependency scanning with reachability filtering, plus a CycloneDX software bill of materials. SBOM.cdx.json export and SCA findings mapped to the control.
Art. 21(2)(h)Cryptography and encryption SSL/TLS scanning for weak ciphers, deprecated protocols, expiring certificates, and missing HSTS. Encryption findings with severity and remediation deadlines.
Art. 21(2)(f)Effectiveness of the measures Live per-framework compliance score, a 90-day trend, and a coverage-gap report naming untested controls. Score export plus the gap report, so the number stays honest.
Art. 21(2)(a)Risk analysis Severity, exploit likelihood, and reachability combined into a single prioritised view across every finding. Ranked risk view that shows what to fix first, with the reasoning recorded.

Governance, training, business continuity, and incident-process controls under Article 21 cannot be proven by a scanner. Vornin tracks them through the manual attestation workflow with sign-off history and excludes them from the auto-tested score, so your coverage number reflects what was actually verified. Read the full NIS2 compliance guide →

Tamper-evidence

Evidence your auditor can verify themselves.

"Trust me, it was fixed" does not survive an auditor or a CFO signing off the spend. A spreadsheet of exports fails the same question: were these edited last night? A cryptographic chain answers it, and your auditor can verify the answer themselves.

§ 01Chain

Per-tenant SHA-256 chain.

Every status change, from the UI, the API, or a background job, is hashed into a per-tenant chain. Each entry links to the one before it, so altering any event invalidates every event after it.

§ 02Lock

Serialized, linear writes.

Concurrent writers serialize per tenant, so the chain stays linear even under simultaneous updates. No fork, no race.

§ 03Verify

Walk and verify on demand.

The chain can be re-hashed on demand, returning the first break if one exists. That result ships inside every auditor-pack manifest so your auditor can re-run it.

§ 04Pack

Per-finding ZIP, tenant-wide PDF.

Download a ZIP per finding with manifest, state, events, comments, compliance mappings, and evidence. Business also renders a tenant-wide auditor PDF across every chain.

§ 05Roadmap

External anchor.

Today the chain is self-anchored to Vornin and tamper-evident inside your tenant. On the roadmap: stamping tip-hashes into RFC 3161 timestamp authorities and a public transparency log.

Questions buyers ask

NIS2, answered.

The questions that come up most when an IT manager first reads Article 21.

Does NIS2 apply to my company?

NIS2 covers medium and large organisations across 18 sectors deemed essential or important, including energy, transport, banking, health, digital infrastructure, manufacturing, and public administration. The threshold is roughly 50 employees or €10 million turnover, though member states can designate smaller entities. If you supply a covered entity, its supply-chain security obligations reach you too.

What evidence do NIS2 auditors ask for?

An auditor wants proof that vulnerability management runs as a documented process, not a one-off scan: regular scanning, assigned remediation, SLA tracking, and confirmation that findings were closed. They also want assurance the records were not edited after the fact. Vornin produces this as a per-finding auditor pack with a tamper-evident chain verification result baked in.

What does Article 21 require for vulnerability management?

Article 21(2) lists risk-management measures including vulnerability handling and disclosure (e), asset management (i), supply-chain security (d), and cryptography (h). Vornin runs scanner coverage against each of these and maps every finding to the control it touches at scan time. Read the full NIS2 compliance guide.

Is NIS2 the same as ISO 27001?

No. ISO 27001 is a voluntary certification standard; NIS2 is binding EU law with national enforcement and fines reaching a maximum of at least €10 million or 2% of global turnover for essential entities, and €7 million or 1.4% for important entities. The controls overlap heavily, so an ISO 27001 vulnerability management programme covers most of what Article 21 expects. Vornin maps findings to both frameworks from one source of truth.

Our customers are asking about our NIS2 posture. What do we show them?

NIS2 entities must secure their supply chain under Article 21(2)(d), so they push security questionnaires and proof-of-remediation requests down to suppliers, often before a deal closes. Hand them a per-finding auditor pack: scan, remediation, and confirmed closure, sealed in a tamper-evident chain. EU-hosted answers the data-residency line on the same questionnaire. Answer it instead of stalling the deal.

Tier note: the attestation workflow and evidence vault unlock on Team. The tamper-evidence chain, per-finding auditor ZIP, and tenant-wide auditor PDF are Business and above. Many buyers under NIS2 land on Business for exactly that machinery. Compare tiers →

Scan. Resolve. Prove.

Start your NIS2 evidence trail today.

Run a scan today and the evidence trail starts building itself. No setup fee, no sales call, no consultant.

Read-only access · Working scan data deleted after each scan · EU-hosted