Continuous vulnerability evidence for NIS2 compliance

NIS2 requires you to continuously manage vulnerabilities, validate security controls, and report significant incidents on narrow timelines.

Whether you’re directly in scope or responding to customer requirements under Article 21(2)(d), compliance depends on evidence. Pentest-Tools.com produces that evidence across the full lifecycle: detection, validation, remediation, and continuous monitoring.

What NIS2 actually requires

  • Exclamation triangle icon

    Article 21(2): risk management measures

    Article 21(2) lists ten cybersecurity risk management measures that essential and important entities must implement.  Pentest-Tools.com focuses on the four with the most direct technical evidence implications: (b), (d), (e), and (f).

  • Exclamation triangle icon

    Article 23: incident reporting timeline

    Article 23 requires significant incident reporting on a three-stage cadence:

    → An early warning within 24 hours of awareness.

    → An incident notification within 72 hours.

    → A final report within one month.

  • Exclamation triangle icon

    One directive, many national laws

    As a directive, NIS2 is written into each member state's national law - Germany's NIS2UmsuCG, France's LPM transposition, the Netherlands' Cyberbeveiligingswet, and others - with its own supervisory regime and deadlines. Those specifics shape how you register and file; the technical evidence you produce stays the same.

  • Exclamation triangle icon

    What non-compliance costs

    The stakes are high. Essential entities face fines up to €10 million or 2% of global annual turnover, whichever is higher, and important entities up to €7 million or 1.4%. Senior management can be held personally accountable. Documented evidence that your controls actually operate is what separates a defensible position from an exposed one.

Where the NIS2 evidence gap lives

GRC tools hold evidence, but don’t generate it

You have control mappings and policy documents in your GRC tool by design. However, these tools only store technical evidence that controls operate if someone puts it there.

It’s not enough to have a vulnerability scanner. You need an evidence chain

Supervisory authorities and auditors want to know that you have validated findings, retested them, remediated them, and documented everything.

Manual, point-in-time pentests don’t meet auditor demands

Article 21(2)(f) requires ongoing effectiveness security assessment. Manual pentests don’t provide that.

Noisy vulnerability scanners create triage work that delays remediation evidence

Cutting false positives burns valuable hours during the 24h early-warning window.

Cloud-only scanners don’t cover NIS2’s scope

Private cloud, internal services, and authenticated portals routinely fall inside the testing perimeter, and cloud-only vulnerability scanners don't reach them. NIS2 estates also include OT and industrial environments - those need a different, safety-first approach.

The ISO 27001 certification alone doesn’t cut it anymore

Vendor risk teams want current vulnerability evidence, not just certifications. While the ISO 27001 certification gives organizations a head start, it is becoming insufficient for closing NIS2-derived procurement reviews.

How Pentest-Tools.com closes the NIS2 compliance loop

Evidence a vulnerability existed

Every scan result includes a multi-dimensional severity rating, a CVE reference, asset context, and a timestamp. Auditors know you ran a scan and recorded the findings. The Article 21(2)(e) vulnerability handling baseline exists, and Article 21(2)(f) effectiveness assessment has something to assess.

NIS2’s broad sector scope also brings non-internet-facing infrastructure into the testing perimeter. The Pentest-Tools.com VPN Agent deploys inside that environment - including via AWS Marketplace - to give the cloud-based scanner a local presence, without requiring an on-premises appliance per client or facility.

Evidence it was validated

Sniper Auto-Exploiter validates findings and backs them up with HTTP request/response, PoC, or payload evidence. National authorities and buyer audit teams can examine the actual evidence, not just a CVSS score with a label.

Meanwhile, the ML Classifier reduces false positives by 50% - meaning security teams can focus on escalation and meeting NIS2 incident reporting requirements, not cutting noise.

When a high-impact CVE is published, Pentest-Tools.com's offensive security research team builds and publishes a dedicated check for it. Whether that CVE also lands in the EU Vulnerability Database (EUVD), the NVD, or a vendor advisory, the detection is what lets you test your own assets for it.

Dedicated checks for actively exploited vulnerabilities - including React2Shell CVE-2025-55182 and SessionReaper CVE-2025-54236 are the operational proof. For Article 23, this is what allows an entity to answer "are we actually exposed?" inside the 24-hour early-warning window.

Evidence it was remediated

Retest workflows run after remediation and generate a before/after comparison. This is what completes the Article 21(2)(e) chain: detected - validated - remediated - retested - closed. If a related Article 23 incident surfaces, the corrective measure record already exists.

CI/CD integration runs security scans on every PR or deployment, so remediation evidence exists at the point the fix was shipped - relevant for digital infrastructure providers and DSPs operating under continuous deployment.

Evidence the fix held

Article 21(2)(f) requires an assessment of effectiveness over time, not an annual snapshot. Scheduled rescans, run at a defined cadence, produce a continuous record and detect regressions in the next scan cycle.

Vulnerability monitoring surfaces new exposures and regression between scheduled scans - including newly disclosed CVEs flagged as actively exploited. That ensures the evidence record has no gaps that a supervisory authority could characterize as a lapse in control operation.

Audit-ready evidence exports produce the complete record - scan history, confirmed findings, retest comparisons, and remediation timestamps - in PDF, DOCX, or JSON formats that can be adapted to vendor risk responses.

Integrations turn Pentest-Tools.com into a NIS2 evidence workflow

Integrations close the loop in the systems your team already uses.

  • Automate Vanta evidence delivery

    Vanta syncs validated vulnerabilities to 32 tests and 2 controls, with scheduled scan PDFs mapping to Compliance/Documents daily at 05:00 UTC.

  • Generate Article 21 evidence natively in Jira

    Jira receives validated findings with severity scores, descriptions, and PoC attachments. Article 21(2)(e) evidence lives in Jira as a natural by-product of the remediation workflow.

  • Centralize multi-client routing in Nucleus

    Nucleus Security routes findings into centralized vulnerability management for MSPs and MSSPs running NIS2 programs across multiple client environments.

  • Capture remediation evidence in CI/CD

    GitHub Actions and CI/CD produce remediation evidence at the point of code change.

  • Sync custom platforms via universal webhooks

    Webhooks route results into any GRC, SIEM, or ticketing systems.

  • Deliver Article 23 critical alerts via chat

    Slack, Teams, and Discord alert on critical detections and actively exploited CVEs as they land, supporting the Article 23 awareness clock without manual dashboard monitoring.

See how Pentest-Tools.com produces the validated vulnerability evidence NIS2 depends on.

Built for the supply chain reality NIS2 creates

Article 21(2)(d) is the most significant expansion from NIS1 to NIS2.

In-scope entities must now manage cybersecurity risk across their direct supplier relationships - and ISO 27001 certification no longer closes a vendor review.

Buyers want current vulnerability handling evidence, which means suppliers are fielding dozens of questionnaires per quarter, none of it billable. Pentest-Tools.com serves both sides of that transaction.

  • Assess and share proof

    In-scope entities can assess their own posture and generate the supply chain evidence they send to vendors.

  • reporting

    Pass reviews faster

    Suppliers produce the vulnerability assessments their buyers ask for - in PDF, DOCX, or JSON formats that drop into vendor risk responses without manual rework.

  • One workflow, both sides

    MSPs and internal security teams get a single source of truth that handles both buyer- and supplier-side engagements without rebuilding anything between clients.

Vulnerability validation built into the scan from the start

Pentest-Tools.com starts the verification work during the scan

As web and network scanning run, findings that can prove to be exploitable get a Confirmed label, backed by request/response data, payload traces, or a proof of concept you can examine. The rest stay unconfirmed, so you always know which is which.

When a finding needs more, validation continues in the same product

Deeper exploitation confirms real impact and also captures the evidence. Assessment and validation under the same roof means that the proof an auditor or a buyer asks for is already attached to the finding.

Find the plan that best suits your compliance needs.

Why Pentest-Tools.com’s European origin matters under NIS2

Pre-solve Article 21 due diligence

Article 21(2)(d) requires in-scope entities to assess where critical service providers process and store data. Pentest-Tools.com is ISO/IEC 27001:2023 certified and processes data in the EU - meaning working with us eliminates one category of the due diligence question before the review starts.

Meet EU supply chain preferences

Moreover, the EU Cybersecurity Strategy and the ICT Supply Chain Security Toolbox both encourage regulated buyers to use EU-resident options where viable. NIS2 is the enforcement layer that turns that policy preference into a procurement criterion.

Accelerate 24-Hour reporting clocks

There’s also an operational dimension. ENISA operates the EUVD, and national CSIRTs receive Article 23 reports. Vulnerability tooling aligned with the same data sources those authorities use has a practical advantage when the question is whether a newly published CVE affects your environment, and the answer is due in 24 hours.

Proof Pentest-Tools.com supports NIS2 compliance

  • Network Vulnerability Scanner icon

    Benchmark-proven accuracy

    Our Network Scanner ranked #1 in a Network Scanners Benchmark for having the highest remote detection accuracy across 128 environments, against Qualys, Nessus, OpenVAS, and others.

  • Less false positives

    The ML Classifier cuts false positives by 50% and identifies web app endpoints with high accuracy to assess with deep scans.

  • Website Vulnerability Scanner icon

    Deep application scanning

    The Website Vulnerability Scanner covers vulnerabilities like XSS, SQL injection, HTTP Prototype Pollution, Directory Traversal, and 75+ more vulnerabilities in running web applications.

  • reporting

    Proven global scale

    In 2025, Pentest-Tools.com ran over 6M scans across 2000+ security teams in 119 countries, and sent tens of thousands of reports and exports to clients, teammates, and stakeholders.

  • assets icon

    Certified security standards

    Pentest-Tools.com is ISO/IEC 27001:2022 certified and processes data in the EU.

What customers are saying

The scans run quickly and the dashboard is easy to use. I like the attack surface feature. Organizing your scans and data is very simple to follow. Being cloud-based, you can get to the tools from anywhere without lugging around a dedicated device. The ability to generate and customize reports is very helpful.

Dr. Patrick Johnson Linkedin profile

Dr. Patrick Johnson

Business Owner at True North Consulting Group

Dr Patrick Johnson photo

See the NIS2 evidence trail in action

Collect audit-ready evidence instantly, or book a demo if you’re navigating a  complex multi-sector estate, multi-jurisdiction operations, or multiple client environments.

NIS2 compliance FAQs

Does running vulnerability scans on Pentest-Tools.com make us NIS2-compliant?

No. Pentest-Tools.com produces the technical evidence layer that Article 21(2)(e) vulnerability handling and Article 21(2)(f) effectiveness assessment depend on. It does not replace governance, risk management, business continuity, training, or incident response programmes, and it does not substitute for engagement with your supervisory authority. NIS2 compliance is a programme-level outcome; this is one technical input to it.

Is a vulnerability assessment the same as a penetration test for NIS2 purposes?

No. A vulnerability assessment scans systems to identify and report known weaknesses without exploiting them. A penetration test involves a human expert attempting to breach defences to prove real-world impact. Both have a place in a NIS2 risk-management programme - automated assessment gives you the continuous, rolling evidence Article 21(2)(f) expects, while periodic manual testing goes deeper on complex logic. Neither one, on its own, makes you compliant.

How does NIS2 differ from DORA, and do I need both?

DORA applies specifically to financial entities and their critical ICT providers, and operates as lex specialis for that sector, meaning financial entities follow DORA rather than NIS2 for ICT risk management. If your organization is a financial entity, see how we help with DORA compliance. If you supply ICT services to financial entities, you may fall under both frameworks depending on your classification.

Can the product scan internal infrastructure and private cloud assets, not just internet-facing systems?

Yes. For internal IN environments connected via VPN The VPN Agent deploys inside non-internet-facing networks without an on-premises appliance per facility, covering internal services, authenticated portals, and private VPCs - the internal IT layer in sectors like energy, healthcare, transport, and manufacturing. It’s also available on AWS Marketplace.

One thing to keep in mind: Pentest-Tools.com does not have dedicated detections for OT, ICS, or SCADA systems, and active scanning can disrupt those environments and fragile legacy devices (for example, older medical or signaling equipment). For anything in that category, assess the environment first and test in an isolated lab rather than production wherever possible.

How does Pentest-Tools.com support Article 23 incident reporting?

Two ways. First when the research team publishes a dedicated check for a high-impact or actively exploited CVE, you answer "are we actually exposed?" from a scan result instead of mapping the CVE to your assets by hand - the slow work that eats the early-warning window. Second, Slack, Teams, and webhook alerts deliver relevant detections to responders the moment they land, not on the next scheduled scan. Pentest-Tools.com does not submit Article 23 reports to national CSIRTs on your behalf - the directive requires you to do that through national channels.

We're a supplier to a NIS2-regulated company, not directly in scope ourselves. How can you help us?

Article 21(2)(d) requires in-scope entities to manage direct supplier cybersecurity risk. Vendor questionnaires now specifically ask for evidence of vulnerability management processes. Pentest-Tools.com lets suppliers produce that evidence continuously, in formats that close procurement reviews without manual rework.

What does a NIS2 evidence package from Pentest-Tools.com actually look like?

Four layers: 

  • Detection (scan with severity, CVE reference, timestamp) 

  • Validation (Confirmed finding with PoC)

  • Remediation (retest with before/after comparison)

  • Ongoing monitoring (scheduled rescans; new CVE alerts)

Penetration test reports can export as read-only PDFs for the executive board or fully editable DOCX reports for internal compliance teams who need to copy-paste findings into their own tools. You can export vulnerability assessment results as CVS, JSON, and XLSX reports for external analysis.