NIS2 (Directive EU 2022/2555) entered into force in January 2023 and required member state transposition by October 2024. It significantly expands the scope of its predecessor — moving from a narrow set of operators of essential services to a broader framework covering essential and important entities across 18 sectors, with stricter security requirements and meaningful enforcement mechanisms including personal liability for senior management.

Unlike compliance frameworks that operate at high abstraction — "implement appropriate technical measures" — NIS2 Article 21 enumerates specific security measures that covered entities must implement. Several of these map directly to certificate and PKI management.

The NIS2 requirements most relevant to certificates

Article 21(2)(a) — Policies on risk analysis and information system security. NIS2 requires documented risk analysis covering information systems. TLS certificates are critical infrastructure components — expired or compromised certificates represent concrete, quantifiable operational and security risk. A risk analysis that does not account for certificate lifecycle is incomplete under this requirement.

Article 21(2)(b) — Incident handling. NIS2 requires defined incident handling procedures. Certificate expiry that causes service outages is an incident. A compromised private key that enables traffic interception is a security incident with potential data breach implications. Without a certificate inventory, responding to a certificate-related incident requires first figuring out what certificates exist and where they are used — adding significant time to incident response when time matters most.

Article 21(2)(e) — Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure. This includes the use of encryption and PKI. The requirement to maintain appropriate encryption practices necessarily includes maintaining valid, properly configured TLS certificates — expired certificates represent a direct failure to maintain encryption in transit.

Article 21(2)(h) — Human resources security, access control policies and asset management. Asset management under NIS2 covers information assets broadly. Certificates are information assets with defined lifecycles, clear owners, and expiry dates — exactly the kind of asset that structured asset management processes should cover.

Supply chain provisions (Article 21(2)(d) and Article 22). NIS2 places significant emphasis on supply chain security. Organisations must address security in their supplier and service provider relationships. Supplier TLS certificates — the certificates used by third parties providing services to your organisation — are part of the supply chain security picture. A supplier whose TLS certificate expires unexpectedly causes service disruptions that affect your organisation and potentially your obligations under NIS2. See also: supplier certificate compliance and how monitoring third-party endpoints gives you visibility before incidents occur.

The reporting dimension

NIS2 introduces mandatory incident reporting with short timelines: early warning within 24 hours, incident notification within 72 hours, and a final report within one month for significant incidents. A certificate expiry causing service unavailability or a compromised certificate enabling a breach can both qualify as significant incidents requiring notification to national authorities.

The 24-hour early warning requirement is particularly demanding. It assumes that when an incident occurs, the organisation has the information needed to report quickly — including understanding which systems are affected and what the impact scope is. Without a certificate inventory, establishing that a certificate expiry is the root cause and understanding what systems it affects can itself take hours.

What NIS2-ready certificate management looks like

For organisations working through NIS2 implementation, the certificate management capabilities that most directly address the directive's requirements are:

A complete, current asset inventory. Every certificate in use across the organisation's information systems should be in a managed inventory with expiry dates, owners, environments, and associated systems documented. This is the foundation for risk analysis, incident response, and demonstrating compliance to supervisory authorities.

Documented risk assessment for certificate lifecycle. The risk analysis required by Article 21(2)(a) should explicitly address certificate expiry risk, certificate compromise risk, and the organisation's controls and residual risk. This needs to be a living document, not a one-time exercise.

Defined incident response procedures for certificate events. What happens when a certificate expires unexpectedly? What happens if a private key compromise is suspected? Who is notified? Who makes the decision to revoke? What is the escalation path? These procedures should be documented and tested.

Supplier certificate monitoring. If your suppliers provide services over TLS, their certificate health is part of your supply chain security posture. Monitoring key supplier certificates for expiry and configuration issues provides early warning of third-party disruptions.

Audit-ready reporting. Supervisory authorities under NIS2 have significant powers to request information and conduct inspections. Certificate inventory reports, expiry forecasts, and historical incident records should be readily producible — not assembled from scratch in response to a regulatory request. See how CertControl supports audit-ready certificate management.

How CertControl addresses NIS2 requirements

CertControl provides the certificate inventory, monitoring, and reporting capabilities that NIS2-covered organisations need. The platform maintains a continuous, automatically updated inventory of all certificates across monitored endpoints — internal and external — with expiry tracking, TLS configuration assessment, and clear ownership assignment.

Executive and operational reports are built into the platform, covering certificate status, expiry forecasts, compliance scores, and drift detection — providing the audit-ready documentation that NIS2 supervisory oversight may require. Configurable alerts with long lead times ensure that certificate expiry approaching critical thresholds reaches the right people with enough time to act within any change management constraints.
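An added illustration, not CertControl code and not from the original page, of the inventory-plus-lead-time alerting described above: each inventory record carries owner, environment, expiry and an optional supplier, the alert threshold is that environment's change-management window plus renewal work, and expired entries are surfaced as incident candidates so responders see system and owner without a scramble. Field names, thresholds and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class CertRecord:
    """One inventory entry; fields mirror what the text says an inventory should hold."""
    subject: str
    owner: str
    environment: str
    not_after: date
    supplier: Optional[str] = None   # set when the endpoint belongs to a third party

# Constructed lead times (days): an alert must fire before the change-management
# window for the environment plus the time renewal work realistically takes.
CHANGE_WINDOW_DAYS = {"production": 14, "staging": 3}
RENEWAL_WORK_DAYS = 7

def lead_time_days(rec: CertRecord) -> int:
    return CHANGE_WINDOW_DAYS.get(rec.environment, 0) + RENEWAL_WORK_DAYS

def classify(rec: CertRecord, today: date):
    """Return (status, days_left): expired, renew-now (inside lead time) or ok."""
    days_left = (rec.not_after - today).days
    if days_left < 0:
        return "expired", days_left
    if days_left < lead_time_days(rec):
        return "renew-now", days_left
    return "ok", days_left

def expiry_report(inventory, today: date):
    """Audit-style expiry forecast: soonest expiry first, with the owner to notify."""
    rows = []
    for rec in inventory:
        status, days_left = classify(rec, today)
        rows.append({"subject": rec.subject, "owner": rec.owner,
                     "environment": rec.environment, "supplier": rec.supplier,
                     "expires_in_days": days_left, "status": status})
    return sorted(rows, key=lambda r: r["expires_in_days"])

def incident_candidates(report):
    """Expired certificates: each is a potential reportable incident under the
    24-hour early-warning clock, already tied to a system and an owner."""
    return [r for r in report if r["status"] == "expired"]

# Constructed sample inventory and reference date
SAMPLE_TODAY = date(2025, 3, 1)
SAMPLE_INVENTORY = [
    CertRecord("api.example.internal", "platform-team", "production", date(2025, 3, 15)),
    CertRecord("portal.example.test", "web-team", "staging", date(2025, 2, 27)),
    CertRecord("sso.supplier-a.example", "vendor-mgmt", "production",
               date(2025, 6, 30), supplier="Supplier A"),
]
```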

Supplier certificate monitoring extends the same inventory and alerting to third-party services — covering the supply chain dimension of NIS2 without requiring manual tracking processes that cannot scale.