NIS2 · Article 21

NIS2 Checklist 2026: 20 requirements you must document

NIS2 Article 21 requires all essential and important entities to implement concrete technical and organisational security measures. This checklist makes those requirements actionable — with a direct focus on certificates, TLS, and PKI — and shows exactly which 13 items CertControl covers automatically, and which 7 require your organisation to take a position.

EU transposition deadline: 17 October 2024 (national laws vary; Denmark's NIS 2 Act in force since 1 July 2025)  ·  Supervisory authority: your national NIS2 authority  ·  Last updated: June 2026

ARTICLE 21(2)(a)

Risk analysis and information system security

CertControl ✓
Complete asset register of certificates
All TLS certificates recorded with expiry date, issuer, system owner, and associated endpoints. The register is updated continuously on every scan — not only ahead of a scheduled audit.
CertControl ✓
Documented risk assessment for certificate lifecycle
The risk assessment explicitly addresses certificate expiry, weak TLS configuration, and compromised keys. It is a living document updated when the infrastructure changes — not a one-time exercise.
Manual
Systems classified by criticality
Systems within NIS2 scope are identified and classified as critical, important, or other. Certificates on critical systems are flagged and monitored with tighter thresholds.
ARTICLE 21(2)(b)

Incident management

Manual
Defined procedures for certificate incidents
Who is contacted when a certificate expires unexpectedly? Who has the authority to decide on revocation? The escalation path is written down, tested, and accessible to all relevant parties.
CertControl ✓
Continuous audit log of certificate events
All certificate changes, alerts, renewals, and configuration changes are logged with a timestamp and user. The audit log is what lets you reconstruct the timeline of a certificate incident for the Article 23 notifications: the early warning within 24 hours of becoming aware, the incident notification within 72 hours, and the final report within one month.
Manual
Clear threshold for when a certificate expiry constitutes a NIS2 incident
An internal decision procedure that defines when downtime caused by a certificate expiry qualifies as a significant incident under Article 23 and triggers a mandatory reporting obligation.
ARTICLE 21(2)(h)

Policies on cryptography and encryption (TLS/PKI)

CertControl ✓
No expired certificates on production systems
CertControl scans continuously and detects expired or soon-to-expire certificates before they cause outages. Alerts are sent at a minimum of 30 days before expiry — and with ACME integration the renewal request is handled automatically.
CertControl ✓
TLS configuration scanned — no weak protocols
CertControl detects TLS 1.0 and 1.1, weak cipher suites such as RC4 and 3DES, and assigns each endpoint a grade. The documentation is audit-ready without any manual effort.
CertControl ✓
Certificate chains validated and complete
CertControl validates that every certificate installation serves the correct intermediate certificates. An incomplete chain fails validation in clients that do not fetch missing intermediates themselves (many API clients, older browsers, and most embedded TLS stacks), and it is a finding an auditor will expect you to have documented and remediated.
CertControl ✓
OCSP revocation status monitored
CertControl checks OCSP status continuously and detects revoked certificates before browsers and API clients start rejecting them. Revocation checking is active across all endpoints. Note that a certificate whose issuer publishes no OCSP responder URL can only be checked against the issuer's CRL, so confirm for each CA in your register which revocation mechanism it actually provides.
CertControl ✓
Secure key management documented
Private keys are encrypted at rest (AES-256 minimum). Access is restricted, logged, and auditable. Key rotation procedures are written down and available to relevant personnel.
ARTICLE 21(2)(d) + 22

Supply chain security

CertControl ✓
Monitoring of key suppliers' TLS certificates
Critical suppliers' endpoints are added directly in CertControl. You detect a certificate problem at the supplier before it causes operational disruption in your own organisation.
Manual
Supplier register with security assessment
Critical suppliers are identified and risk-assessed. Contractual security requirements — including certificate management — are in place and documented for new supplier relationships.
ARTICLE 23

Incident reporting to supervisory authority

CertControl ✓
Root cause can be identified within 24 hours
In the event of an outage: CertControl's audit log and certificate register tell you immediately whether an expired certificate caused the incident. That gives you the facts for the Article 23 early warning (within 24 hours of becoming aware of a significant incident) and the incident notification (within 72 hours), and the documented root cause that the final report, due within one month, must contain.
Manual
Reporting flow to supervisory authority is defined
Who in the organisation is responsible for notifying your national NIS2 supervisory authority? Contact details are current, and templates for the early warning and incident notification are prepared.
AUDIT DOCUMENTATION

Documentation for supervisory authorities and leadership

CertControl ✓
Executive report with compliance score
CertControl generates a report with an overall TLS compliance score, number of active issues, expiry forecasts, and historical trends. Ready to download and present to the board or supervisory authority.
CertControl ✓
Operational Risk Report
Detailed report of active findings, risk score per endpoint, and prioritised action items. Documents that your organisation is actively addressing known risks — not merely recording them.
CertControl ✓
Expiry Forecast — next 90 days
CertControl shows all certificates expiring within 30, 60, and 90 days with system owner and expected renewal date. Used for planning and demonstrating to auditors that your processes are proactive.
Manual
Certificate management policy approved by leadership
A written policy describing processes, responsibilities, and minimum requirements for certificate handling. Dated and signed by management. Reviewed at least once a year and after significant infrastructure changes.
Checklist status
13
Covered by CertControl
7
Require manual action
20
Total items

CertControl covers 13 of 20 items automatically — asset register, TLS scanning, OCSP monitoring, audit log, and reporting. The remaining 7 require organisational decisions: classification, procedures, and policy documents. CertControl provides the data — your organisation makes the call.

Questions & answers

Frequently asked questions about the NIS2 checklist

Is there an official NIS2 checklist from the authorities?

No, there is no single official checklist. NIS2 Article 21 sets out ten security categories that all essential and important entities must implement. Your national NIS2 supervisory authority has published guidance, but it remains high-level. This checklist operationalises the requirements with a direct focus on TLS certificates, PKI, and the documentation that supervisory authorities expect to see.

When must my organisation be NIS2-compliant?

The EU deadline for transposing NIS2 into national law was 17 October 2024, though several member states finalised their laws later — Denmark's NIS 2 Act, for example, entered into force on 1 July 2025. Requirements apply from the date of entry into force — not from a future audit date. Your national supervisory authority can request documentation now. Asset registers and audit logs take time to establish — start immediately.

What happens if we fail to meet the NIS2 requirements?

Important entities can be fined up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher. Essential entities can be fined up to €10 million or 2% of total worldwide annual turnover, whichever is higher. In addition, management bodies can be held liable for failing to implement and oversee the requirements. Supervisory authorities can demand documentation at any time, not only in connection with an actual incident.

How many of the NIS2 checklist items does CertControl cover automatically?

CertControl covers 13 of the 20 checklist items automatically — including the certificate asset register, TLS scanning, OCSP monitoring, the audit log, and audit-ready reporting. The remaining 7 require organisational decisions, such as system classification, incident procedures, and policy documents. CertControl provides the underlying data, and your organisation makes the call on those items.

How does CertControl help meet the NIS2 Article 23 24-hour reporting deadline?

In the event of an outage, CertControl's continuous audit log and certificate register tell you immediately whether an expired certificate caused the incident, so the facts are in hand for the Article 23 early warning, due within 24 hours of becoming aware of a significant incident, and for the incident notification due within 72 hours. The audit log records every certificate change, alert, and renewal with a timestamp and user, giving you the documented root cause that essential and important entities must include in the final report due within one month.

Get started

Ready to cover 13 requirements automatically?

Start your free trial and see in 5 minutes which certificates are in order — and which ones need action today.

14-day free trial  ·  EU Hosted  ·  NIS2 Article 21 ready

Sources

Primary sources

The regulatory facts on this page are drawn from the primary legislation and the responsible Danish authority. Confirm the current wording directly at the sources below.