NIS2 · Article 21

NIS2 Checklist 2026: 20 requirements you must document

NIS2 Article 21 requires all essential and important entities to implement concrete technical and organisational security measures. This checklist makes those requirements actionable — with a direct focus on certificates, TLS, and PKI — and shows exactly which 13 items CertControl covers automatically, and which 7 require your organisation to take a position.

Applies from: October 2024 (EU member state transposition)  ·  Supervisory authority: your national NIS2 authority  ·  Last updated: May 2026

ARTICLE 21(2)(a)

Risk analysis and information system security

Complete asset register of certificates
All TLS certificates recorded with expiry date, issuer, system owner, and associated endpoints. The register is updated continuously on every scan — not only ahead of a scheduled audit.
CertControl ✓
Documented risk assessment for certificate lifecycle
The risk assessment explicitly addresses certificate expiry, weak TLS configuration, and compromised keys. It is a living document updated when the infrastructure changes — not a one-time exercise.
CertControl ✓
Systems classified by criticality
Systems within NIS2 scope are identified and classified as critical, important, or other. Certificates on critical systems are flagged and monitored with tighter thresholds.
Manual
ARTICLE 21(2)(b)

Incident management

Defined procedures for certificate incidents
Who is contacted when a certificate expires unexpectedly? Who has the authority to decide on revocation? The escalation path is written down, tested, and accessible to all relevant parties.
Manual
Continuous audit log of certificate events
All certificate changes, alerts, renewals, and configuration changes are logged with a timestamp and user. The audit log is the prerequisite for meeting NIS2 Article 23's 24-hour reporting deadline.
CertControl ✓
Clear threshold for when a certificate expiry constitutes a NIS2 incident
An internal decision procedure that defines when downtime caused by a certificate expiry qualifies as a significant incident under Article 23 and triggers a mandatory reporting obligation.
Manual
ARTICLE 21(2)(h)

Security in acquisition and maintenance of systems (TLS/PKI)

No expired certificates on production systems
CertControl scans continuously and detects expired or soon-to-expire certificates before they cause outages. Alerts are sent at a minimum of 30 days before expiry — and with ACME integration the renewal request is handled automatically.
CertControl ✓
TLS configuration scanned — no weak protocols
CertControl detects TLS 1.0 and 1.1, weak cipher suites such as RC4 and 3DES, and assigns each endpoint a grade. The documentation is audit-ready without any manual effort.
CertControl ✓
Certificate chains validated and complete
CertControl validates that all certificate installations include the correct intermediate certificates. Incomplete chains cause errors in older clients and are a documented security weakness under NIS2.
CertControl ✓
OCSP revocation status monitored
CertControl checks OCSP status continuously and detects revoked certificates before browsers and API clients start rejecting them. Revocation checking is active across all endpoints.
CertControl ✓
Secure key management documented
Private keys are encrypted at rest (AES-256 minimum). Access is restricted, logged, and auditable. Key rotation procedures are written down and available to relevant personnel.
CertControl ✓
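The checks in this section, written out as an added example that is not CertControl's code: a small evaluator run over constructed scan records, where the `cert` field mimics the `notAfter` string returned by Python's `ssl.getpeercert()`, and the alert thresholds, hostnames and letter grades are assumptions chosen for illustration.

```python
import ssl
from datetime import datetime, timezone

WEAK_PROTOCOLS = {"TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3")  # RC4 and 3DES as OpenSSL cipher-name fragments
ALERT_DAYS = {"critical": 60, "important": 30, "other": 30}  # assumed: 30-day minimum, tighter for critical
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)  # fixed clock so the results are reproducible

SAMPLE_RECORDS = [  # constructed scan output; hostnames are placeholders, not real endpoints
    {"endpoint": "api.example.test:443", "criticality": "critical", "chain_complete": True,
     "cert": {"notAfter": "Jun 15 12:00:00 2026 GMT"}, "ocsp_status": "good",
     "protocols": ["TLSv1.2", "TLSv1.3"], "ciphers": ["TLS_AES_256_GCM_SHA384"]},
    {"endpoint": "legacy.example.test:443", "criticality": "other", "chain_complete": False,
     "cert": {"notAfter": "Sep 30 00:00:00 2026 GMT"}, "ocsp_status": "good",
     "protocols": ["TLSv1", "TLSv1.2"], "ciphers": ["RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]},
    {"endpoint": "supplier.example.test:443", "criticality": "important", "chain_complete": True,
     "cert": {"notAfter": "Apr 20 00:00:00 2026 GMT"}, "ocsp_status": "good",
     "protocols": ["TLSv1.2"], "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256"]},
]

def days_to_expiry(not_after: str, now: datetime = NOW) -> int:
    """Whole days until notAfter (format as returned by ssl.getpeercert()); negative once expired."""
    return int((ssl.cert_time_to_seconds(not_after) - now.timestamp()) // 86400)

def grade_for(findings) -> str:
    """Assumed grading: F when clients will reject the endpoint, C for weaknesses, B when expiring soon."""
    kinds = {kind for kind, _ in findings}
    if kinds & {"EXPIRED", "REVOKED", "WEAK_PROTOCOL"}:
        return "F"
    if kinds & {"WEAK_CIPHER", "INCOMPLETE_CHAIN"}:
        return "C"
    return "B" if "EXPIRING" in kinds else "A"

def evaluate(record: dict, now: datetime = NOW) -> dict:
    """Apply the Article 21(2)(h) checks to one scanned endpoint and return its findings and grade."""
    days = days_to_expiry(record["cert"]["notAfter"], now)
    threshold = ALERT_DAYS[record.get("criticality", "other")]
    findings = []
    if days < 0:
        findings.append(("EXPIRED", f"expired {-days} days ago"))
    elif days <= threshold:  # alert early enough for renewal (or an ACME request) before an outage
        findings.append(("EXPIRING", f"{days} days left, alert threshold {threshold}"))
    findings += [("WEAK_PROTOCOL", p) for p in record["protocols"] if p in WEAK_PROTOCOLS]
    findings += [("WEAK_CIPHER", c) for c in record["ciphers"] if any(m in c for m in WEAK_CIPHER_MARKERS)]
    if not record["chain_complete"]:  # missing intermediate: clients that do not fetch it will fail
        findings.append(("INCOMPLETE_CHAIN", "intermediate certificate not served"))
    if record.get("ocsp_status") == "revoked":
        findings.append(("REVOKED", "OCSP responder reports the certificate revoked"))
    return {"endpoint": record["endpoint"], "days": days, "findings": findings, "grade": grade_for(findings)}
```

Run `[evaluate(r) for r in SAMPLE_RECORDS]` to see the three outcomes: expiring inside the critical-system threshold, a legacy endpoint failing on protocol, cipher and chain, and an already-expired supplier certificate.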
ARTICLE 21(2)(d) + 22

Supply chain security

Monitoring of key suppliers' TLS certificates
Critical suppliers' endpoints are added directly in CertControl. You detect a certificate problem at the supplier before it causes operational disruption in your own organisation.
CertControl ✓
Supplier register with security assessment
Critical suppliers are identified and risk-assessed. Contractual security requirements — including certificate management — are in place and documented for new supplier relationships.
Manual
ARTICLE 23

Incident reporting to supervisory authority

Root cause can be identified within 24 hours
In the event of an outage: CertControl's audit log and certificate register tell you immediately whether an expired certificate caused the incident — before your 24-hour reporting deadline to the national supervisory authority.
CertControl ✓
Reporting flow to supervisory authority is defined
Who in the organisation is responsible for notifying your national NIS2 supervisory authority? Contact details are current, and templates for the early warning and incident notification are prepared.
Manual
AUDIT DOCUMENTATION

Documentation for supervisory authorities and leadership

Executive report with compliance score
CertControl generates a report with an overall TLS compliance score, number of active issues, expiry forecasts, and historical trends. Ready to download and present to the board or supervisory authority.
CertControl ✓
Operational Risk Report
Detailed report of active findings, risk score per endpoint, and prioritised action items. Documents that your organisation is actively addressing known risks — not merely recording them.
CertControl ✓
Expiry Forecast — next 90 days
CertControl shows all certificates expiring within 30, 60, and 90 days with system owner and expected renewal date. Used for planning and demonstrating to auditors that your processes are proactive.
CertControl ✓
Certificate management policy approved by leadership
A written policy describing processes, responsibilities, and minimum requirements for certificate handling. Dated and signed by management. Reviewed at least once a year and after significant infrastructure changes.
Manual
Checklist status: 13 covered by CertControl  ·  7 require manual action  ·  20 total items

CertControl covers 13 of 20 items automatically — asset register, TLS scanning, OCSP monitoring, audit log, and reporting. The remaining 7 require organisational decisions: classification, procedures, and policy documents. CertControl provides the data — your organisation makes the call.

Questions & answers

Frequently asked questions about the NIS2 checklist

Is there an official NIS2 checklist from the authorities?

No, there is no single official checklist. NIS2 Article 21 sets out eight security categories that all essential and important entities must implement. Your national NIS2 supervisory authority has published guidance, but it remains high-level. This checklist operationalises the requirements with a direct focus on TLS certificates, PKI, and the documentation that supervisory authorities expect to see.

When must my organisation be NIS2-compliant?

NIS2 was transposed into national law across EU member states by October 2024 (Denmark's Cybersecurity Act came into force in November 2024). Requirements apply from the date of entry into force — not from a future audit date. Your national supervisory authority can request documentation now. Asset registers and audit logs take time to establish — start immediately.

What happens if we fail to meet the NIS2 requirements?

Important entities can be fined up to €7 million or 1.4% of global turnover. Essential entities can be fined up to €10 million or 2% of global turnover. In addition, senior management can be held personally liable for failure to implement the requirements. Supervisory authorities can demand documentation at any time — not only in connection with an actual incident.

Get started

Ready to cover 13 requirements automatically?

Start your free trial and see in 5 minutes which certificates are in order — and which ones need action today.

14-day free trial  ·  EU Hosted  ·  NIS2 Article 21 ready