NIS2 TLS Audits
Article 21 Evidence for In-Scope Entities
NIS2 Article 21 requires “state of the art” cybersecurity measures for essential and important entities, and enforcement penalties run up to €10 million or 2% of global turnover. The directive doesn’t publish a cipher list, but national competent authorities use current NIST and ENISA standards as the reference. SSLBoard maps your TLS surface to those expectations before your supervisory authority does.
One scan covers the requirements that matter
Enter a domain and SSLBoard discovers every hostname and TLS endpoint across your infrastructure using Certificate Transparency logs and active server probing. Each finding maps to Art. 21:
- Article 21, state-of-the-art cryptography: Full TLS version and cipher suite analysis across every endpoint. TLS 1.0, TLS 1.1, SSL, and deprecated cipher suites fail the “state of the art” standard explicitly cited in Art. 21, each one a potential enforcement finding carrying penalties up to €10M or 2% of global turnover.
- Article 21(2)(e), application hardening: Security headers, including CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and secure cookie attributes, are part of the hardening measures NIS2 requires of in-scope entities. Missing or misconfigured headers are a regulatory finding against Art. 21(2)(e).
- Article 21, network integrity and DNSSEC: Unsigned DNS zones and DNSSEC validation failures are an Art. 21 network integrity finding. NIS2 supervisory authorities treat DNS security as part of the baseline for essential and important entities.
Scope is broader than most entities expect
NIS2’s scope catches subsidiaries, acquired domains, and subdomains running old infrastructure that many entities don’t initially account for. CT logs surface all of them. If a certificate was ever issued for a hostname in your domain, it appears in the report, whether or not it’s in your asset register.
Competent authority assessments use the same external view. There’s no installed agent and nothing changes on your servers.
The report shows what’s currently deployed. If a fix was rolled out last quarter but a forgotten endpoint was left out of it, the scan finds that endpoint.
From scan to evidence
- Enter the apex domain. SSLBoard finds every hostname and probes every TLS endpoint.
- The summary report shows your TLS score and a ranked list of every issue found. It’s free.
- Unlock the full report for host-level detail. Download CSV data or share a link with your CISO or compliance team.
The full report covers certificate chains, issuer distribution, protocol versions, cipher suites, key strength, HSTS status, OCSP revocation, security headers, DNSSEC status, and adjacent-domain discovery, all mapped to specific hostnames and IP:port combinations.
Fits the compliance workflow
Share a link with your CISO, legal team, or the external consultant handling your NIS2 gap analysis. The report is the same view for everyone.
Groups with multiple operating entities can scan each apex domain separately. Results are ready in seconds regardless of how many scans you run.
One email confirmation unlocks the full report. Distribute the link to whoever needs to review it across your organization.
Need to see what the report looks like for your domain? Run a free scan — the summary report is instant, and the full report unlocks after email confirmation.