NIS2 Compliance

Meet the NIS2 requirements
for certificate management

NIS2 Article 21 requires technical security measures — including control over TLS certificates and PKI. CertControl gives your organisation the register, monitoring, and reporting that supervisory authorities expect.

14-day free trial  ·  Dedicated instance  ·  EU hosted

NIS2 Article 21 — requirement coverage

Asset inventory: automatically maintained register of all certificates
Risk assessment: TLS risk score and expiry risk per endpoint
Incident response: alerts and audit log for 24h/72h reporting
Supply chain security: monitoring of supplier certificates
Audit documentation: executive reports ready for supervisory authorities
What NIS2 requires

Article 21 and TLS certificates

TLS certificates sit at the centre of three of the ten minimum measures listed in NIS2 Article 21(2), points (a) to (j). Here is what each of the three demands, and where CertControl covers it.

Article 21(2)(a)

Risk analysis and information system security

Organisations must document risks associated with their information systems — including the risk of certificate expiry, weak TLS configuration, and compromised keys. A certificate asset register is the foundation for this analysis.

Article 21(2)(h)

Cryptography and encryption policies

Organisations must have documented policies and procedures for the use of cryptography and, where appropriate, encryption. For TLS this means strong cipher suites, valid certificates, key sizes meeting the policy minimum (for example RSA 2048 or P-256), and SHA-256 or stronger signatures, all verifiable and traceable.

Article 21(2)(d)

Supply chain security

The security of suppliers' and service providers' systems is part of the organisation's overall security posture. Monitoring key supplier TLS certificates provides early warning of third-party risks before they become incidents.

Incident reporting

NIS2 incident reporting: 24 hours. 72 hours. One month.

NIS2 introduces strict deadlines for reporting significant incidents to the national CSIRT or competent authority. A certificate expiry causing service unavailability can qualify as a significant incident, and the clock starts from the moment the organisation becomes aware of it.

24h: Early warning. Notification that a significant incident has occurred, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact.
72h: Incident notification. Update with an initial assessment of the incident's severity and impact, and indicators of compromise where available.
1 month: Final report. Due one month after the incident notification: detailed description of the incident, its severity and impact, the type of threat or root cause, the mitigation measures applied and ongoing, and any cross-border impact.

Without a complete certificate register, it can take hours just to establish whether a certificate expiry is the root cause of an outage — time you do not have under NIS2's reporting requirements. CertControl maintains a continuous audit log of all certificate events, changes, and alerts.

How CertControl covers NIS2

Six features that cover the Article 21 requirements

📋

Complete asset register

Automatically updated register of all certificates across monitored endpoints — internal and external. Expiry dates, ownership, environment, and associated systems documented and searchable.

🔍

TLS risk assessment

Automatic scanning of TLS configuration for weak cipher suites, protocol versions, and certificate issues. Risk score per endpoint with prioritised remediation recommendations.

🔔

Proactive alerting

Configurable alerts up to 90 days before expiry. Email, webhook, and Slack notifications ensure the right people are notified in time — not when the incident has already started.

📊

Audit-ready reporting

Executive and operational reports with certificate status, expiry forecasts, and compliance score — ready to download and present to supervisory authorities and management.

🌐

Supplier monitoring

Monitoring of key supplier TLS certificates extends your security register to the supply chain — without manual processes that cannot scale with the number of suppliers.

🕵️

Discovery of unknown certificates

Certificate Transparency monitoring and external scanning discover certificates issued for your domains that IT has not registered — shadow IT certificates that create compliance gaps.
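The policy checks described under TLS risk assessment and under Article 21(2)(h) (key size, signature hash, validity), and the expiry windows under Proactive alerting, can be made machine-checkable. The following Go program is an added example written for this page, not CertControl's code: it builds two constructed self-signed certificates with Go's standard library, so it runs offline, then evaluates each against a minimal policy: the tightest expiry alert window entered (90, 30 or 7 days), RSA keys below 2048 bits or EC keys below 256 bits, and a signature hash weaker than SHA-256. The function names, thresholds and hostnames are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one policy deviation or expiry risk recorded against a certificate.
type Finding struct {
	Subject string
	Rule    string
	Detail  string
}

// alertThresholds are the expiry alert windows in days, tightest first, so a
// certificate is reported once, under the tightest window it has entered.
var alertThresholds = []int{7, 30, 90}

// weakSignatures lists signature algorithms a SHA-256-or-stronger policy rejects.
var weakSignatures = map[x509.SignatureAlgorithm]bool{
	x509.MD2WithRSA:    true,
	x509.MD5WithRSA:    true,
	x509.SHA1WithRSA:   true,
	x509.DSAWithSHA1:   true,
	x509.ECDSAWithSHA1: true,
}

// CheckCertificate evaluates a parsed certificate against the policy and returns
// every finding. The reference time is an argument so results are deterministic.
func CheckCertificate(cert *x509.Certificate, now time.Time) []Finding {
	var out []Finding
	subj := cert.Subject.CommonName
	add := func(rule, detail string) {
		out = append(out, Finding{Subject: subj, Rule: rule, Detail: detail})
	}

	// Validity window and expiry risk.
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	switch {
	case now.Before(cert.NotBefore):
		add("not-yet-valid", "NotBefore is in the future")
	case now.After(cert.NotAfter):
		add("expired", fmt.Sprintf("expired %d days ago", -days))
	default:
		for _, t := range alertThresholds {
			if days <= t {
				add(fmt.Sprintf("expiry-%dd", t), fmt.Sprintf("%d days remaining", days))
				break
			}
		}
	}

	// Key strength: RSA modulus size or EC curve size.
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < 2048 {
			add("key-size", fmt.Sprintf("RSA %d bits < 2048", pub.N.BitLen()))
		}
	case *ecdsa.PublicKey:
		if pub.Curve.Params().BitSize < 256 {
			add("key-size", fmt.Sprintf("EC %d bits < 256", pub.Curve.Params().BitSize))
		}
	default:
		add("key-type", fmt.Sprintf("unexpected key type %T", pub))
	}

	// Signature hash must be SHA-256 or stronger.
	if weakSignatures[cert.SignatureAlgorithm] {
		add("signature-hash", cert.SignatureAlgorithm.String())
	}
	return out
}

// HasRule reports whether any finding carries the given rule name.
func HasRule(findings []Finding, rule string) bool {
	for _, f := range findings {
		if f.Rule == rule {
			return true
		}
	}
	return false
}

// selfSigned builds a constructed self-signed RSA certificate for the demo
// (SHA-256 signature; a negative validFor yields an already-expired certificate).
func selfSigned(cn string, bits int, validFor time.Duration, now time.Time) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: cn},
		NotBefore:          now.Add(-time.Hour),
		NotAfter:           now.Add(validFor),
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	// Constructed register entries: one compliant, one with a weak key expiring soon.
	register := []struct {
		cn       string
		bits     int
		validFor time.Duration
	}{
		{"api.example.test", 2048, 365 * 24 * time.Hour},
		{"legacy.example.test", 1024, 20 * 24 * time.Hour},
	}
	for _, r := range register {
		cert, err := selfSigned(r.cn, r.bits, r.validFor, now)
		if err != nil {
			panic(err)
		}
		for _, f := range CheckCertificate(cert, now) {
			fmt.Printf("%-22s %-15s %s\n", f.Subject, f.Rule, f.Detail)
		}
	}
}
```

Each finding names the rule it violates, so a register tool can map it back to the policy clause it evidences (expiry windows to alerting, key size and signature hash to the cryptography policy) and write the result to the audit log. The 1024-bit entry yields two findings, expiry-30d and key-size; the compliant entry yields none.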


NIS2 compliance report — certificate status, expiry forecast, and audit documentation in one view.

Questions & answers

NIS2 and certificates — frequently asked questions

Does NIS2 apply to certificates and TLS?

Yes. NIS2 Article 21(2)(h) requires documented policies and procedures for the use of cryptography and, where appropriate, encryption, which directly covers TLS certificates, cipher suite configuration, and key management. Article 21(2)(e) further requires security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure. Expired or misconfigured certificates can constitute a failure under both points. Supervisory authorities can request evidence of certificate management processes during supervision, so the policy, the register, and the log of actions taken against it should be ready to produce.

When does a certificate expiry become a NIS2 incident?

A certificate expiry causing service unavailability, inaccessibility of critical systems, or a data breach can qualify as a significant incident under NIS2. Article 23(3) treats an incident as significant when it has caused, or is capable of causing, severe operational disruption or financial loss for the entity, or when it has affected, or is capable of affecting, other persons by causing considerable material or non-material damage. The assessment therefore depends on the criticality of the system and the scope of impact. The definition is broadly worded, and when in doubt the safer course is to report and to involve the CSIRT or competent authority early.

Which organisations are in scope for NIS2?

NIS2 covers essential and important entities across 18 sectors (11 sectors of high criticality in Annex I and 7 other critical sectors in Annex II), including energy, transport, banking, healthcare, digital infrastructure, and public administration. Generally, organisations of at least medium size, meaning 50 or more employees or an annual turnover or balance sheet exceeding €10 million, operating in a covered sector are in scope. Certain entities are in scope regardless of size, and member states may apply the directive more broadly to certain categories.

What are the penalties for NIS2 non-compliance?

Important entities can be fined up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher. Essential entities can be fined up to €10 million or 2% of total worldwide annual turnover, whichever is higher. In addition, management bodies can be held liable for failures to approve and oversee the implementation of the required security measures.

Can CertControl generate documentation for NIS2 supervisory inspections?

Yes. CertControl generates executive and operational reports with complete certificate status, expiry forecasts, compliance scores, and historical incident records. The reports are designed to be presented directly to supervisory authorities or management — downloadable in one click without manual assembly.

Get started

Ready to document NIS2 compliance?

Book a walkthrough with our team — we'll show you exactly which NIS2 requirements CertControl covers and what else you need to have in place.

14-day free trial  ·  EU hosted  ·  GDPR aligned

Related resources

Guides and checklists for NIS2 compliance

Guide

NIS2 and Certificate Management: What Security Teams Need to Know

A complete walkthrough of NIS2 requirements for TLS and PKI — from asset inventory to incident reporting.

Read the guide →
Guide

Supplier Certificate Risk: The Supply Chain Blind Spot

How third-party certificate failures cascade into your own NIS2 obligations — and how to get visibility before incidents occur.

Read the guide →
Guide

NIS2 Audit Inspections: Documentation Your CISO Must Have Ready

What supervisory authorities specifically ask for during NIS2 inspections — and how to prepare your technical documentation.

Read the guide →
Financial sector

DORA and NIS2 Certificate Requirements in Financial Services

Banks and insurers must comply with both DORA and NIS2. Here is what each regulation requires — and where they overlap.

Read the guide →
Checklist

NIS2 Checklist: 20 Requirements Under Article 21

Go through the requirements point by point — which ones does CertControl cover automatically, and which require manual action?

See the checklist →
Scope guide

Is Your Organisation Subject to NIS2?

Sector overview and a two-question test: find out whether your organisation qualifies as an essential or important entity under NIS2.

Check your scope →