wiredepth


NIS2 (EU Directive 2022/2555) - email + domain controls, mapped to Wiredepth

Framework version: Directive (EU) 2022/2555. In force since 16 January 2023; member states had to transpose it by 17 October 2024, and the national rules apply from 18 October 2024 (several transpositions slipped into 2025).

Who this is for. "Essential" and "important" entities under NIS2: the Annex I sectors (energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space) and the Annex II sectors, which include digital providers such as cloud services, online marketplaces and search engines. Size threshold: entities of medium size or larger in a listed sector are in scope by default (large entities in Annex I sectors are "essential", the rest "important"); smaller entities can be designated by a member state where they are critical. Estimated ~100k organizations across the EU.

Where email + domain controls fit. Article 21(2) lists 10 minimum risk-management measures entities must implement. Several touch the email + domain surface directly: multi-factor authentication (21(2)(j)), supply-chain security (21(2)(d)), vulnerability handling and disclosure (21(2)(e)), and basic cyber-hygiene practices + training (21(2)(g)). Member states' implementing acts vary; we map to the Directive text. Verify against your member state's transposition.

Enforcement bite. NIS2 introduced administrative fines of up to €10M or 2% of total worldwide annual turnover for essential entities, and up to €7M or 1.4% for important entities (whichever is higher, in both cases). That has driven faster vendor + posture-review cycles in 2025-2026.

Clause-by-clause mapping

Each row maps a specific NIS2 requirement to the Wiredepth surface that addresses it. The clause ids are the framework's own naming; verify them against the official text. We use precise language: "addresses" (the tool directly satisfies the control), "supports" (the tool contributes evidence the auditor will need), and "evidence for" (the artifact is part of the attestation package).

Clause | Requirement | Wiredepth response

Art. 21(2)(a) - Authentication
Requirement: Policies on risk analysis and information system security. For email-bearing systems, the policy needs to address sender authentication.
Wiredepth response: Spoofability check + DMARC analyzer give a scoreable posture for the policy text. Scorecard PDF documents the policy decision + current state.

Art. 21(2)(c) - Monitoring
Requirement: Business continuity, such as backup management, disaster recovery and crisis management. For mail delivery, this page reads that as the ability to detect and respond to changes in the security posture of the email-delivery infrastructure.
Wiredepth response: Wiredepth Pro continuous monitoring tracks DMARC / SPF / DKIM / MTA-STS posture and alerts on regressions. Change history covers business-continuity audit needs.

Art. 21(2)(d) - Inventory
Requirement: Supply-chain security. The entity must address security in its relationships with direct suppliers and service providers. Email-sending vendors are part of the chain.
Wiredepth response: Vendor consolidation audit inventories every third party authorized to send mail as your domain. Per-vendor blast-radius rating quantifies supply-chain exposure.

Art. 21(2)(e) - Transport
Requirement: Security in network and information system acquisition, development and maintenance, including vulnerability handling and disclosure. Mail-transport hardening lives here.
Wiredepth response: MTA-STS + TLS-RPT checker + generator address the transport posture. TLS / cert revocation tools cover the broader vulnerability surface for the same domain.

Art. 21(2)(f) - Monitoring
Requirement: Policies and procedures to assess the effectiveness of the cybersecurity risk-management measures. Periodic posture assessment.
Wiredepth response: Scorecard PDF + DMARC report viewer + posture-change history provide the periodic-assessment artifacts. Timestamped, watermarked, attestable.

Art. 21(2)(j) - Authentication
Requirement: Use of multi-factor authentication or continuous-authentication solutions, and secured voice / video / text communications where appropriate. Sender authentication (DMARC alignment) is the email analogue. Caveat: DMARC authenticates the sending domain, not the person at the keyboard. It does not replace MFA on mailbox and mail-admin access, which an assessor will still ask about under this clause.
Wiredepth response: DMARC analyzer scores authentication strictness. DKIM checker confirms cryptographic sender authentication is published + valid.

What auditors actually look at

Member-state competent authorities (CSIRTs and national regulators) and contracted assessors are still working out what a NIS2 evidence package looks like in practice. From early supervisory practice under the 2024-2025 transpositions (Germany, France and the Netherlands are the ones we have seen most), here's what comes up most often:

  • Risk-analysis documentation that names email phishing + spoofing as a specifically-addressed risk. Article 21(2)(a) language. A scorecard PDF makes this concrete.
  • Supplier list with risk-grading. Article 21(2)(d) is the most-tested clause. Entities are expected to know who their email vendors are and have a position on the residual risk.
  • Phish-incident reporting workflow. Article 23 obligates reporting of significant incidents to the CSIRT or competent authority: an early warning within 24 hours of becoming aware, a full incident notification within 72 hours, and a final report within one month. A clickable report-phish workflow in the mailbox demonstrates the awareness loop is closed, which is what the 24-hour clock depends on.
  • Posture monitoring + change-detection. Article 21(2)(f) effectiveness-assessment expectation. Continuous-monitoring alerts on DMARC regression are direct evidence.
  • Cross-border-aware evidence. If you operate in multiple member states, your evidence package may be reviewed by different competent authorities. Standardized, machine-readable artifacts (PDF + JSON exports) travel better than bespoke reports.
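The table above (rows (a), (e), (f) and (j)) and the posture-monitoring bullet both rest on the same mechanism: parse the published DMARC record and MTA-STS policy, score how strict they are, and flag a regression when a later snapshot is weaker. The following is an added example of that logic, not Wiredepth's own analyzer code. The records are constructed, the 0-100 weighting is an assumption chosen for illustration (it is not a standard), and it works offline on policy text rather than doing DNS or HTTPS lookups.

```python
"""Score DMARC + MTA-STS posture from published policy text and flag
regressions between two snapshots.  Added example, not Wiredepth code:
the records are constructed and the scoring weights are an assumption."""

# Assumed weights for a 0-100 posture score (illustrative, not a standard).
DMARC_POLICY_SCORE = {"reject": 60, "quarantine": 40, "none": 10}
MTA_STS_MODE_SCORE = {"enforce": 25, "testing": 10, "none": 0}

# Constructed sample records for a hypothetical example.com
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
GOOD_STS = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.backup.example.com\nmax_age: 604800\n"
WEAK_DMARC = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com"
WEAK_STS = "version: STSv1\nmode: testing\nmx: mail.example.com\nmax_age: 3600\n"


def parse_dmarc(record):
    """Parse a DMARC TXT record (RFC 7489) into a tag dict.
    Tags are name=value pairs separated by ';'; v=DMARC1 must come first
    and p= is mandatory.  Raises ValueError on a malformed record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    first = record.strip().split(";", 1)[0].replace(" ", "")
    if first.lower() != "v=dmarc1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in DMARC_POLICY_SCORE:
        raise ValueError("missing or invalid p= tag")
    return tags


def is_valid_dmarc(record):
    """True if the record parses as DMARC, False otherwise."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def parse_mta_sts(policy_text):
    """Parse an MTA-STS policy file (RFC 8461) into a dict; mx may repeat."""
    out = {"mx": []}
    for line in policy_text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            out["mx"].append(value)
        else:
            out[key] = value
    if out.get("version") != "STSv1" or out.get("mode") not in MTA_STS_MODE_SCORE:
        raise ValueError("invalid MTA-STS policy")
    return out


def score_posture(dmarc_record, mta_sts_policy):
    """Return (score, findings): the score is the number an assessor can put in a
    workpaper, the findings are the things they will ask about."""
    findings = []
    d = parse_dmarc(dmarc_record)
    s = parse_mta_sts(mta_sts_policy)
    score = DMARC_POLICY_SCORE[d["p"]] + MTA_STS_MODE_SCORE[s["mode"]]
    pct = int(d.get("pct", "100"))
    if pct < 100:  # policy only applied to a sample of failing mail
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
        score -= (100 - pct) * DMARC_POLICY_SCORE[d["p"]] // 100
    if d.get("sp", d["p"]) == "none" and d["p"] != "none":
        findings.append("subdomain policy sp=none is weaker than the organisational policy")
    if "rua" in d:  # aggregate reports are the monitoring evidence
        score += 10
    else:
        findings.append("no rua= address: no aggregate reports, no monitoring evidence")
    if d.get("adkim", "r") == "s":  # strict DKIM alignment
        score += 5
    if int(s.get("max_age", "0")) < 86400:
        findings.append("MTA-STS max_age under one day: senders barely cache the policy")
    return score, findings


def detect_regressions(before, after):
    """before/after are (dmarc_record, mta_sts_policy) tuples from two scans.
    Returns regression messages; an empty list means posture held or improved."""
    b_score, _ = score_posture(*before)
    a_score, _ = score_posture(*after)
    b_d, a_d = parse_dmarc(before[0]), parse_dmarc(after[0])
    b_s, a_s = parse_mta_sts(before[1]), parse_mta_sts(after[1])
    msgs = []
    if DMARC_POLICY_SCORE[a_d["p"]] < DMARC_POLICY_SCORE[b_d["p"]]:
        msgs.append(f"DMARC p= weakened: {b_d['p']} -> {a_d['p']}")
    if MTA_STS_MODE_SCORE[a_s["mode"]] < MTA_STS_MODE_SCORE[b_s["mode"]]:
        msgs.append(f"MTA-STS mode weakened: {b_s['mode']} -> {a_s['mode']}")
    if "rua" in b_d and "rua" not in a_d:
        msgs.append("DMARC aggregate reporting (rua=) removed")
    if a_score < b_score:
        msgs.append(f"posture score dropped {b_score} -> {a_score}")
    return msgs


if __name__ == "__main__":
    print("baseline:", score_posture(GOOD_DMARC, GOOD_STS))
    print("later scan:", score_posture(WEAK_DMARC, WEAK_STS))
    for m in detect_regressions((GOOD_DMARC, GOOD_STS), (WEAK_DMARC, WEAK_STS)):
        print("REGRESSION:", m)
```

The regression check compares the parsed fields, not only the total score, so a weakened p= tag is reported even if some other change happens to raise the overall number; that per-field diff, timestamped, is the kind of change history the 21(2)(f) row refers to.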

Generate a NIS2-tagged evidence pack (Wiredepth Prove)

Prove subscribers can generate a ZIP of all five workpapers + a NIS2 README in one click. Single domain, single click, ready to file in your audit binder. See pricing at /pricing#prove ($499/mo standalone, bundled in Enterprise).


Disclaimer. This crosswalk is provided for informational purposes. It is not legal advice, audit guidance, or a substitute for engagement with a qualified assessor (QSA for PCI, accountant or QSA for SOC 2, lawyer for HIPAA / NIS2 / SEC). Framework clause ids and language may have been updated since publication; verify against the official text. Wiredepth does not guarantee compliance based on the use of any tool or page on this site.