Free NIS2 quickscan for your domain
Map your DNS and email-layer evidence onto the ten NIS2 Article 21.2 measures. Score in seconds, no signup required.
Cached for 5 minutes per domain. No data is stored beyond the scan summary.
How the quickscan maps onto NIS2 Article 21.2
Each measure is weighted. Evidence comes from DNS lookups and HTTPS probes — no agents, no credentials, no impact on your servers.
Risk analysis & information security policies
Documented risk analysis and ISMS policies. Quickscan checks public-facing indicators only.
security_txt_existshas_caaIncident handling
Process for incident detection, reporting and response. Indicator: published contact channel.
security_txt_existssecurity_txt_validBusiness continuity & crisis management
Redundancy and signed DNS for service continuity.
multiple_nshas_ns_recordhas_mx_recorddnssec_signed+2 moreSupply chain security
Third-party senders, certificate authority controls and provider configuration.
spf_stricthas_caacaa_strictverification_records_reviewSecure development & maintenance
TLS configuration, secure transport and modern web protocols.
https_availablehttps_redirecthsts_enabledhsts_long_max_age+1 moreEffectiveness of cyber-risk management
Externally observable signals that policies are enforced.
security_txt_validhas_caano_critical_blacklistCyber hygiene & email security
SPF, DKIM, DMARC enforcement, MTA-STS and BIMI.
spf_existsspf_validspf_strictdkim_found+7 moreCryptography & encryption
DNSSEC, DANE, modern algorithms and HSTS.
dnssec_signeddnssec_validdnssec_modern_algorithmdnskey_algo_secure+4 moreAsset & access management
Configuration hygiene of public DNS surface. Full asset inventory is out of quickscan scope.
no_lame_nssoa_formatsoa_timersno_txt_leakageMFA & secure communications
Enforced transport security for mail and web.
mta_sts_enforcedtlsa_validhsts_long_max_agehttps_dns_recordUse it however you want
Web
Run the scan on this page and review the NIS2 tab.
Scan another domainJSON API
Pull the scorecard into your pipeline:
curl https://intodns.ai/api/scan/nis2\
?domain=example.comMCP tool
Ask Claude, Cursor or Windsurf to run the scan via the IntoDNS MCP server.
View MCP toolsWhat this scan does not cover
This quickscan evaluates the DNS and email layer of NIS2 Article 21.2. A full NIS2 readiness assessment requires audit of web applications, supply chain, organisational processes and training. Score is a readiness indicator, not a compliance certificate.
FAQ
What is the NIS2 Quickscan?
A free readiness indicator that maps observable DNS and email-layer evidence (DNSSEC, SPF, DKIM, DMARC, MTA-STS, CAA, TLS, BIMI and more) onto the ten NIS2 Article 21.2 measures. You get a weighted score from 0 to 100, per-measure detail, and concrete fix suggestions.
Does a high score mean my organisation is NIS2 compliant?
No. The quickscan only measures externally observable DNS and email-layer signals. A full NIS2 readiness assessment also requires audit of web applications, supply chain, organisational processes and training. The score is an indicator, not a compliance certificate.
Which NIS2 measures does the quickscan check?
All ten measures from Article 21.2 (a–j). Heaviest weights sit on (g) cyber hygiene & email, (c) business continuity, and (h) cryptography because those map most directly onto DNS-layer evidence.
Is there an API?
Yes. GET /api/scan/nis2?domain=example.com&lang=en returns the full NIS2 scorecard as JSON, including per-measure evidence, fix suggestions and critical gaps. The same data is exposed through the IntoDNS MCP server for AI agents.
How often is the scan refreshed?
Results are cached for five minutes and shared across requests, so re-scanning a domain is effectively free for clients while preventing upstream abuse.