Free NIS2 Readiness Checker
Check a domain's NIS2 Article 21.2 readiness at the DNS and email layer. Get an overall status and a per-measure (a-j) pass, warning, or fail breakdown derived from a live scan.
Run the check
Enter a domain to check it live against the IntoDNS.ai engine. No signup, no rate-limited trial.
What this NIS2 checker verifies
This tool maps a live DNS and email security scan of a domain onto the ten cybersecurity risk-management measures listed in Article 21.2 of the NIS2 Directive, labelled a through j. It runs the same quick scan that powers the IntoDNS.ai homepage, then translates each finding — DNSSEC signing, SPF/DKIM/DMARC posture, TLS and transport security, and related signals — into evidence for the measures those signals speak to. The output is an overall readiness status and a per-measure breakdown where each of a-j is scored and marked pass, warning, fail, or not-applicable, with concrete fixes for the gaps. It is a fast, evidence-based way to see where a domain stands on the technical, externally observable slice of NIS2.
What NIS2 and Article 21.2 are
NIS2 (Directive (EU) 2022/2555) is the EU's expanded cybersecurity law, broadening the earlier NIS directive to far more sectors and entities and raising the bar on security obligations, incident reporting, and management accountability. Article 21 requires essential and important entities to take appropriate technical, operational, and organisational measures to manage cyber risk, and Article 21.2 enumerates the baseline set of those measures: (a) risk analysis and information system security policies, (b) incident handling, (c) business continuity and crisis management, (d) supply chain security, (e) security in acquisition, development and maintenance, (f) policies to assess the effectiveness of measures, (g) basic cyber hygiene and training, (h) cryptography and encryption, (i) human resources, access control and asset management, and (j) multi-factor authentication and secure communications. This checker addresses the parts of that list that are visible in DNS and email.
What this can and cannot tell you
Be clear about scope. A domain scan sees DNS and email configuration — it can provide strong evidence for the measures that have a technical, externally observable footprint, most directly cryptography and encryption (h) and cyber hygiene around email (g), and partial signals for others. It cannot assess your internal risk-analysis process, your incident-handling runbooks, your business-continuity plans, your supply-chain governance, your HR and access-control policies, or whether MFA is enforced on your internal systems. Those are organisational and process matters that require a full audit. So a strong score here is a genuine, defensible win on the technical baseline, but it is one input to NIS2 readiness, not a certificate of compliance. The tool states this caveat explicitly alongside the result.
How to read the result
The overall status summarises the weighted score: compliant, partial, or non-compliant on the scannable measures (or unscannable when the domain yields too little to assess). The per-measure table is where the value is: each of a-j shows its score and a pass, warning, fail, or not-applicable status. Pass means the technical evidence for that measure is in good shape; warning means it is partially in place; fail means a real gap the scan can see; not-applicable means the measure has no DNS/email footprint to evaluate and is excluded from scoring rather than counted against you. The critical-gaps list highlights the heavily weighted measures that are failing — fix those first. Every failing measure comes with specific remediation steps drawn from the underlying checks.
Using this alongside a full NIS2 programme
The right way to use this checker is as the fast technical front end of a broader NIS2 effort. Start here to get the externally visible DNS and email posture into good shape, because those gaps are concrete, quick to fix, and visible to anyone — including auditors and attackers — who looks at your domain: enabling DNSSEC, getting SPF, DKIM, and DMARC to enforcement, and securing mail transport directly improve measures g and h and remove easy findings. Then take the per-measure output into your organisational assessment, where the process-heavy measures (a, b, c, d, e, f, i, j) are evaluated through documentation, interviews, and internal controls rather than a scan. Cross-reference the dedicated NIS2 overview for the legal and organisational context, and re-run this checker after each round of DNS and email fixes to confirm the technical measures are moving toward pass.
What This Checks
- Live quick scan mapped onto Article 21.2 measures a through j
- Overall NIS2 readiness status (compliant, partial, or non-compliant)
- Per-measure score with pass, warning, fail, or not-applicable
- Cryptography (h) and cyber-hygiene (g) evidence from DNSSEC and email auth
- Critical-gap highlighting for heavily weighted failing measures
Common Fix Path
- Enable DNSSEC and complete the chain of trust to strengthen cryptography (h)
- Move SPF, DKIM, and DMARC to enforcement to improve cyber hygiene (g)
- Secure mail transport with STARTTLS, MTA-STS, and DANE where possible
- Take the per-measure output into a full organisational NIS2 assessment
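An added example, not IntoDNS.ai's code or scoring: one way to test whether SPF and DMARC have actually reached enforcement, working from the TXT record strings already fetched for a domain. The pass/warning/fail thresholds and the function names are assumptions made for illustration, and the sample records are constructed.

```python
# Added illustration; thresholds below are assumptions, not the tool's scoring.
RANK = {"pass": 0, "warning": 1, "fail": 2}

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a lowercase dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def dmarc_status(txt_records):
    """Classify the TXT records published at _dmarc.<domain>."""
    found = [parse_tags(r) for r in txt_records]
    found = [t for t in found if t.get("v") == "dmarc1"]
    if len(found) != 1:            # none, or several (receivers then apply none)
        return "fail"
    tags = found[0]
    if tags.get("p") not in ("quarantine", "reject"):
        return "fail"              # p=none or invalid: monitoring only
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "warning"           # policy applied to only part of the mail
    if tags.get("sp") == "none":
        return "warning"           # subdomains left unenforced
    return "pass"

def spf_status(txt_records):
    """Classify the TXT records published at the domain apex."""
    found = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:            # none, or several (permerror per RFC 7208)
        return "fail"
    terms = found[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        # redirect= defers to another record, which is not followed offline
        return "warning" if any(t.startswith("redirect=") for t in terms) else "fail"
    first = all_terms[0]
    qualifier = first[0] if first[0] in "+-~?" else "+"
    return {"-": "pass", "~": "warning"}.get(qualifier, "fail")

def email_auth_status(apex_txt, dmarc_txt):
    """Worst of the two results, so one weak record cannot hide behind the other."""
    return max(spf_status(apex_txt), dmarc_status(dmarc_txt), key=RANK.get)

# Constructed sample records for a hypothetical domain.
SAMPLE_APEX = ["v=spf1 include:_spf.example.net ~all", "site-verification=abc123"]
SAMPLE_DMARC = ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"]
```

DKIM is left out because its records sit under selector names that cannot be derived from the domain alone.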
Frequently Asked Questions
What does the NIS2 checker actually measure?
Is a good score here the same as NIS2 compliance?
What are the Article 21.2 measures a through j?
Why are some measures marked not-applicable?
Which NIS2 gaps should I fix first?
Does NIS2 apply to my organisation?
Machine-Readable Evidence
AI assistants and automation can cite the stable explanation page, then fetch the live check result for a specific domain.
GET https://intodns.ai/api/scan/nis2?domain=example.com&lang=en