
NIS2 Vulnerability Management: What European SMBs Need to Know in 2026

NIS2 requires vulnerability handling for essential and important entities across the EU. Learn what Article 21 demands, how to demonstrate compliance, and practical tools for SMBs.

Denis Sota · 5 min read

The NIS2 Directive became law across EU member states in October 2024, significantly expanding the scope of organizations required to implement cybersecurity measures. If your organization operates in the EU and falls under the “essential” or “important” entity categories, you are legally required to implement vulnerability handling procedures.

Yet as of early 2026, many small and mid-sized businesses remain uncertain about what NIS2 actually requires when it comes to vulnerability management. This article breaks it down practically.

What NIS2 Article 21 requires

Article 21 of the NIS2 Directive mandates that essential and important entities implement “appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems.” Specifically, Article 21(2)(e) requires:

“Vulnerability handling and disclosure”

This is deliberately broad. NIS2 does not prescribe specific tools or scanning frequencies. Instead, it requires that you can demonstrate a structured, repeatable process for identifying, assessing, and remediating vulnerabilities in your IT environment.

Who is affected?

NIS2 dramatically expanded the scope compared to the original NIS Directive. It now covers sectors including energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal and courier services, waste management, manufacture of critical products, food production, and digital providers.

The key thresholds: organizations with more than 50 employees or more than €10 million in annual turnover in these sectors are likely in scope. Some entities are included regardless of size (DNS providers, TLD registries, qualified trust service providers).

What auditors will look for

During a NIS2 audit, an assessor will typically want to see evidence of:

  1. Inventory: You know what software runs in your environment
  2. Identification: You have a process to identify relevant vulnerabilities (not all 250,000 CVEs — but the ones that affect your specific software)
  3. Prioritization: You can explain why you remediate certain vulnerabilities before others
  4. Remediation tracking: You have timestamps showing when a vulnerability was identified, acknowledged, and resolved
  5. Reporting: You can produce documentation showing your vulnerability handling over time

This is not about running a perfect security operation. It’s about demonstrating a systematic, documented approach.

A practical implementation for SMBs

Large enterprises have dedicated security operations centers and €50,000+ budgets for vulnerability management. SMBs need a more practical approach. Here’s a framework that satisfies NIS2 requirements without breaking the bank:

Step 1: Build your software inventory

Know what you have. This means cataloging the software installed across your endpoints — operating systems, business applications, security tools. Push agents or integrations with existing IT management tools (like Lansweeper, PDQ Deploy, or Microsoft Intune) can automate this.

Step 2: Focus on actively exploited vulnerabilities

You don’t need to track all 250,000+ CVEs. The CISA Known Exploited Vulnerabilities (KEV) catalog provides a curated, authoritative list of vulnerabilities confirmed to be exploited in the wild (1,484 entries at the time of writing). Tracking KEV gives you the highest signal-to-noise ratio available.

Step 3: Automate the matching

Cross-referencing your inventory against the KEV catalog manually is error-prone and time-consuming. Automated matching using CPE identifiers and vendor/product combinations eliminates human error and ensures daily coverage.

Step 4: Prioritize with context

Use severity scores (CVSS), exploitation probability (EPSS), and the KEV ransomware flag to prioritize. A vulnerability flagged for ransomware use should jump to the top of your queue regardless of its CVSS score.

Step 5: Document everything

Every vulnerability identified, every remediation action taken, every decision made. This audit trail is what NIS2 auditors need to see. Automated reporting that produces PDF summaries with timestamps and risk scores is ideal.
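As an added example (not SentriKat's code and not part of the original article), here is how steps 3 to 5 can be wired together in Python: a constructed software inventory is joined to a constructed catalogue that uses the field names of the CISA KEV JSON feed, the hits are ordered with the ransomware flag ahead of EPSS and CVSS, and each state change is written to a timestamped audit log. Hosts, CVE ids, dates and scores are placeholders; note that KEV carries no affected-version ranges, so every match is a candidate to confirm against the vendor advisory before it is closed.

```python
from datetime import datetime, timezone

# Constructed inventory (placeholder hosts), as a Step 1 agent might report it.
INVENTORY = [
    {"host": "ws-01", "vendor": "Microsoft", "product": "Windows", "version": "10.0.19045"},
    {"host": "srv-02", "vendor": "apache", "product": "log4j", "version": "2.14.1"},
    {"host": "srv-03", "vendor": "Debian", "product": "openssh", "version": "9.2"},
]

# Constructed catalogue records using the field names of the CISA KEV JSON feed.
# CVE ids, vendor/product pairs and dates are placeholders, not real KEV entries.
KEV = [
    {"cveID": "CVE-0000-0001", "vendorProject": "Apache", "product": "Log4j",
     "knownRansomwareCampaignUse": "Known", "dueDate": "2026-01-31"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Microsoft", "product": "Windows",
     "knownRansomwareCampaignUse": "Unknown", "dueDate": "2026-02-15"},
]

# Constructed enrichment: CVE id -> (CVSS base score, EPSS probability).
SCORES = {"CVE-0000-0001": (6.5, 0.12), "CVE-0000-0002": (9.8, 0.02)}

def key_of(vendor, product):
    """Normalise vendor/product so casing differences between sources do not hide a match."""
    return (vendor.strip().lower(), product.strip().lower())

def match(inventory, kev):
    """Step 3: join inventory to KEV on vendor/product. KEV carries no affected-version
    ranges, so each hit is a candidate to confirm against the vendor advisory."""
    index = {}
    for rec in kev:
        index.setdefault(key_of(rec["vendorProject"], rec["product"]), []).append(rec)
    findings = []
    for item in inventory:
        for rec in index.get(key_of(item["vendor"], item["product"]), []):
            findings.append({"host": item["host"], "cve": rec["cveID"], "due": rec["dueDate"],
                             "ransomware": rec["knownRansomwareCampaignUse"] == "Known"})
    return findings

def prioritise(findings, scores):
    """Step 4: ransomware-flagged first, then EPSS, then CVSS, so a 6.5 with known
    ransomware use outranks a 9.8 without it."""
    def rank(f):
        cvss, epss = scores.get(f["cve"], (0.0, 0.0))
        return (f["ransomware"], epss, cvss)
    return sorted(findings, key=rank, reverse=True)

def record(finding, status, log):
    """Step 5: append an audit-trail entry with a UTC timestamp for each state change."""
    log.append({**finding, "status": status, "timestamp": datetime.now(timezone.utc).isoformat()})
    return log[-1]
```

Calling `record` again with "acknowledged" and "resolved" as the ticket moves gives the identified/acknowledged/resolved timestamps an assessor asks for.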

How SentriKat addresses NIS2 compliance

SentriKat was designed with NIS2 Article 21 compliance as a core requirement. It provides:

  • Automated software inventory via push agents for Windows, Linux, and macOS
  • Daily KEV catalog sync with vendor advisory integration (OSV.dev, Red Hat, Microsoft MSRC, Debian)
  • NIS2 Article 21 compliance reports generated automatically as PDF with risk scores and KPIs
  • Audit trail with full timestamps for every vulnerability identification, acknowledgment, and resolution
  • On-premises deployment ensuring your inventory data never leaves your infrastructure — critical for organizations subject to GDPR and Swiss data protection laws

Penalties for non-compliance

NIS2 enforcement includes significant penalties: up to €10 million or 2% of total worldwide annual turnover for essential entities, and up to €7 million or 1.4% of turnover for important entities. Management bodies can also be held personally liable.

Getting started

If your organization falls under NIS2 scope, the time to implement vulnerability handling is now — not when the auditor arrives. Start with the basics: inventory your software, begin tracking KEV vulnerabilities, and document your process.

Request a demo of SentriKat to see how automated KEV tracking and NIS2 reporting works in practice. Deployment takes less than 10 minutes with Docker.

SentriKat is a Swiss on-premises vulnerability management platform. It generates NIS2 Article 21 compliance reports automatically and deploys in minutes with Docker.
