Synced 16 Jun 2026 15:24 UTC
NIS2 Directive · EU 2022/2555 · essential & important entities

Evidence the supply-chain & vulnerability measures NIS2 expects

NIS2 requires essential and important entities to manage cyber risk — including supply-chain security and vulnerability handling (Article 21). IsItPatched gives you the inputs for those measures: which components have known and actively-exploited vulnerabilities, the minimum safe version, end-of-life risk, and exportable evidence.

1046 actively-exploited CVEs across 613 tracked products right now

Built for entities in scope — and their suppliers

Essential entities

Large operators in critical sectors (energy, transport, health, water, digital infrastructure…). Run a defensible, risk-based vulnerability-handling process and keep the evidence.

Important entities

Medium-sized operators in the wider in-scope sectors. Get the same supply-chain visibility without standing up new tooling.

Their suppliers

NIS2 pushes security down the supply chain. Show customers a clean component inventory, vulnerability status and remediation plan.

NIS2 Article 21 measures → what IsItPatched gives you

Supply-chain security (Art. 21(2)(d))

Know your third-party & open-source components. Drop in a CycloneDX or SPDX SBOM for a per-component verdict, and export a CycloneDX VEX to share up and down the chain.

Scan an SBOM →

Vulnerability handling (Art. 21(2)(e))

A continuous, risk-based process: IsItPatched flags CVEs that are actively exploited (listed in CISA KEV) or carry a high EPSS score, and shows the minimum safe version for each affected component, giving you a defensible "fix these first" queue.

See actively-exploited CVEs →

Maintenance & end-of-life

NIS2 expects systems to be kept secure over their lifecycle. End-of-life tracking flags components that can no longer be patched and need a migration plan.

End-of-life calendar →

Evidence for auditors

Export a software risk register (CSV / PDF) and a VEX document — a record of the supply-chain and vulnerability-handling measures, citing the versions you run.

Open your dashboard →

Export your evidence — today, free

  • Per-component vulnerability scan of your CycloneDX / SPDX SBOM (matched against OSV)
  • CycloneDX VEX document (exploitability + remediation per component)
  • Software risk register (CSV / print-to-PDF) citing the exact versions you run
  • A prioritised, known-exploited-first patch queue — evidence of risk-based vulnerability handling

Sign in (free, no password) to sync your component stack and generate these from your dashboard.
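The three artefacts listed above (per-component verdict, known-exploited-first queue, CycloneDX VEX) are the output of one small pipeline: match SBOM components against advisory ranges, sort by KEV membership and then EPSS, and serialise the result. The block below is an added example of that pipeline written for this page; it is not IsItPatched's code. The SBOM is a constructed CycloneDX excerpt, the advisory feed is a constructed OSV-style excerpt (the CVE ids, fixed versions and KEV membership for these three packages are the real ones, simplified to a single version range each; the EPSS scores are illustrative snapshot values, since EPSS changes daily), the version comparison only understands numeric dotted prefixes, and the `cisa:kev` / `first:epss` property names are assumptions, not a CycloneDX-defined taxonomy.

```python
"""Added example (not IsItPatched's code): SBOM -> findings -> KEV-first
queue -> CycloneDX VEX. All inputs below are constructed excerpts."""
import json
import re
from dataclasses import dataclass

# Constructed CycloneDX 1.5 SBOM excerpt (components only, Maven purls).
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"bom-ref": "pkg:maven/org.springframework/spring-beans@5.3.17",
         "name": "spring-beans", "version": "5.3.17",
         "purl": "pkg:maven/org.springframework/spring-beans@5.3.17"},
        {"bom-ref": "pkg:maven/com.google.guava/guava@31.1-jre",
         "name": "guava", "version": "31.1-jre",
         "purl": "pkg:maven/com.google.guava/guava@31.1-jre"},
        {"bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2",
         "name": "jackson-databind", "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    ],
}

# Constructed OSV-style feed excerpt: [introduced, fixed) per versionless purl.
# Ids, fixed versions and KEV membership are real for these packages (one
# range each is a simplification); EPSS values are illustrative snapshots.
VULNS = [
    {"id": "CVE-2021-44228", "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0", "kev": True, "epss": 0.97},
    {"id": "CVE-2022-22965", "package": "pkg:maven/org.springframework/spring-beans",
     "introduced": "5.3.0", "fixed": "5.3.18", "kev": True, "epss": 0.95},
    {"id": "CVE-2023-2976", "package": "pkg:maven/com.google.guava/guava",
     "introduced": "1.0", "fixed": "32.0.0", "kev": False, "epss": 0.002},
]


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    bom_ref: str
    component: str
    version: str
    fixed: str      # minimum safe version
    kev: bool       # listed in CISA Known Exploited Vulnerabilities
    epss: float     # probability of exploitation in the next 30 days


def version_key(version: str) -> tuple:
    """Numeric dotted prefix only ("31.1-jre" -> (31, 1)). Assumption: adequate
    for these coordinates; real tooling applies per-ecosystem version rules."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def match(sbom: dict, vulns: list) -> list:
    """Per-component verdict: affected if the version lies in [introduced, fixed)
    of an advisory whose package equals the component's versionless purl."""
    findings = []
    for comp in sbom["components"]:
        base = comp["purl"].split("@")[0]
        ver = version_key(comp["version"])
        for v in vulns:
            if v["package"] != base:
                continue
            if version_key(v["introduced"]) <= ver < version_key(v["fixed"]):
                findings.append(Finding(v["id"], comp["bom-ref"], comp["name"],
                                        comp["version"], v["fixed"], v["kev"], v["epss"]))
    return findings


def prioritise(findings: list) -> list:
    """Known-exploited first, then EPSS descending: the 'fix these first' queue."""
    return sorted(findings, key=lambda f: (not f.kev, -f.epss))


def build_vex(findings: list) -> dict:
    """CycloneDX 1.5 VEX: one vulnerability entry per finding, carrying the
    analysis state/response, the affected bom-ref and the upgrade target."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "vulnerabilities": [
            {
                "id": f.vuln_id,
                "source": {"name": "NVD", "url": f"https://nvd.nist.gov/vuln/detail/{f.vuln_id}"},
                "affects": [{"ref": f.bom_ref}],
                "analysis": {
                    "state": "in_triage",          # a scanner match is not yet a confirmed verdict
                    "response": ["update"],
                    "detail": ("Listed in CISA KEV: actively exploited, treat as urgent."
                               if f.kev else "Not in CISA KEV; rank by EPSS."),
                },
                "recommendation": f"Upgrade {f.component} to {f.fixed}",
                "properties": [                    # assumed names, not a CycloneDX taxonomy
                    {"name": "cisa:kev", "value": str(f.kev).lower()},
                    {"name": "first:epss", "value": f"{f.epss:.3f}"},
                ],
            }
            for f in findings
        ],
    }


if __name__ == "__main__":
    queue = prioritise(match(SBOM, VULNS))
    for f in queue:
        print(f"{'KEV ' if f.kev else '    '}{f.vuln_id:<16} {f.component}@{f.version} -> {f.fixed}")
    print(json.dumps(build_vex(queue), indent=2))
```

The VEX entries are left in `in_triage` rather than `exploitable` on purpose: a range match tells you the vulnerable code is present, not that it is reachable in your deployment, and an auditor will expect the state to be upgraded only after someone has made that call. jackson-databind produces no entry because nothing in the constructed feed matches it, which is the "clean component" case a customer wants to see in the inventory.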

Straight with you: NIS2 is a broad organisational cybersecurity regime — it also covers governance, incident reporting (24h/72h), business continuity, cryptography, access control and staff training, which a vulnerability tool does not address. IsItPatched is an informational tool (NVD · CISA KEV · OSV · endoflife.date) that helps you evidence two specific Article 21 measures — supply-chain security and vulnerability handling & disclosure. It is not legal advice and not a NIS2 certification or audit. Confirm your full obligations with a qualified advisor. Disclaimer.

NIS2 — frequently asked

What is the NIS2 Directive?

NIS2 (Directive (EU) 2022/2555) is the EU's baseline cybersecurity law for "essential" and "important" entities across critical sectors: energy, transport, banking, health, drinking and waste water, digital infrastructure, public administration, manufacturing, food, postal services, chemicals and more. It requires management accountability (Article 20), risk-management measures (Article 21) and incident reporting within 24h/72h (Article 23), and is transposed into each member state's national law. It is far broader than product-maker rules such as the CRA: it governs how whole organisations manage cyber risk.

How does IsItPatched help with NIS2?

It directly supports two of the Article 21(2) measures: supply-chain security (d) and vulnerability handling and disclosure (e). Drop in a CycloneDX/SPDX SBOM or monitor your stack to know which third-party and open-source components carry known vulnerabilities, which are actively exploited (CISA KEV) so you can prioritise on risk, the minimum safe version, end-of-life components, and export a risk register / VEX as evidence of the process. That is the software-component slice of NIS2 — the part SBOMs and vulnerability tooling are built for.

Does IsItPatched make us NIS2-compliant?

No. NIS2 is a broad organisational regime — it also covers governance, incident reporting, business continuity, cryptography, access control, staff training and more, none of which a vulnerability tool addresses. IsItPatched helps evidence the supply-chain-security and vulnerability-handling measures specifically. It is informational, built on public data — not legal advice, and not a certification or audit.

Also a maker of products with digital elements? The EU CRA edition → dovetails — set up for one and you're ahead on the other. See all compliance editions →