CertMate CertMate /

NIS2 TLS Readiness Check

An interactive checklist that maps your TLS / cert posture to NIS2 Art. 21(2)(h) and Italian D.Lgs. 138/2024.

1 — Answer

Yes / No / N/A on every item. Answers stay local (localStorage).

2 — Evidence

Open “how to verify” on each item — links to internal and external tools.

3 — Export

Download a Markdown or JSON evidence pack to attach to your audit file.

Notice: this checklist reflects a technical reading of the cited regulations (NIS2, Italian D.Lgs. 138/2024, DORA) and is a working aid. It does not replace formal legal assessment or audit.

Score
0%
Audit metadata (optional, included in export)

NIS2 Art. 21(2)(h) — Cryptography

  • 1.1

    All public-facing services accept TLS 1.2+ only, with TLS 1.3 enabled and preferred.

    p0
    How to verify

    Scan every public endpoint with SSL Labs or internet.nl: the 'Protocols' row must show only TLS 1.2 and TLS 1.3 as enabled.

  • 1.2

    TLS 1.0 and 1.1 disabled on every internet-exposed endpoint.

    p0
    How to verify

    Same scans must show 'TLS 1.0' and 'TLS 1.1' as not negotiable. Also verify behind load balancers and CDNs.

  • 1.3

    Legacy cipher suites (RC4, 3DES, NULL, EXPORT) disabled.

    p0
    How to verify

    In the SSL Labs 'Cipher Suites' section no entry must contain RC4, 3DES, NULL, EXPORT, DES, MD5.

  • 1.4

    Full certificate chain served (no client-side AIA chasing required).

    p0
    How to verify

    Run Chain Builder against your server's chain — it must report 'chain valid' with no 'missing intermediate'.

  • 1.5

    HSTS enabled on all sites, with max-age ≥ 31536000.

    p1
    How to verify

    curl -sI https://host | grep -i strict-transport-security. max-age must be ≥ 31536000 (1 year). Consider HSTS preload submission.

Italian ACN det. 379907/2025 — Inventory & lifecycle

  • 2.1

    Centralized inventory of public certificates with expiry tracking.

    p0
    How to verify

    Provide the inventory source (CMDB, spreadsheet, dashboard). For external posture, crt.sh lists all your public certs.

  • 2.2

    Automatic expiry alerts at T-30 and T-7 days.

    p1
    How to verify

    Show the monitoring config (Prometheus, Nagios, cron) or a CT-based monitor service with notifications.

  • 2.3

    Documented renewal procedure (who, how, which CA).

    p1
    How to verify

    Provide the procedure document: must name the owner, the CA(s) in use, and the renewal trigger.

  • 2.4

    Documented fast-revocation procedure, tested in the last 12 months.

    p1
    How to verify

    Provide the procedure + last drill report (date, outcome, people involved).

NIS2 Art. 23 — Incident reporting

  • 3.1

    PKI incident runbook for ACN notification (24h early warning, 72h notification, 1-month final report).

    p0
    How to verify

    Provide the runbook. Verify timing alignment with NIS2 Art. 23 and that the ACN notification channel is named.

  • 3.2

    Emergency contacts for CA / registrar documented and reachable 24×7.

    p1
    How to verify

    Show the contact roster with H24 phone/email for CA and registrar. Annual reachability test recommended.

  • 3.3

    Private-key rotation procedure tested for compromise scenarios.

    p0
    How to verify

    Provide procedure + last drill report (full rotation: revoke, reissue, redeploy, HSTS/HPKP fallout).

DORA / eIDAS — Resilience & qualified

  • 4.1

    Documented encryption policy (data at rest / in transit / in use) aligned to RTS 2024/1774 art. 6.

    p0
    How to verify

    Provide the policy. It must explicitly map the three data states and reference art. 6(2) of Commission Delegated Regulation (EU) 2024/1774.

  • 4.2

    For PSD2 / eIDAS Art. 45a-targeted services: QWAC from a qualified TSP.

    p1
    How to verify

    Only if applicable (PSD2 / open banking). The certificate must come from an EU Trust List TSP and include the PSD2 QcStatement.

  • 4.3

    At least one secondary CA fallback for public certificates (multi-CA).

    p1
    How to verify

    Show contractual or operational evidence of a secondary CA usable on primary outage (e.g., Let's Encrypt + ZeroSSL).

Beyond the checklist

Need continuous posture management, not just a self-assessment?

nis2-public is the open-source platform (AGPL-3.0) for NIS2: governance, technical validation and incident response under one roof, self-hosted. Scan data never leaves your infrastructure.

nis2-public on GitHub →