The EU NIS2 Directive expanded mandatory cybersecurity requirements to a much broader range of organizations operating in the EU. Article 21 requires "appropriate and proportionate technical measures" — including secure software development practices. MergeGuide enforces these requirements at the code layer.
NIS2 (Directive 2022/2555) expanded the scope of the original NIS Directive to cover essential and important entities across 18 sectors — including digital infrastructure, ICT service management, and digital service providers. Organizations operating in or supplying to EU-regulated sectors must demonstrate compliance with Article 21 cybersecurity measures.
Unlike its predecessor, NIS2 imposes personal liability on management for cybersecurity failures and requires systematic risk management, including supply chain security. Software suppliers to NIS2-covered entities face increasing audit and contractual requirements.
MergeGuide includes policies that guide implementation of NIS2 Article 21 technical requirements — detecting code-level security vulnerabilities that would constitute failures of the "appropriate technical measures" requirement.
MergeGuide templates cover key NIS2 Article 21 technical measures at the code level:
| NIS2 Requirement | What MergeGuide Detects | Severity |
|---|---|---|
| Art. 21(2)(f) — Secure acquisition | SQL injection and command injection patterns in application code | Critical |
| Art. 21(2)(f) — Secure acquisition | Hardcoded credentials and secrets in source code | Critical |
| Art. 21(2)(g) — Risk management | Insecure cryptography — deprecated algorithms and weak key handling | High |
| Art. 21(2)(g) — Risk management | Data transmitted without encryption or using deprecated TLS | High |
| Art. 21(2)(b) — Incident handling | Missing audit logging on security-relevant application events | High |
| Art. 21(2)(h) — Cyber hygiene | Debug mode enabled, missing security headers, insecure defaults | Medium |
| Art. 21(2)(e) — Supply chain | Known-vulnerable dependency patterns detectable in application code | High |
NIS2 and GDPR share substantial overlap in technical security requirements — both require appropriate technical measures for data protection and security. MergeGuide's PolicyMerge resolves overlapping controls, letting teams satisfy both frameworks with a single assessment.
NIS2 requires organizations to demonstrate that cybersecurity measures are in place and operational. MergeGuide generates signed evidence artifacts at every code evaluation — providing the documentation required to demonstrate continuous operation of Article 21 measures.
NIS2 Article 21(2)(e) specifically addresses supply chain security. Software vendors supplying to NIS2-covered entities can demonstrate security posture via MergeGuide evidence artifacts — satisfying customer audit requirements and vendor security questionnaires.
See how MergeGuide enforces NIS2 Article 21 technical measures and generates compliance evidence in a live demo.