
NIS2 Directive: What M&A IT Due Diligence Must Cover After January 2025

NIS2 obligations have applied to essential entities under national law since October 2024 and are being enforced through 2025. In M&A, the target's compliance gaps become the acquirer's liability. Here's the Article 21 checklist.

Luna ·
nis2 compliance it-due-diligence regulation m-and-a

The Network and Information Security Directive 2 (NIS2, Directive (EU) 2022/2555) had to be transposed by EU Member States by 17 October 2024, and the national rules implementing it apply to essential and important entities from 18 October 2024 (late transposition in some Member States delays enforcement there, but not the directive's scope). Any deal closing from January 2025 onward therefore closes into a live enforcement regime, and in the context of M&A this creates a compliance liability that transfers from seller to buyer at close.

If you’re acquiring a company that falls under NIS2’s scope (energy, transport, banking, health, drinking water, digital infrastructure, and several others), the target’s Article 21 security measures are now a material due diligence item.

The Acquirer’s Liability Transfer Problem

NIS2 does not let an essential entity outsource its security obligations. Article 21(2)(d) makes supply chain security one of the entity’s own mandatory measures, so a weakness introduced through a supplier or managed service provider is still the entity’s compliance failure in the eyes of the competent authority. When you acquire a company, you inherit its supply chain, and you inherit its NIS2 compliance status with it.

A target company that has not performed a NIS2 gap assessment, or that has documented gaps it has chosen not to remediate, hands those gaps to the acquirer on Day 1. If a significant incident occurs in month 3 post-close and the gap existed pre-acquisition, it is the acquired entity, now yours, that faces the supervisory measures and fines of Articles 32 to 34 (for essential entities, up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher). Recovering any of that from the seller is a contractual matter; the directive does not apportion it for you.

This is where NIS2 differs from most compliance frameworks. Article 20 requires the management body to approve the cybersecurity risk-management measures, oversee their implementation and follow training, and it allows the members of that body to be held liable for the entity’s infringements. Accountability follows control of the entity, and control moves to the acquirer’s appointees at close.

Article 21 Security Measures: The 10 Categories

Article 21(2) of NIS2 lists 10 categories of cybersecurity risk-management measures that essential and important entities must implement, proportionate to their exposure and the likely impact of an incident. These are not checkboxes; they are operational requirements:

  1. Policies on risk analysis and information system security — Documented, management-approved security policies reviewed on a defined cycle. The risk analysis must cover supply chain and third-party risk, not just internal systems.

  2. Incident handling — A documented incident response plan that can meet the Article 23 reporting clock: an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month. The clock starts when the entity becomes aware of the incident.

  3. Business continuity, backup management, disaster recovery and crisis management — Backup and recovery procedures, crisis communication plans, and evidence that recovery has actually been exercised. Annual testing is a reasonable diligence expectation, not a number the directive fixes.

  4. Supply chain security — Supplier risk assessments covering the entity’s direct suppliers and service providers. Contractual security requirements for all third parties with access to the entity’s networks, and evidence that these are actually enforced.

  5. Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure — Hardware and software procured from legitimate sources, a patching process, a published vulnerability disclosure policy, and a process for receiving and triaging reports from external parties. A Software Bill of Materials (SBOM) for critical systems is good practice, not a directive requirement.

  6. Policies and procedures to assess the effectiveness of the measures — Internal audits, control testing and metrics that show the controls work, not merely that they exist on paper.

  7. Basic cyber hygiene practices and cybersecurity training — Awareness training for all staff with system access, including the management body (Article 20 requires its members to follow training), with a regular refresh.

  8. Policies and procedures on the use of cryptography and, where appropriate, encryption — Encryption of sensitive data at rest and in transit, with documented key management.

  9. Human resources security, access control policies and asset management — Joiner, mover and leaver processes, least-privilege access control, and a maintained asset inventory.

  10. Multi-factor or continuous authentication and secured communications — MFA or continuous authentication solutions, secured voice, video and text communications and secured emergency communications, all qualified by "where appropriate". In practice a competent authority will expect MFA on remote access and on every administrative account, and will ask how coverage is verified for both human accounts and the machine identities that hold privileged roles.

The NIS2 M&A Due Diligence Checklist

Supply Chain Risk (Category 4)

  • Request the target’s supplier risk register. Does it cover all IT vendors, cloud providers, and managed service providers?
  • Are there contractual security SLAs with key suppliers? Are they enforced?
  • What is the target’s visibility into sub-supplier security? (This is a major gap in most organizations)
  • Does the target have a complete list of all third parties with network access?

Incident Response Capability (Category 2)

  • When was the incident response plan last tested? Ask for the test report.
  • Has the target notified any incidents to the national CSIRT in the past 24 months? Ask for the log.
  • Does the 24-hour early warning process (Article 23) actually exist, or is it documented but not operational? Who is on call, and how do they reach the CSIRT out of hours?

Security Training (Category 7)

  • What percentage of employees completed cybersecurity training in the last 12 months?
  • Is there a phishing simulation program? What was the last reported click rate?

MFA and Access Control Coverage (Categories 9 and 10)

  • Run ACQI’s Entra ID / Azure AD discovery module. What percentage of user accounts have MFA enabled?
  • Are service accounts excluded from MFA policies? (Check the Conditional Access exclusion groups: accounts excluded from MFA policies are where attackers look first, and a service account with a static password and no second factor is a standing credential.)

Vulnerability Management (Category 5)

  • Does the target run vulnerability scanning? On what cadence? (Monthly is a reasonable floor for critical infrastructure; internet-facing assets should be scanned far more often.)
  • How fast are critical and high findings actually remediated? NIS2 itself sets no patch SLA; the 24-hour (critical) and 72-hour (high) targets used in this checklist are the benchmark to measure the target against, not statutory deadlines. Ask for time-to-remediate data from the scanner, not the policy document.
  • Is there an SBOM for any critical software?
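To answer the remediation question from evidence rather than policy, here is an added example (not ACQI’s module or code from the page) that measures patch-SLA compliance from a vulnerability scan export. The CSV below is constructed, its finding IDs are placeholders rather than real CVEs, and the column names are an assumption to map onto whatever the target’s scanner actually exports. The 24h/72h/30d thresholds are the checklist’s benchmark, not figures from NIS2. An open finding that is already older than its threshold counts as a breach today; a closed finding counts as a breach if it was closed late.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from statistics import median

# SLA benchmark used by the checklist above (assumption, not a NIS2 figure).
SLA = {
    "critical": timedelta(hours=24),
    "high": timedelta(hours=72),
    "medium": timedelta(days=30),
}

# Constructed scan export. Finding IDs are placeholders, not real CVEs.
SAMPLE_CSV = """asset,finding_id,severity,first_seen,resolved
web-01,VULN-0001,critical,2025-03-01T08:00:00Z,2025-03-01T20:00:00Z
web-02,VULN-0001,critical,2025-03-01T08:00:00Z,2025-03-04T08:00:00Z
db-01,VULN-0002,high,2025-03-05T10:00:00Z,
app-03,VULN-0003,high,2025-03-09T12:00:00Z,
app-03,VULN-0004,medium,2025-02-01T00:00:00Z,2025-02-20T00:00:00Z
vpn-01,VULN-0005,critical,2025-03-09T20:00:00Z,
"""

# The moment the diligence snapshot was taken (assumed).
AS_OF = datetime(2025, 3, 10, 9, 0, tzinfo=timezone.utc)


@dataclass
class SeverityStats:
    total: int = 0
    breached: int = 0
    open_past_sla: list[str] = field(default_factory=list)  # "asset:finding_id"
    closed_hours: list[float] = field(default_factory=list)

    @property
    def breach_rate_pct(self) -> float:
        return round(100.0 * self.breached / self.total, 1) if self.total else 0.0

    @property
    def median_time_to_fix_hours(self) -> float | None:
        return median(self.closed_hours) if self.closed_hours else None


def parse_ts(value: str) -> datetime:
    # Scanner exports use the RFC 3339 'Z' suffix; older fromisoformat wants +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate(csv_text: str, as_of: datetime) -> dict[str, SeverityStats]:
    """Return per-severity SLA statistics for every finding in the export."""
    stats: dict[str, SeverityStats] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        severity = row["severity"].strip().lower()
        limit = SLA.get(severity)
        if limit is None:
            continue  # low/informational findings are not SLA-bound here
        s = stats.setdefault(severity, SeverityStats())
        s.total += 1
        first_seen = parse_ts(row["first_seen"])
        resolved_raw = row["resolved"].strip()
        # Age of an open finding is measured up to the snapshot time.
        elapsed = (parse_ts(resolved_raw) if resolved_raw else as_of) - first_seen
        if resolved_raw:
            s.closed_hours.append(elapsed.total_seconds() / 3600)
            if elapsed > limit:
                s.breached += 1  # fixed, but fixed late
        elif elapsed > limit:
            s.breached += 1  # still open and already past the SLA
            s.open_past_sla.append(f"{row['asset']}:{row['finding_id']}")
    return stats


if __name__ == "__main__":
    for severity, s in evaluate(SAMPLE_CSV, AS_OF).items():
        print(f"{severity:8s} findings={s.total} breached={s.breached} "
              f"rate={s.breach_rate_pct}% median_ttf_h={s.median_time_to_fix_hours} "
              f"open_past_sla={s.open_past_sla}")
```

Run it against the target’s full export, not a sample, and keep the `open_past_sla` list: those are the exact assets that become the acquirer’s problem on Day 1, which is the evidence an indemnity or escrow negotiation needs.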

The NIS2 Compliance Gap Remediation Timeline

If you identify gaps during due diligence, the remediation timeline is not quick. NIS2 compliance is not a software installation — it’s an organizational security program.

A realistic remediation timeline for a mid-size company with significant gaps: 18-24 months to reach full compliance, assuming dedicated resources and budget.

This has direct implications for deal structure:

  • Representations and warranties — The seller should represent that they are in compliance with NIS2 as of close. If gaps exist, the buyer needs a specific indemnity for NIS2 remediation costs.
  • Escrow holdback — A portion of deal consideration held in escrow for 18-24 months to cover remediation costs if gaps are found post-close.
  • Reps and warranties insurance — NIS2 gaps may not be covered under standard R&W policies if they constitute known pre-existing conditions. Disclose them specifically.

ACQI’s Role in NIS2 Due Diligence

The discovery platform’s 89-module scan covers the technical infrastructure components of Article 21 compliance. Specifically:

  • MFA coverage across all Entra ID / Azure AD accounts
  • Vulnerability scanning results across all discovered endpoints
  • Supply chain visibility — what SaaS applications, cloud providers, and network dependencies exist in both companies’ environments
  • Security event logging coverage — are SIEM tools covering the critical systems?

The ACQI report becomes Exhibit A in the NIS2 gap assessment — the technical evidence that supports the compliance opinion.

Running an integration right now?

The research is clear: discovery-first integrations deliver on time. ACQI has the modules to get you there in weeks, not months.