VERSION 1.0 • LAST UPDATED: JUNE 2026

Legal & Liability Disclaimer

Important clarifications regarding the nature of our automated assessment tools and your compliance obligations.

1. Nature of This Service

NIS2Engine is an automated technical assessment tool. It is not a law firm, a certified security auditor, an accredited certification body, or a regulatory authority.

Nothing on this Platform, in any generated report, in any remediation letter, or in any communication from us constitutes legal advice, legal opinion, regulatory guidance, or a guarantee of compliance with any law or regulation.

2. Reports Are Informational Only

Reports, scorecards, grades, and scores generated by the Platform are informational outputs of automated passive scanning. They represent a point-in-time assessment of publicly observable security indicators only.

A high score or Grade A does NOT mean:

  • The vendor is immune to cyberattacks
  • The vendor is NIS2 compliant under EU Directive 2022/2555
  • Your organization's due diligence obligations are satisfied
  • A regulatory authority will accept this report as sufficient evidence of compliance
  • The vendor has no vulnerabilities beyond what our scanner can detect
  • The vendor will not suffer a breach in the future

A low score or Grade F does NOT mean:

  • The vendor has already been compromised
  • The vendor is acting in bad faith
  • Your organization must immediately terminate the vendor relationship
  • The vendor is incapable of meeting NIS2 requirements

3. Limitations of Automated Scanning

Our scanner performs passive external reconnaissance only. It cannot assess:

  • Internal security policies and procedures
  • Employee security training and awareness
  • Physical security controls
  • Access control and identity management systems
  • Incident response and business continuity capabilities
  • Software patching practices for internal systems
  • Contractual security obligations with sub-vendors
  • Compliance with sector-specific regulations beyond NIS2
  • Security controls not visible from the public internet

A vendor could score 95/100 on our Platform and still have significant internal security weaknesses that our scanner cannot detect. A vendor could score 30/100 and have compensating controls that adequately address their external vulnerabilities. Automated scanning is one input into your risk management program, not a replacement for it.

4. Your Compliance Obligations Remain Yours

Under EU NIS2 Directive 2022/2555 Article 21, covered entities bear full legal responsibility for managing supply chain security risks. This obligation cannot be transferred, outsourced, or delegated to NIS2Engine or any other tool or service provider.

You bear sole and exclusive responsibility for:

  • Determining whether your organization is subject to NIS2
  • Identifying which of your vendors are in scope for assessment
  • Determining what level of due diligence is sufficient for each vendor
  • Deciding what action to take based on assessment results
  • Reporting security incidents to competent authorities
  • Implementing appropriate security measures across your supply chain
  • Demonstrating compliance to your national competent authority
  • All regulatory, legal, and financial consequences of non-compliance

Using this Platform does not make you NIS2 compliant. It provides documentation that supports your compliance program.

5. Remediation Letters Are Templates

Remediation letters generated by the Platform are AI-generated template documents based on scan findings. They are starting points for vendor communication, not final legal documents.

Before sending any remediation letter to a vendor, you should:

  • Have your internal legal counsel review the letter
  • Verify that all technical findings cited are accurate
  • Ensure the tone and demands are appropriate for your vendor relationship
  • Confirm the letter aligns with any contractual obligations between you and the vendor
  • Consider the regulatory context of the vendor's jurisdiction

We are not liable for any consequences arising from sending AI-generated remediation letters without legal review.

6. Third-Party Data Accuracy

Threat intelligence data is sourced from third-party providers including Shodan, AbuseIPDB, AlienVault OTX, Google Safe Browsing, IPInfo, and URLScan. We do not control and cannot guarantee the accuracy, completeness, or currency of data from these sources.

False positives are possible. A vendor flagged by a threat intelligence source may have been incorrectly listed or may have already resolved the issue. Always verify significant threat intelligence findings through additional means before acting on them.

7. Scan Authorization

You represent and warrant that you have the legal right or contractual authority to initiate security assessments of any domain you submit to the Platform. We are not responsible for any legal consequences arising from your submission of domains for which you lacked authorization.

8. No Liability for Outcomes

We are not liable for regulatory fines, enforcement actions, findings of non-compliance, business losses arising from vendor security failures, or damages arising from reliance on Platform reports. Our liability is limited as set out in the Terms of Service.

9. Seek Professional Advice

For advice specific to your organization's NIS2 compliance obligations, we strongly recommend consulting qualified legal counsel, certified auditors, and your national competent authority. Automated tools are not a substitute for professional advice.

10. Changes to Disclaimer

We may update this Disclaimer at any time. You will be notified of material changes via email at least 30 days before they take effect. The version number and date at the top reflect the current version.

11. Contact

For questions about this Disclaimer, use the contact form at /contact.