Important clarifications regarding the nature of our automated assessment tools and your compliance obligations.
NIS2Engine is an automated technical assessment tool. It is not a law firm, a certified security auditor, an accredited certification body, or a regulatory authority.
Reports, scorecards, grades, and scores generated by the Platform are informational outputs of automated passive scanning. They represent a point-in-time assessment of publicly observable security indicators only.
Our scanner performs passive external reconnaissance only. It cannot assess:
A vendor could score 95/100 on our Platform and still have significant internal security weaknesses that our scanner cannot detect. A vendor could score 30/100 and have compensating controls that adequately address their external vulnerabilities. Automated scanning is one input into your risk management program, not a replacement for it.
Under EU NIS2 Directive 2022/2555 Article 21, covered entities bear full legal responsibility for managing supply chain security risks. This obligation cannot be transferred, outsourced, or delegated to NIS2Engine or any other tool or service provider.
You bear sole and exclusive responsibility for:
Using this Platform does not make you NIS2 compliant. It provides documentation that supports your compliance program.
Remediation letters generated by the Platform are AI-generated template documents based on scan findings. They are starting points for vendor communication, not final legal documents.
Before sending any remediation letter to a vendor you should:
We are not liable for any consequences arising from sending AI-generated remediation letters without legal review.
Threat intelligence data is sourced from third-party providers including Shodan, AbuseIPDB, AlienVault OTX, Google Safe Browsing, IPInfo, and URLScan. We do not control and cannot guarantee the accuracy, completeness, or currency of data from these sources.
False positives are possible. A vendor flagged by a threat intelligence source may have been incorrectly listed or may have already resolved the issue. Always verify significant threat intelligence findings through additional means before acting on them.
You represent and warrant that you have the legal right or contractual authority to initiate security assessments of any domain you submit to the Platform. We are not responsible for any legal consequences arising from your submission of domains for which you lacked authorization.
We are not liable for regulatory fines, enforcement actions, findings of non-compliance, business losses arising from vendor security failures, or damages arising from reliance on Platform reports. Our liability is limited as set out in the Terms of Service.
For advice specific to your organization's NIS2 compliance obligations, we strongly recommend consulting qualified legal counsel, certified auditors, and your national competent authority. Automated tools are not a substitute for professional advice.
We may update this Disclaimer at any time. Material changes will be notified via email at least 30 days before taking effect. The version number and date at the top reflect the current version.
For questions about this Disclaimer, use the contact form at /contact.