Security check

NIS2 for GitHub: the technical controls, concretely

NIS2's requirements on risk management, secure development and supply chain land directly in how you run GitHub. We show exactly which technical controls are affected and where you stand.

Run a free domain scan All checks →
Relates to: NIS2 · art. 21 — risk-management measures ISO 27001 · A.8.28 / A.8.8 SOC 2 · CC8.1

What we check

We map NIS2's technical requirements to concrete GitHub controls: branch protection and review requirements (secure development), secrets handling (access control), vulnerable dependencies (supply chain) and CI/CD permissions (integrity of the development pipeline).

Why it matters

NIS2 is principle-based and rarely names the exact GitHub setting required — but in practice that's where the requirements land for a software company. We translate the requirements into measurable technical controls you can prove.

How Security Guru tests it

Common mistakes

  • Treating NIS2 as pure documentation with no technical evidence
  • Missing that NIS2 reaches you as a supplier, not just operators
  • No link between policy and actual GitHub configuration
  • Compliance work disconnected from the real code

What you get in the report

  • NIS2-relevant GitHub controls with status per repo
  • Technical gaps mapped to art. 21 requirements
  • Prioritised fix list with evidence
  • Material to show management and auditors

FAQ

Does NIS2 affect us as a subcontractor?

Often yes — NIS2 extends through the supply chain to those delivering to essential and important entities. The requirements can reach you via customer contracts.

Does this give a NIS2 certification?

No — NIS2 isn't certified like ISO 27001. We provide the technical evidence showing your GitHub controls meet the requirements.

Does code have to leave us?

No — the review can run self-hosted.

Want to know your status?

Run a free scan or order a full Security Assessment — prioritised, not noise.

Run a free domain scan