NIS 2 21.2.d
Cryptography and encryption
UnveilScan findings mapped to this control
The scanner emits 14 distinct findings on this control.
dns.dnssec_chain_broken
⏱ 2h
DNS — DNSSEC chain broken
Risk if ignored: Validating resolvers return SERVFAIL, so the users behind them (a growing share) cannot reach the site at all.
operational security
Also maps to 1 other control
dns.hosting_asn_bulletproof
⏱ 15 min
DNS — Hosting ASN bulletproof
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 2 other controls
email.dkim_legacy_key
⏱ 15 min
EMAIL — DKIM legacy key
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
email.dkim_weak_key
⏱ 15 min
EMAIL — DKIM weak key
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
email.mta_sts_missing
⏱ 1h
EMAIL — MTA-STS missing
Risk if ignored: Mail in transit can be passively intercepted (STARTTLS stripping) between your MX and the recipient.
security legal
Also maps to 1 other control
email.mta_sts_mode_testing
⏱ 15 min
EMAIL — MTA-STS mode testing
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
email.mta_sts_mx_mismatch
⏱ 15 min
EMAIL — MTA-STS MX mismatch
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
email.mta_sts_policy_unreachable
⏱ 15 min
EMAIL — MTA-STS policy unreachable
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
email.tls_rpt_missing
⏱ 15 min
EMAIL — TLS-RPT missing
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
tls.cert_expired
⏱ 30 min
TLS — Cert expired
Risk if ignored: Every visitor sees a browser error page. Traffic, trust and SEO collapse until the certificate is renewed.
operational reputational
tls.legacy_protocol
⏱ 30 min
TLS — Legacy protocol
Risk if ignored: TLS 1.0/1.1 enable POODLE / BEAST / Sweet32 attacks and fail every modern compliance audit (PCI-DSS 4.0, ANSSI).
security legal
tls.legacy_protocol_enabled
⏱ 15 min
TLS — Legacy protocol enabled
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 2 other controls
tls.weak_cipher_suite
⏱ 15 min
TLS — Weak cipher suite
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
web.secrets_in_html
⏱ 4h
WEB — Secrets in HTML
Risk if ignored: A cloud/SaaS token is visible on every page load. Attackers scrape homepages at scale for exactly this — rotation within hours is the bare minimum.
security financial legal