NIS2's First Audit Deadline Is June 30. The 21.3% Known-CVE Gap Will Be the First Finding
On 30 June 2026 the first NIS2 compliance audit cycle closes. ENISA's 21.3% known-CVE intrusion rate stops being a slide and starts being an audit finding.
Five weeks from now the first NIS2 compliance audit cycle closes. Across the EU, supervisory authorities will start grading essential and important entities not on their policy PDFs but on whether they can produce timestamped, signed evidence that their cybersecurity risk-management measures actually operated during the reporting period. The first finding most of them will write up is already mapped in the ENISA Threat Landscape 2025: 21.3% of intrusions against European organisations still ride known, unpatched vulnerabilities. That is the second-largest initial-access category after phishing, and it is the one where the gap between policy and operational reality is now legally measurable.
ENISA's number, in context
The 21.3% figure comes from ENISA's analysis of 4,875 incidents observed between 1 July 2024 and 30 June 2025. Phishing and its variants account for roughly 60% of initial access. Supply-chain compromise sits at 10.6%. Public administration is the most targeted sector (38% of mapped incidents), followed by transport — particularly maritime and logistics. As Security Affairs summarised the report, vulnerability exploitation "remains a cornerstone of initial access, with adversaries often weaponising newly disclosed flaws within days."
That last clause is the operational problem. The 21.3% is not made up of obscure CVEs. It is made up of CVEs that had a patch, a regulator advisory, and a CISA KEV listing — and that the victim's vulnerability-management programme either never closed or closed too slowly.
Three concrete examples from the last seven days illustrate the cadence:
- On 20 May 2026 CISA added seven CVEs to KEV in a single batch, including CVE-2026-41091 (Microsoft Defender elevation of privilege) and a string of legacy Microsoft and Adobe CVEs from the 2008–2010 vintage that are still being weaponised in 2026.
- On 21 May, CISA added two more KEV entries, including CVE-2026-34926 in Trend Micro Apex One — a directory-traversal flaw in the very EDR many entities are using to satisfy NIS2 Article 21.
- Through the same week, ACN's bollettino flagged active exploitation of CVE-2026-20127, an authentication bypass in Cisco Catalyst SD-WAN, on top of the CVE-2026-20182 chain disclosed earlier in May.
Each of these has a patch. Each will, on 30 June, be looked at by an auditor as an open question: were you scanning for it within hours of disclosure, and what did you produce as proof?
Why "patch within 30 days" no longer survives an audit
The most common vulnerability-management commitment in policy documents reads some variation of "critical CVEs are patched within 30 days, high within 60". NIS2's transposing legislation in every member state that has finalised it converts this from a self-declared target into a supervised one. The supervisory authority is entitled to ask:
- How did you know about the CVE within 24 hours of disclosure? — i.e. show the feed, the timestamp, the ticket created.
- Where was the affected asset in your inventory? — i.e. show the CMDB record and its version field at the time.
- Did the patch land? — i.e. show the scan that proves the binary or container image is no longer vulnerable, dated after the patch.
- Did you validate exploitability after the patch? — i.e. show the test, dated after the patch, that confirms a working PoC no longer succeeds.
Three of the four are inventory and ticketing questions and most mature programmes can answer them. The fourth is where the 21.3% lives. Almost no organisation routinely re-tests exploitability post-patch outside of the annual or quarterly external pentest window, and that window is now wholly out of cadence with how fast adversaries weaponise.
An auditor in a Q3 2026 NIS2 review: "You patched CVE-2026-XXXX on day 9. Good. What did you do on day 10 to verify that the patch worked in production, on the actual asset, against the actual exploit chain?"
If the answer is "we trusted the vendor advisory and waited for the next quarterly pentest," that is going into the finding column. The advisory is not the evidence; the second test is.
What auditors actually want to see
Several member-state regulators have begun publishing what they consider acceptable evidence under their NIS2 transposing law, and the pattern is converging across the Belgian NBB, the German BSI, the Dutch DNB and Italy's ACN. The Dutch AFM's May 2026 warning on DORA incident reporting — a sibling regulation, but the same regulator culture — telegraphs the wider shift: the clock starts on awareness, not on forensic certainty, and "we are investigating" is not a defence.
Translated to NIS2 vulnerability management, regulators are asking for:
- Continuous external scanning of all internet-facing assets, with the scanner's evidence stream (not its dashboard) as the audit artefact.
- Validation, not just detection. A scanner that reports "CVE-X is present" is now considered the minimum. An exploit attempt — successful or not — against the patched asset is what closes the loop.
- Cryptographically signed evidence of when each scan ran, what it produced and who saw it. Self-asserted CSV exports are no longer treated as sufficient on contested findings.
- Cross-framework traceability. The same evidence has to be reusable for ISO 27001 Annex A.8.8 (vulnerability management), SOC 2 CC7.1, and — for in-scope financial entities — DORA Article 6. An auditor who has to read three different reports for one finding will deduct.
In short, the documentary class of evidence (signed PDFs of a quarterly pentest report) is being superseded by the operational class (a continuous stream of signed events).
The blast radius: where the 21.3% concentrates
The 21.3% is not evenly distributed. Three concentrations matter for NIS2 in-scope entities:
| Sector | Primary attack pattern | NIS2 Annex |
|---|---|---|
| Public administration | Edge appliance and identity CVE on exposed perimeter | Annex I |
| Transport (maritime, logistics, freight) | Office and document-handling CVE in spear-phishing chain | Annex I |
| Healthcare | Legacy clinical software and EDR CVE | Annex I |
| Manufacturing OT/ICS | HMI and engineering-station CVE on flat networks | Annex II |
| Digital infrastructure (cloud, DNS) | Cascading effect — small footprint, large blast radius | Annex I |
ENISA explicitly flagged Russia-nexus intrusion sets, notably APT28, focusing on air transport, logistics and freight, particularly in Germany, France and Belgium. Trellix's January 2026 analysis documents the actor weaponising CVE-2026-21509 within 24 hours of its public disclosure and blending its command-and-control traffic into legitimate cloud storage (filen.io). That is the textbook 21.3% pattern: known CVE, public patch available, exploited at scale before the patch window closes.
When auditors look at a transport operator on 1 July, the question will not be theoretical. It will be: show me what you did between 28 January and 31 January 2026.
Continuous validation as audit-grade evidence
The mismatch between adversary cadence (hours) and assessment cadence (quarterly or annual) is not a tooling preference any more. NIS2 Article 21(2)(g) requires "policies and procedures regarding the use of cryptography" alongside vulnerability handling and disclosure, and the implementing acts of several member states are increasingly explicit that periodic pentesting alone does not discharge the obligation when the threat landscape moves faster than the cadence.
What does discharge it, by emerging consensus across regulator guidance:
- Continuous, automated reconnaissance and validation of all in-scope assets, not just a snapshot at audit time.
- Change-triggered re-validation: a new asset on the perimeter or a configuration change should trigger a fresh exploit attempt within hours, not weeks.
- An evidence stream signed at write time so that the chain of custody is verifiable to an auditor or, in the worst case, to a court.
- Cross-framework mapping so the same finding satisfies NIS2, ISO 27001, SOC 2 and DORA simultaneously, rather than producing three parallel evidence sets.
The legal question NIS2 puts to a CISO is no longer "did you have a pentest report?" It is "can you reconstruct, in evidence, what you knew, when you knew it, and what you tested?" The 21.3% statistic is the gap most programmes are about to discover they cannot reconstruct.
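The four auditor questions from the earlier section and the write-time-signed, chain-of-custody evidence stream this section calls for, as an added example that is neither the article's nor Zero Hunt's code: each event is hash-chained to its predecessor and signed when written, and a second function answers the four questions for one CVE from the chain alone. Stdlib HMAC-SHA256 stands in for the ECDSA signatures the text describes; the signing key, asset name, build versions and timestamps are constructed.

```python
# Added example, not Zero Hunt's code: a hash-chained evidence log signed at write time,
# plus a check that answers the four auditor questions from the log alone. Stdlib HMAC-SHA256
# stands in for the article's ECDSA signatures; key, asset name, versions and times are constructed.
import hashlib, hmac, json
from datetime import datetime, timedelta
SIGNING_KEY = b"constructed-demo-key"  # assumption: held only by the evidence service

def _seal(prev, body):  # hash this entry onto its predecessor, then sign the chain hash
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    return digest, hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()

def append_event(log, event):
    prev = log[-1]["hash"] if log else "0" * 64
    body = json.dumps(event, sort_keys=True)  # canonical form, so the hash is reproducible
    digest, sig = _seal(prev, body)
    log.append({"prev": prev, "body": body, "hash": digest, "sig": sig})
    return log

def verify_chain(log):  # True only while every link and signature checks; any edit breaks it
    prev = "0" * 64
    for entry in log:
        digest, sig = _seal(prev, entry["body"])
        if entry["prev"] != prev or entry["hash"] != digest or not hmac.compare_digest(sig, entry["sig"]):
            return False
        prev = digest
    return True

def audit_cve(log, cve, asset):  # reconstruct the four audit answers for one CVE on one asset
    ev = [e for e in (json.loads(x["body"]) for x in log) if e["cve"] == cve and e["asset"] == asset]
    when = lambda kind: [datetime.fromisoformat(e["time"]) for e in ev if e["kind"] == kind]
    disclosed = [datetime.fromisoformat(e["disclosed"]) for e in ev if e["kind"] == "aware"]
    patched = when("patched")
    return {
        "aware_within_24h": bool(disclosed) and when("aware")[0] - disclosed[0] <= timedelta(hours=24),
        "asset_in_inventory": bool(when("inventory")),
        "scan_after_patch": bool(patched) and any(s > patched[0] for s in when("scan_clean")),
        "validated_after_patch": bool(patched) and any(x > patched[0] for x in when("poc_failed")),
    }

def demo_log():  # constructed trail for CVE-2026-34926 (Trend Micro Apex One, KEV-listed 21 May 2026)
    cve, asset, log = "CVE-2026-34926", "edr-mgmt-01", []
    for kind, time, extra in [
        ("aware", "2026-05-21T18:10:00+00:00", {"disclosed": "2026-05-21T15:00:00+00:00", "source": "CISA KEV", "ticket": "VM-0001"}),
        ("inventory", "2026-05-21T18:12:00+00:00", {"version": "pre-patch-build"}),
        ("patched", "2026-05-23T09:30:00+00:00", {"version": "patched-build"}),
        ("scan_clean", "2026-05-23T11:00:00+00:00", {"scanner": "external"}),
        ("poc_failed", "2026-05-23T12:45:00+00:00", {"check": "PoC re-run, no longer succeeds"}),
    ]:
        append_event(log, {"kind": kind, "cve": cve, "asset": asset, "time": time, **extra})
    return log
```

Any edit to a stored entry, or dropping one from the middle of the chain, makes verify_chain return False, which is the property an auditor needs before trusting the four answers.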
Where Zero Hunt fits
Zero Hunt was built specifically against this gap. The compliance engine continuously maps every scan, finding and remediation against 32 regulatory frameworks, NIS2 and its Title 13 obligations included, with ECDSA-signed reports and chain-of-custody by construction — the operational evidence class regulators are converging on. Severity-weighted scoring and cross-framework control mapping mean a single validated finding satisfies the NIS2 Article 21 obligation, the ISO 27001 Annex A.8.8 control and, for in-scope financial entities, DORA Article 6 in one bundle, not three.
That evidence stream is fed by Zero Hunt's 10-agent generative pentest swarm, which runs continuously on-prem against the customer perimeter. When a new CVE lands on CISA KEV, the swarm's exploit chain is rewritten by a local LLM and tested against the actual asset, in an ephemeral sandbox, within the hour — closing the 21.3% gap with a dated exploit attempt that the auditor can verify, not just a scanner result. Trust Center exports the bundle on demand for the 30 June audit cycle. Air-gap deployments produce the same evidence without any cloud callbacks, which matters for the public administration and defence operators most exposed to the 21.3%.
The 30 June deadline is a forcing function. It is also the first time in EU cybersecurity regulation that operational evidence outranks documentary evidence by law. For programmes still architected around the annual pentest report, the next five weeks are short.