Shadow IT and NIS2: how do you manage and secure unknown digital assets?
Published on June 12, 2026
Introduction
In 2023 a marketing agency sets up promo.yourcompany.com for a campaign and points it, via a CNAME record, at an external hosting platform. The campaign ends, the platform subscription is cancelled, but the DNS record remains. Two years later someone else registers the same name on that platform, and from that moment serves whatever content they like under your domain name. Phishing emails "on behalf of" your company suddenly look completely legitimate: the link really does lead to yourcompany.com.
This scenario is called a subdomain takeover, and it illustrates the core problem of this article: the most dangerous systems are not the systems you manage, but the systems you no longer know you have. That is shadow IT, and under NIS2 it is no longer just a technical problem but a compliance problem. Shadow IT is therefore part of a larger whole: managing your entire external attack surface (External Attack Surface Management, EASM).
Why shadow IT is the biggest blind spot under NIS2
NIS2 and the Dutch Cybersecurity Act require appropriate measures for all network and information systems that affect services, not just the systems that happen to be in the CMDB. Asset management is explicitly named in the duty of care of Article 21 (Article 21(2)(i), alongside human resources security and access control policies). A risk analysis based on an incomplete asset register is therefore a finding in itself.
And registers are incomplete. Shadow IT does not arise from unwillingness but from speed: a team connects a SaaS tool, a developer puts a demo environment online, an agency sets up a campaign site, an acquired business unit brings its own domains along. Each time the external attack surface grows, and the register is almost never updated. The formal picture and reality structurally drift apart — and an attacker scans reality, not the register.
The dangers of an unmanaged external attack surface
Subdomain takeover
The scenario from the introduction. A DNS record (usually a CNAME) points to an external service, such as a hosting platform, a cloud storage bucket or a SaaS tool, whose subscription has since been cancelled. Whoever re-claims that name at the provider controls the content served under your subdomain: for phishing, malware distribution, or harvesting session cookies that were set with Domain=yourcompany.com and are therefore sent by the browser to every subdomain, including the attacker's. Two signals reveal a dangling record: the CNAME target no longer resolves at all (NXDOMAIN), or it still resolves but the provider answers requests for your hostname with its "unclaimed" page. Prevention: make removing the DNS record a mandatory step in the cancellation process of every external service, and continuously monitor your zones for records pointing to unclaimed services.
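As an added example (not code from the article, nor from OpenKAT or Exposentry), the check below walks a zone export and flags both signals of a dangling CNAME: a target that returns NXDOMAIN, and a target that still resolves but serves the provider's "unclaimed" page when your own subdomain is requested. The zone, the resolver answers, the HTTP bodies and the provider fingerprints are constructed stand-ins so the script runs offline; the provider names are hypothetical.

```python
"""Detect dangling CNAME records that expose a subdomain to takeover.

Added example for this article; not code from the article or from
OpenKAT/Exposentry. Zone, resolver answers and HTTP bodies are constructed
so the script runs offline. In production, feed it a real zone export and
pass a resolver and fetcher that do live DNS and HTTP lookups.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed zone export as (owner, type, target) triples.
ZONE = [
    ("www.yourcompany.example", "A", "203.0.113.10"),
    # 2023 campaign site: platform tenant deleted, DNS record never removed
    ("promo.yourcompany.example", "CNAME", "campaign-2023.pages.example-saas.net."),
    ("docs.yourcompany.example", "CNAME", "yourcompany.readme-host.example"),
    ("files.yourcompany.example", "CNAME", "yourcompany-assets.s3-bucket.example"),
    ("mail.yourcompany.example", "CNAME", "ghs.googlehosted.com"),
]

# Constructed resolver answers for the CNAME targets; None stands for NXDOMAIN.
_STUB_A_RECORDS = {
    "campaign-2023.pages.example-saas.net": None,
    "yourcompany.readme-host.example": "198.51.100.7",
    "yourcompany-assets.s3-bucket.example": "198.51.100.8",
    "ghs.googlehosted.com": "198.51.100.9",
}

# Constructed HTTP bodies returned when the subdomain itself is requested.
_STUB_BODIES = {
    "docs.yourcompany.example": "<html>yourcompany product docs</html>",
    "files.yourcompany.example": "<Error><Code>NoSuchBucket</Code></Error>",
}

# Hypothetical provider fingerprints: the body a provider serves for a hostname
# no tenant has claimed. Real lists are maintained per provider (for instance
# the community "can-i-take-over-xyz" project); these two are illustrative.
TAKEOVER_FINGERPRINTS = {
    "readme-host.example": "Project doesnt exist... yet!",
    "s3-bucket.example": "NoSuchBucket",
}


def stub_resolve(name: str) -> Optional[str]:
    """Stand-in for a live A-record lookup of the CNAME target."""
    return _STUB_A_RECORDS.get(name)


def stub_fetch_body(host: str) -> str:
    """Stand-in for GET https://<host>/ with Host header = your subdomain."""
    return _STUB_BODIES.get(host, "")


@dataclass
class Finding:
    subdomain: str
    target: str
    reason: str


def find_dangling_cnames(
    zone: list,
    resolve: Callable[[str], Optional[str]],
    fetch_body: Callable[[str], str],
) -> list:
    """Return CNAME records whose target is gone or unclaimed at the provider.

    Signal 1: the target does not resolve at all (NXDOMAIN); the provider
              will hand that name to whoever registers it next.
    Signal 2: the target resolves, but the provider serves its "unclaimed"
              page for our hostname, so the tenant behind it is gone.
    """
    findings = []
    for owner, rtype, target in zone:
        if rtype != "CNAME":
            continue
        target = target.rstrip(".").lower()  # zone files carry a trailing dot
        if resolve(target) is None:
            findings.append(Finding(owner, target, "target does not resolve (NXDOMAIN)"))
            continue
        for suffix, marker in TAKEOVER_FINGERPRINTS.items():
            hosted_here = target == suffix or target.endswith("." + suffix)
            if hosted_here and marker in fetch_body(owner):
                findings.append(Finding(owner, target, f"provider reports unclaimed resource: {marker!r}"))
                break
    return findings


if __name__ == "__main__":
    for f in find_dangling_cnames(ZONE, stub_resolve, stub_fetch_body):
        print(f"{f.subdomain} -> {f.target}: {f.reason}")
```

Run against the constructed zone, it reports promo (NXDOMAIN) and files (unclaimed bucket) and stays quiet about docs and mail. Note that signal 2 requires requesting your own hostname, not the provider's: the provider decides what to serve based on the Host header, and only your name shows whether a tenant still owns it.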
Exposed admin panels
A database admin tool opened up "just temporarily" for a supplier. A router's web interface whose IP allowlist was never revisited after the project ended. The CI/CD server of a developer who has since left. Admin panels exposed directly to the internet are the shortest route in for attackers: they often still carry default credentials or known vulnerabilities, and if nobody knows they exist, nobody is watching their logs. Prevention: management interfaces belong behind a VPN or an IP restriction; continuous port scans of your own address space show when one appears anyway.
Expired and forgotten SSL/TLS certificates
An expired certificate on a forgotten subdomain seems harmless: nothing important runs there anyway, right? But the signal is twofold. To your customers and chain partners: this organisation does not have its housekeeping in order. To an attacker: nobody is looking here, this is unmanaged territory. Moreover, Certificate Transparency logs are public and list every publicly trusted certificate ever issued for your domains, so attackers use them as a free inventory of your subdomains, including the ones you forgot. You can use the same logs to recover those forgotten assets yourself, and the expiry dates in them show which names nobody has renewed since.
A proactive approach: continuous attack surface management
The common denominator of these three dangers: they arise after the last audit and do not wait for the next one. An annual inventory therefore always loses to reality. The alternative is to manage the external attack surface continuously, in a cycle of four steps:
| Step | What happens | Result |
|---|---|---|
| 1. Discover | Continuously search for domains, subdomains, IPs and services — from the outside, like an attacker | The real attack surface, including shadow IT |
| 2. Compare | Lay the discovered picture next to the formal register | The blind spots, made explicit |
| 3. Assess | Per unknown asset: whose is this, should it be online, is it vulnerable? | Owner and decision per asset |
| 4. Re-verify | Confirm in a verified way that clean-up or remediation has happened | Demonstrably closed findings |
Step 1 is exactly the reconnaissance an attacker performs too, DNS enumeration, Certificate Transparency logs, port scans, but commissioned by you and with the results in your dashboard. Steps 2 through 4 turn it into a management process: every discovered asset gets an owner and a decision, and that decision is recorded traceably. This feeds not only your security but also your NIS2 file: an organisation that can show unknown assets are discovered and assessed within days gives exactly the substance to asset management that the duty of care requires. See also the article "Scanning is not NIS2 compliance" on how scan results become compliance evidence.
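The Certificate Transparency inventory from the previous section and steps 1 and 2 of this cycle, as an added example (not code from the article, nor from OpenKAT or Exposentry): it parses a constructed response in the JSON shape crt.sh returns, collapses the per-certificate SAN lists into one set of hostnames, and lays that set next to a constructed register export. Whatever is in CT but not in the register is a blind spot, and the newest expiry date attached to each name shows which forgotten names also carry a lapsed certificate. Hostnames, dates and register contents are assumed.

```python
"""Discover subdomains from Certificate Transparency and compare them with the
formal asset register (steps 1 and 2 of the cycle).

Added example for this article; not code from the article or from
OpenKAT/Exposentry. CT_RESPONSE is a constructed answer in the JSON shape
crt.sh returns for ?q=%25.yourcompany.example&output=json; a live run
would fetch that URL instead. REGISTER stands in for a CMDB export.
"""
import json
from dataclasses import dataclass
from datetime import datetime

CT_RESPONSE = json.dumps([
    {"id": 1, "common_name": "www.yourcompany.example",
     "name_value": "www.yourcompany.example\nyourcompany.example",
     "not_before": "2025-06-01T00:00:00", "not_after": "2026-08-30T23:59:59"},
    {"id": 2, "common_name": "promo.yourcompany.example",  # the 2023 campaign
     "name_value": "promo.yourcompany.example",
     "not_before": "2023-03-01T00:00:00", "not_after": "2024-03-01T23:59:59"},
    {"id": 3, "common_name": "*.staging.yourcompany.example",
     "name_value": "*.staging.yourcompany.example\nstaging.yourcompany.example",
     "not_before": "2026-01-15T00:00:00", "not_after": "2027-01-15T23:59:59"},
    {"id": 4, "common_name": "gitlab-old.yourcompany.example",  # departed developer
     "name_value": "gitlab-old.yourcompany.example",
     "not_before": "2024-06-30T00:00:00", "not_after": "2025-06-30T23:59:59"},
])

# Constructed CMDB export: what the organisation thinks it has online.
REGISTER = {"yourcompany.example", "www.yourcompany.example", "mail.yourcompany.example"}

# Fixed reference date so the run is reproducible; use datetime.utcnow() live.
REPORT_DATE = datetime(2026, 6, 12)


def names_from_ct(ct_json: str) -> dict:
    """Step 1: map every hostname in the CT entries to its newest not_after.

    name_value holds all SANs of one certificate, newline-separated. A
    wildcard (*.zone) is reduced to the zone name: the certificate proves
    the zone exists, while the register lists concrete hostnames.
    """
    latest = {}
    for entry in json.loads(ct_json):
        not_after = datetime.fromisoformat(entry["not_after"])
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if not name:
                continue
            if name not in latest or not_after > latest[name]:
                latest[name] = not_after
    return latest


@dataclass
class BlindSpot:
    name: str
    latest_not_after: datetime
    cert_expired: bool


def compare_with_register(ct_names: dict, register: set, today: datetime) -> list:
    """Step 2: names CT knows about but the register does not.

    cert_expired marks names whose newest certificate has lapsed: either
    the service is gone (and its DNS record probably dangles), or it is
    still up and nobody renews it. Both need an owner and a decision.
    """
    return [
        BlindSpot(name, ct_names[name], ct_names[name] < today)
        for name in sorted(ct_names)
        if name not in register
    ]


def blind_spots(today: datetime = REPORT_DATE) -> list:
    """Run both steps on the constructed data."""
    return compare_with_register(names_from_ct(CT_RESPONSE), REGISTER, today)


if __name__ == "__main__":
    for spot in blind_spots():
        state = "EXPIRED" if spot.cert_expired else "valid"
        print(f"{spot.name:35} newest cert until {spot.latest_not_after:%Y-%m-%d} ({state})")
```

On the constructed data this yields three blind spots: gitlab-old and promo with expired certificates, staging with a current one. Two caveats for a live run: replace CT_RESPONSE with the body of https://crt.sh/?q=%25.yourcompany.example&output=json and REGISTER with a real CMDB export, and remember that CT only shows names that ever received a publicly trusted certificate. Hosts served over plain HTTP or covered only by a wildcard do not appear, so CT complements DNS enumeration and port scanning rather than replacing them.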
Conclusion
Shadow IT does not disappear through policy; every company with more than a handful of employees builds it up. The difference lies in discovery time: at organisations that continuously monitor their external attack surface, a forgotten subdomain lives for days — at organisations that take annual inventories, for years. And it is exactly those years in which a subdomain takeover, an open admin panel or an expired certificate turns from theoretical risk into incident.
Curious what is really attached to your domain? Exposentry maps your external attack surface from the outside — subdomains, open ports, certificates, software versions — and monitors it continuously, with traceable evidence per finding. Start a first scan or see the plans and pricing: the forgotten assets the scan will find are already out there.
Written by Edward Hasekamp, founder of Exposentry and core maintainer of the open-source OpenKAT project. See the project on GitHub and the profile at github.com/hasecon. Exposentry provides NL-sovereign, forensically substantiated vulnerability monitoring based on OpenKAT. More articles in the Knowledge base.