Practical articles on the NIS2 supply chain obligation, your digital attack surface and evidence-first vulnerability monitoring.
Published on July 7, 2026
The Dutch Senate has adopted the Cybersecurity Act and the Critical Entities Resilience Act. Both enter into force on 15 August 2026. What does this mean for your organisation and your suppliers?
Read article →Published on June 16, 2026
Your external attack surface changes constantly. What External Attack Surface Management (EASM) is, why SMEs and the supplier chain need it, and how to manage it with evidence.
Read article →Published on July 11, 2026
A scan report with dozens of findings: what comes first? EPSS predicts the likelihood of exploitation, the KEV catalogue shows confirmed exploitation. This is how you prioritise by actual risk instead of severity scores alone.
Read article →Published on June 16, 2026
A list of vulnerabilities is not evidence. Auditors, cyber insurers and large customers want traceable, dated evidence. What that is and how to build it.
Read article →Published on July 3, 2026
internet.nl is an excellent free starting point for modern internet standards. But a snapshot is not an evidence file. When a free check is enough, and when it is not.
Read article →Published on June 5, 2026
NIS2 makes cybersecurity a board-level responsibility. Read what this means for public-sector directors, liability, duty of care, training obligations and demonstrable risk management.
Read article →Published on June 16, 2026
NIS2 does not mandate any specific tool. Learn what the supply-chain duty of care really asks of you, when the Dutch Cybersecurity Act takes effect, and how to substantiate it with evidence.
Read article →Published on June 12, 2026
A NIS2 supplier questionnaire from your large customer on your desk? How to answer the four most common questions about patch management, MFA, incident response and your own suppliers — with evidence the auditor accepts.
Read article →Published on June 12, 2026
A practical NIS2 roadmap for public-sector boards: from duty of care to demonstrable compliance in five steps. With concrete actions for scope, training, monitoring, incident response and the audit trail.
Read article →Published on July 3, 2026
A security report that reaches you through your IT provider is judging that provider's own work. Why that weakens your evidence and what independent reporting means.
Read article →Published on June 26, 2026
Every Exposentry report is digitally sealed and timestamped. Here is how to confirm a report is genuinely ours and has not been altered, using our public certificate and its fingerprint.
Read article →Published on June 12, 2026
Shadow IT is the biggest blind spot under NIS2. Learn how to manage your external attack surface: prevent subdomain takeover, find exposed admin panels and track down expired certificates with continuous monitoring.
Read article →Published on July 11, 2026
Sector plus size determine whether your organisation falls under NIS2 and the Dutch Cybersecurity Act. Walk through the self-check: which sectors, which thresholds, the exceptions, and what to arrange before 15 August 2026.
Read article →Published on June 12, 2026
You don't build a cybersecurity board report by summarising a CVE list. How to filter noise using exploitability and exposure, and build a NIS2 dashboard the board can actually steer on.
Read article →Published on July 11, 2026
A penetration test and a vulnerability scan are not synonyms. What is the difference, what do they cost, what does NIS2 expect and in what order should you deploy them? A guide for boards and decision-makers.
Read article →Published on June 5, 2026
CISOs need more than a list of vulnerabilities. Discover how evidence-first vulnerability monitoring helps make attack surface, risks and remediation demonstrably governable.
Read article →Published on June 16, 2026
OpenKAT is a free, open-source vulnerability analysis tool, originally built by the Dutch Ministry of Health and now maintained by the community. Not a mandatory SaaS, not a certification.
Read article →Published on July 11, 2026
Vulnerability monitoring is the continuous surveillance of your systems for vulnerabilities. Why does a one-off scan or pentest age so quickly, what does NIS2 expect, and what should you demand from good monitoring?
Read article →Published on May 29, 2026
Prove ownership of your domain in three ways — a DNS TXT record, a file on your web server, or an HTML meta tag. One method is enough. Includes provider examples and fixes for common problems.
Read article →Published on May 12, 2026
Through the supply-chain duty of care, NIS2 and the Dutch Cybersecurity Act also affect SME suppliers. What your large customer expects of you and how to demonstrate basic cyber hygiene.
Read article →Published on May 19, 2026
Your attack surface in plain English: DNS, open ports, TLS, subdomains, exposed panels and CVEs. What an attacker sees and why monitoring matters.
Read article →Published on May 26, 2026
An honest take: scanning for vulnerabilities does not make you NIS2 compliant. But it does provide defensible evidence for vulnerability management and the supply-chain duty of care.
Read article →