
nis2

How to fix: Contact / vulnerability-report page reachable

NIS2 Art. 21(2)(j)

Why this matters

Under NIS2, regulators and partners may need to notify you of incidents that affect supply chains. A clearly published contact path is the baseline expectation.

Background

NIS2 entities must publish a contact for security incident reporting. A reachable /contact page (or /security or /.well-known/security.txt) is the practical implementation. Missing it is a direct Art. 21(2)(j) gap.

References

NIS2 Art. 21(2)(j) — public contact for incident reporting

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

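nginx
No server config needed; this is a content page.
apache
Same as nginx: no server config needed.
cloudflare
Same as nginx: no server config needed.
wordpress
Add a /contact page with an email address and, optionally, a contact form. Ensure the email is monitored or aliased to a real inbox.
flask
Add a /contact route and template.
express
Same as flask: add a /contact route and template.
rails
Same as flask: add a /contact route and template.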

Verify it's working

curl -s https://your-site/contact | head — should return 200 with at least one reachable email address.
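
The check above, extended to all three paths named in Background, as an added example that is not part of the original guide. The function names, the `example.test` host and the sample responses are constructed for illustration; a 200 page without an email address (for instance a form-only page or a soft 404) does not count as a pass.

```python
import re
import urllib.error
import urllib.request

# Paths the guide accepts as the published contact location.
CANDIDATE_PATHS = ("/contact", "/security", "/.well-known/security.txt")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
ASSET_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp")  # e.g. logo@2x.png

def http_fetch(url, timeout=10):
    """GET url and return (status, body); status is None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(200_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except OSError:  # DNS failure, refused connection, TLS error, timeout
        return None, ""

def extract_emails(body):
    """Email addresses in the page, minus retina-image names like logo@2x.png."""
    found = {m.lower() for m in EMAIL_RE.findall(body)}
    return sorted(e for e in found if not e.endswith(ASSET_SUFFIXES))

def probe(base_url, fetch=http_fetch):
    """Return [(path, status, emails)] for every candidate path."""
    results = []
    for path in CANDIDATE_PATHS:
        status, body = fetch(base_url.rstrip("/") + path)
        results.append((path, status, extract_emails(body) if status == 200 else []))
    return results

def passes(results):
    """The guide's criterion: some path returns 200 and shows an email address."""
    return any(status == 200 and emails for _, status, emails in results)

# Constructed sample responses so the example runs offline.
SAMPLE = {
    "https://example.test/contact": (200, '<img src="logo@2x.png"><p>Use our form.</p>'),
    "https://example.test/security": (404, ""),
    "https://example.test/.well-known/security.txt":
        (200, "Contact: mailto:security@example.test\nExpires: 2030-01-01T00:00:00Z\n"),
}

def sample_fetch(url):
    return SAMPLE.get(url, (None, ""))

if __name__ == "__main__":
    for row in probe("https://example.test", sample_fetch):
        print(row)
    print("pass:", passes(probe("https://example.test", sample_fetch)))
```

To run it against a live site, call `probe("https://your-site")` without the second argument so the real `http_fetch` is used.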
