How to fix: Contact / vulnerability-report page reachable
NIS2 Art. 21(2)(j)
Why this matters
Under NIS2, regulators and partners may need to notify you of incidents that affect supply chains. A clearly published contact path is the baseline expectation.
Background
NIS2 entities must publish a contact for security incident reporting. A reachable /contact page (or /security or .well-known/security.txt) is the practical implementation. Missing it is a direct Art. 21(2)(j) gap.
References
NIS2 Art. 21(2)(j) — public contact for incident reporting
How to fix
Guidance for each stack we cover. Pick the one matching your server or framework.
nginx
No server configuration is needed; this is a content page.
apache
Same.
cloudflare
Same.
wordpress
Add a /contact page with an email address and, optionally, a contact form. Ensure the email address is monitored or aliased to a real inbox.
flask
Add a /contact route and a template.
express
Same.
rails
Same.
Verify it's working
curl -si https://your-site/contact | head should show a 200 status line, and the page body should contain at least one reachable email address.
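The same check as a script, covering all three locations named in the Background section. This is an added example, not part of the original page or the audit tool; the function names, the email pattern and the treatment of security.txt "Contact:" fields (the field defined by RFC 9116) are assumptions made for illustration.

```python
import re
import urllib.error
import urllib.request

# Paths the page names as acceptable contact locations.
PATHS = ("/contact", "/security", "/.well-known/security.txt")
# Assumed pattern: a pragmatic email matcher, not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def http_fetch(url, timeout=10):
    """Return (status, body); HTTP errors become a status, not an exception."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(200_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""  # DNS failure, refused connection, timeout


def extract_contacts(path, body):
    """Return the contact addresses published in body."""
    if path.endswith("security.txt"):
        # security.txt: only "Contact:" fields count; comment lines are ignored.
        found = []
        for line in body.splitlines():
            name, _, value = line.partition(":")
            if not line.startswith("#") and name.strip().lower() == "contact":
                found.append(value.strip())
        return found
    return sorted(set(EMAIL_RE.findall(body)))


def check_site(base_url, fetch=http_fetch):
    """Map each candidate path to its status, contacts and pass/fail verdict."""
    report = {}
    for path in PATHS:
        status, body = fetch(base_url.rstrip("/") + path)
        contacts = extract_contacts(path, body) if status == 200 else []
        report[path] = {"status": status, "contacts": contacts,
                        "ok": status == 200 and bool(contacts)}
    return report


def site_passes(report):
    """The check is met if at least one path is reachable with a contact."""
    return any(entry["ok"] for entry in report.values())
```

Call check_site("https://your-site") and inspect the per-path report. A pass shows that an address is published, not that the inbox behind it is monitored, so follow up with a test message.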