From Regulation to Resilience: Developing an Integrated Vulnerability Assessment Framework for EU NIS2 Directive Compliance in Critical Infrastructure Sectors
YALCIN, LOKMAN
2024/2025
Abstract
This thesis presents the development of a cybersecurity assessment framework that determines an organization's compliance score against the European Union's NIS 2 Directive (Directive (EU) 2022/2555) and assists the organization in achieving compliance with it. As cybersecurity threats grow in complexity, the need for structured and effective regulatory compliance mechanisms becomes increasingly critical, especially for essential and important entities operating in the EU. The project begins with an in-depth analysis of the NIS 2 Directive and other relevant Italian and European cybersecurity regulations to establish a strong legal and technical foundation. The proposed framework combines manual assessment methods, such as questionnaires, with automated security verification tools, including vulnerability scanning software, to evaluate an organization's security posture. It features a structured questionnaire aligned with NIS 2 requirements, supported by a local web application developed in Python (Flask), which collects the responses, stores them in a MySQL database and computes a compliance score. The system also integrates tools such as Nmap for the technical part of the vulnerability assessment. Based on the evaluation results, the framework provides actionable guidelines to help organizations improve their security maturity and close the identified gaps. This work contributes to bridging the gap between regulatory requirements and practical implementation, offering a scalable and adaptable tool to support small and medium-sized enterprises in achieving cybersecurity resilience and compliance under NIS 2.

| File | Size | Format |
|---|---|---|
| Yalcin_Lokman.pdf (embargo until 14/07/2026) | 10.74 MB | Adobe PDF |
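The abstract describes a scorer that merges questionnaire answers with Nmap results but does not show how the two are combined. The following is an added illustration, not code from the thesis: it maps each questionnaire control to one of the ten risk-management measure areas listed in Article 21(2) of the Directive, scores yes/partial/no answers per area, parses `nmap -oX` output and lowers the score of an area when an open service contradicts it (for example, Telnet exposed on a host undermines "secured communications"). The answer weights, the penalty, the service-to-area mapping, the sample questionnaire and the sample scan XML are all constructed assumptions; the thesis's own scoring model may differ.

```python
"""Added example of a NIS 2 compliance scorer (not the thesis's code).

Assumptions (not from the page): answers are yes/partial/no per control, each
control maps to one Article 21(2) measure area, Nmap findings arrive as `nmap -oX`
XML, and an open legacy service costs its area a fixed penalty.
"""
import xml.etree.ElementTree as ET

# Risk-management measure areas of Article 21(2), Directive (EU) 2022/2555.
MEASURE_AREAS = {
    "a": "Risk analysis and information system security policies",
    "b": "Incident handling",
    "c": "Business continuity and crisis management",
    "d": "Supply chain security",
    "e": "Security in acquisition, development and maintenance; vulnerability handling",
    "f": "Assessing the effectiveness of risk-management measures",
    "g": "Cyber hygiene practices and cybersecurity training",
    "h": "Cryptography and encryption",
    "i": "Human resources security, access control and asset management",
    "j": "Multi-factor authentication and secured communications",
}

ANSWER_SCORE = {"yes": 1.0, "partial": 0.5, "no": 0.0}   # assumed weights

# Constructed questionnaire responses: (control id, measure area, answer).
SAMPLE_ANSWERS = [
    ("A1", "a", "yes"), ("A2", "a", "partial"),
    ("B1", "b", "no"), ("B2", "b", "yes"),
    ("J1", "j", "partial"),
]

# Constructed `nmap -oX` output for one host (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>"""

# Assumed mapping: an exposed service and the measure area it undermines.
RISKY_SERVICES = {"telnet": "j", "ftp": "j", "http": "j", "rlogin": "j", "mysql": "i"}


def score_questionnaire(answers):
    """Return ({area: score in [0, 1]}, mean over the answered areas)."""
    totals = {}
    for _cid, area, answer in answers:
        if area not in MEASURE_AREAS:
            raise ValueError(f"unknown measure area {area!r}")
        points = ANSWER_SCORE[answer.lower()]
        got, n = totals.get(area, (0.0, 0))
        totals[area] = (got + points, n + 1)
    per_area = {area: got / n for area, (got, n) in totals.items()}
    overall = sum(per_area.values()) / len(per_area) if per_area else 0.0
    return per_area, overall


def open_services(nmap_xml):
    """Parse Nmap XML and return [(address, port, service name)] for open ports."""
    root = ET.fromstring(nmap_xml)
    found = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            found.append((addr, int(port.get("portid")), name))
    return found


def technical_findings(nmap_xml):
    """Open services that contradict a measure area: [(addr, port, name, area)]."""
    return [(addr, port, name, RISKY_SERVICES[name])
            for addr, port, name in open_services(nmap_xml) if name in RISKY_SERVICES]


def combined_score(answers, nmap_xml, penalty=0.25):
    """Questionnaire score with technical findings applied as per-area penalties.

    Only areas covered by the questionnaire are scored; a finding for an
    unanswered area is still reported by technical_findings() but not scored.
    """
    per_area, _ = score_questionnaire(answers)
    for _addr, _port, _name, area in technical_findings(nmap_xml):
        if area in per_area:
            per_area[area] = max(0.0, per_area[area] - penalty)
    overall = sum(per_area.values()) / len(per_area) if per_area else 0.0
    return per_area, overall


if __name__ == "__main__":
    per_area, overall = combined_score(SAMPLE_ANSWERS, SAMPLE_NMAP_XML)
    for area, score in sorted(per_area.items()):
        print(f"{area}) {MEASURE_AREAS[area]}: {score:.2f}")
    for addr, port, name, area in technical_findings(SAMPLE_NMAP_XML):
        print(f"finding: {addr}:{port} {name} open, lowers area {area})")
    print(f"overall compliance score: {overall:.2f}")
```

In the constructed sample the questionnaire alone yields 0.58, and the exposed Telnet service drops area (j) from 0.50 to 0.25, pulling the overall score to 0.50. In a real deployment the scan would be produced by `nmap -oX report.xml <targets>` against assets the organization is authorised to scan, and the penalty and mapping would be set by the assessor rather than hard-coded.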
The text of this website © Università degli studi di Padova. Full texts are published under a non-exclusive license. Metadata are released under a CC0 license.
https://hdl.handle.net/20.500.12608/87278