
Automated patching: the answer to NIS 2, Article 21

Executives must prove vulnerabilities are remediated in a timely manner. Well-configured automated patching is the safest, most auditable way to meet NIS 2 Art. 21.


What the law requires

NIS 2 Article 21 obliges “essential” and “important” entities to implement cyber risk management measures that explicitly include “security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.” In other words: you must detect, prioritize and remediate flaws—and be able to prove it. See the official text on EUR‑Lex (Art. 21). For a local overview, see our page on the NIS 2 directive.

In Luxembourg, ILR is the competent authority for NIS 2. Its portal states that the law of 5 May 2026 transposes NIS 2 and organizes supervision of the security measures of in‑scope entities. Expect to demonstrate your processes (inventory, patching, deadlines/SLAs, reports). Reference: ILR – NISS (NIS 2). For national operational context, also see our page on NIS 2 in Luxembourg.

The technical solution (state of the art)

“Automated patching” is not a magic click. It is a controlled chain from inventory to remediation with safeguards:

  • Inventory and exposure: map workstations, servers, containers, SaaS and network equipment, and link each asset to an owner and business criticality (CMDB). Reference ISO/IEC 27001:2022 – Annex A 8.1 (inventory) and A 8.8 (vulnerability management).
  • Continuous detection: authenticated scans (agent/agentless), ingestion of advisories (CVE, CISA KEV), SBOM for third‑party software, and correlation in a risk engine (CVSS modified by exposure, exploitability, asset criticality).
  • Patch orchestration:
    • Windows: WSUS/Intune/ConfigMgr with rings (canary → pilot → production).
    • Linux: signed repositories (Yum/DNF/APT), live‑patching where relevant.
    • Mac: MDM (declarative management).
    • Cloud/IaC: golden images, immutable replace‑patching, and fixes managed via CI/CD pipelines.
  • Quality controls: sandboxing, regression tests, maintenance windows, rollback plan, conditional approvals by criticality.
  • Evidence and traceability: immutable logs, SLA dashboards (e.g., “critical CVE on critical assets remediated by T+7”), reports for the authority.
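As an added example of the "risk engine" step (not code from the article or from Luxgap), the block below scores each finding from its CVSS base modified by asset criticality, exposure and CISA KEV listing, maps the result onto a priority band and assigns the SLA deadline that band carries. The weights, bands and SLA days are assumed policy values, the assets are constructed, and the `CVE-0000-000x` identifiers are placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values (hypothetical): SLA days per priority band and the weight
# each CMDB criticality level carries in the modified score.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
CRITICALITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.6, "low": 0.4}


@dataclass(frozen=True)
class Asset:
    """One CMDB record: every asset is linked to an owner and a business criticality."""
    name: str
    owner: str
    criticality: str       # "critical" | "high" | "medium" | "low"
    internet_facing: bool  # exposure as seen from outside the perimeter


@dataclass(frozen=True)
class Finding:
    """One correlated scanner/advisory result for a single asset."""
    cve: str
    asset: Asset
    cvss_base: float       # CVSS v3 base score, 0.0 to 10.0
    in_kev: bool           # listed in CISA's Known Exploited Vulnerabilities catalogue


def risk_score(f: Finding) -> float:
    """CVSS base modified by criticality, exposure and exploitability, capped at 10.0.

    A KEV listing adds a flat bonus: confirmed exploitation outranks theoretical severity.
    """
    score = f.cvss_base * CRITICALITY_WEIGHT[f.asset.criticality]
    if f.asset.internet_facing:
        score *= 1.25
    if f.in_kev:
        score += 2.0
    return round(min(score, 10.0), 1)


def priority(score: float) -> str:
    """Map the modified score onto the SLA bands of the patching policy."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def plan_remediation(findings: list[Finding], detected: date) -> list[dict]:
    """Return the findings ordered by risk, each with its priority, owner and SLA deadline."""
    rows = []
    for f in findings:
        s = risk_score(f)
        p = priority(s)
        rows.append({
            "cve": f.cve,
            "asset": f.asset.name,
            "owner": f.asset.owner,
            "score": s,
            "priority": p,
            "deadline": detected + timedelta(days=SLA_DAYS[p]),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory and findings (illustrative only; placeholder CVE ids).
DB01 = Asset("db01", "payments-team", "critical", internet_facing=False)
WEB02 = Asset("web02", "web-team", "high", internet_facing=True)
LAB07 = Asset("lab07", "qa-team", "low", internet_facing=False)

SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", LAB07, cvss_base=9.8, in_kev=False),  # high CVSS, throwaway lab box
    Finding("CVE-0000-0002", WEB02, cvss_base=7.5, in_kev=True),   # lower CVSS, exposed and exploited
    Finding("CVE-0000-0003", DB01, cvss_base=9.8, in_kev=False),   # high CVSS on a critical asset
]

if __name__ == "__main__":
    for row in plan_remediation(SAMPLE_FINDINGS, date(2025, 1, 10)):
        print(f"{row['priority']:<8} {row['score']:>4}  {row['cve']}  {row['asset']:<6} "
              f"owner={row['owner']} due {row['deadline']}")
```

The point the sample makes: the exploited, internet-facing CVSS 7.5 on `web02` lands in the same 7-day band as the CVSS 9.8 on the critical database, while the identical CVSS 9.8 on a low-criticality lab host drops to the 90-day band. Pure CVSS ordering would have scheduled the lab box before the exposed web server.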

European best practices emphasize the vulnerability track: ENISA describes coordinated vulnerability management and disclosure processes and is preparing a European vulnerability database; see ENISA – Vulnerability Disclosure and the EUCC (2025) guidelines on vulnerability management/disclosure.

Germany’s BSI details a “Patch‑ und Änderungsmanagement” (patch and change management) module formalizing roles, cycles and prioritization—useful to frame governance and operational controls. Reference: BSI IT‑Grundschutz‑Kompendium (Baustein OPS.1.1.3).

Reference frameworks to cite in your policies: NIST CSF 2.0 (ID.RA, PR.IP‑12, DE.CM‑8, RS.MI‑3), CIS Controls v8 (Control 7 “Continuous Vulnerability Management”, Control 4 “Secure Configuration”).

How Luxgap delivers this

Our approach aims to “prove and improve” continuously. Concretely:

  • Rapid mapping and patch policy: in 2–3 weeks we consolidate inventory (AD, cloud, MDM, hypervisors, CMDB), classify assets and draft a patching policy compliant with NIS 2 Art. 21 (cycles, windows, roles, SLAs by criticality).
  • Tool‑driven automation: we integrate your existing tools (WSUS/Intune, Ansible, MDM, scanners) into a risk‑based remediation pipeline (prioritization by exposure/exploitability), with deployment rings and rollback.
  • Audit‑ready evidence: “ILR‑ready” dashboards and reports covering patch coverage by segment, mean remediation times, justified exceptions and change traceability.

Depending on your needs, we add:

  • Our managed SOC: correlate vulnerabilities with SIEM/EDR telemetry to speed prioritization and detect active exploitation (24/7). Explore our managed SOC offering.
  • Our ISO 27001 governance: Lead Implementers align policies and evidence with ISO/IEC 27001 A 8.8 and internal audits.
  • Our outsourced DPO and CISO: business‑risk arbitration, documented exceptions, change boards.

Concrete case in Luxembourg or the EU

A European financial services firm, in scope as a NIS 2 “important entity,” faced >20,000 open vulnerabilities and critical patches applied beyond 30 days. In 6 weeks, we:

  1. Consolidated inventory (on‑prem + cloud + endpoints) and set SLAs: critical 7 days, high 14 days, medium 30 days, with approved exemptions.
  2. Established patch rings and a canary per segment; standardized weekly windows.
  3. Integrated vulnerability scanner ↔ patch tool ↔ ITSM for automatic tickets and deployment evidence.
  4. Enabled kernel live‑patching on a subset of critical servers to limit reboots.

Result: 78% reduction in exploitable vulnerabilities in 45 days, zero major production incidents, and compliance reports consumable by internal audit and leadership.
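Step 3 of the case (scanner ↔ patch tool ↔ ITSM with automatic tickets and deployment evidence) is the part auditors actually read, so here is an added example of that glue in Python. It is not Luxgap's tooling or any vendor's API: `RemediationTracker` is a hypothetical class standing in for the ITSM connector, the hosts, job references and `CVE-0000-000x` ids are constructed, and the SLA days are the case study's 7/14/30. It shows the three outcomes a weekly report must distinguish (closed with evidence, failed deployment left open, approved exception) and the two edge cases that silently corrupt metrics: rescans must not duplicate tickets, and a closed CVE that is detected again must reopen.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from statistics import mean

SLA_DAYS = {"critical": 7, "high": 14, "medium": 30}  # case-study SLA values


@dataclass
class Ticket:
    """One ITSM remediation ticket; the evidence lines are the audit trail."""
    ticket_id: str
    cve: str
    host: str
    segment: str
    opened: date
    due: date
    status: str = "open"            # open | closed | exception
    closed: date | None = None
    evidence: list[str] = field(default_factory=list)


class RemediationTracker:
    """Hypothetical connector between scanner, patch tool and ITSM (not a real product API)."""

    def __init__(self) -> None:
        self.tickets: dict[tuple[str, str], Ticket] = {}

    def ingest_finding(self, cve: str, host: str, segment: str, priority: str, detected: date) -> Ticket:
        """Scanner result -> ticket. A rescan of an open ticket adds no duplicate;
        a rescan that still sees a CLOSED CVE reopens it (the fix did not hold)."""
        key = (cve, host)
        t = self.tickets.get(key)
        if t is None:
            t = Ticket(f"VULN-{len(self.tickets) + 1:04d}", cve, host, segment,
                       detected, detected + timedelta(days=SLA_DAYS[priority]))
            t.evidence.append(f"{detected} opened from scan, priority={priority}")
            self.tickets[key] = t
        elif t.status == "closed":
            t.status, t.closed = "open", None
            t.evidence.append(f"{detected} reopened: CVE still detected after patch")
        return t

    def ingest_deployment(self, host: str, fixed_cves: list[str], when: date,
                          success: bool, log_ref: str) -> list[Ticket]:
        """Patch-tool job result -> close the matching tickets, but only on success."""
        touched = []
        for cve in fixed_cves:
            t = self.tickets.get((cve, host))
            if t is None or t.status != "open":
                continue
            if success:
                t.status, t.closed = "closed", when
                t.evidence.append(f"{when} patched, job log {log_ref}")
            else:
                t.evidence.append(f"{when} deployment FAILED, job log {log_ref}")
            touched.append(t)
        return touched

    def record_exception(self, cve: str, host: str, when: date, justification: str, approver: str) -> Ticket:
        """Approved exception: leaves 'open' (no longer overdue) without counting as remediated."""
        t = self.tickets[(cve, host)]
        t.status = "exception"
        t.evidence.append(f"{when} exception approved by {approver}: {justification}")
        return t

    def weekly_report(self, today: date) -> dict[str, dict]:
        """Per-segment figures for the risk committee: coverage, overdue, exceptions, mean days."""
        report: dict[str, dict] = {}
        for t in self.tickets.values():
            seg = report.setdefault(t.segment, {"total": 0, "closed": 0, "exception": 0,
                                                "open": 0, "overdue": 0, "days_to_close": []})
            seg["total"] += 1
            seg[t.status] += 1
            if t.status == "open" and today > t.due:
                seg["overdue"] += 1
            if t.status == "closed":
                seg["days_to_close"].append((t.closed - t.opened).days)
        for seg in report.values():
            days = seg.pop("days_to_close")
            seg["coverage"] = round(seg["closed"] / seg["total"], 2)
            seg["mean_days_to_close"] = round(mean(days), 1) if days else None
        return report


def build_sample_tracker() -> RemediationTracker:
    """Constructed scenario: two DMZ web hosts, two internal hosts, one week of events."""
    tr = RemediationTracker()
    d = date(2025, 3, 3)
    tr.ingest_finding("CVE-0000-0001", "web01", "dmz", "critical", d)
    tr.ingest_finding("CVE-0000-0002", "web02", "dmz", "critical", d)
    tr.ingest_finding("CVE-0000-0003", "db01", "internal", "high", d)
    tr.ingest_finding("CVE-0000-0004", "app01", "internal", "high", d + timedelta(days=1))
    tr.ingest_deployment("web01", ["CVE-0000-0001"], date(2025, 3, 5), True, "job-1187")
    tr.ingest_deployment("web02", ["CVE-0000-0002"], date(2025, 3, 5), False, "job-1188")
    tr.record_exception("CVE-0000-0003", "db01", date(2025, 3, 6),
                        "vendor patch breaks the application; host isolated behind WAF", "CISO")
    tr.ingest_deployment("app01", ["CVE-0000-0004"], date(2025, 3, 10), True, "job-1201")
    tr.ingest_finding("CVE-0000-0002", "web02", "dmz", "critical", date(2025, 3, 10))  # rescan, no duplicate
    return tr


def sample_report() -> dict[str, dict]:
    """The weekly report for the constructed scenario, as of 12 March 2025."""
    return build_sample_tracker().weekly_report(date(2025, 3, 12))


if __name__ == "__main__":
    for segment, figures in sample_report().items():
        print(segment, figures)
```

In the sample, `web02` is counted as overdue because its deployment job failed: a connector that closes tickets on "job ran" rather than "job succeeded" would report 100% DMZ coverage here, which is exactly the kind of figure an authority will later test against reality.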

First concrete steps

  • Set your SLAs (e.g., critical ≤ 7 days) and get executive approval. Without deadlines, you can’t steer.
  • Unify inventory into a single view (CMDB): servers, endpoints, cloud, SaaS. Without reliable inventory, automation fails.
  • Deploy rings (canary → pilot → prod) with a documented rollback plan.
  • Link scanner ↔ patch ↔ ITSM to auto‑create, track and close remediation tickets with evidence.
  • Measure and report weekly: coverage by segment, mean times, justified exceptions. Use these reports in the risk committee.
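Deploying rings with a documented rollback plan, as an added example in Python (not Luxgap's or any patch tool's code): a rollout promotes canary → pilot → production only while the failure rate of the ring just patched stays under a gate, and on a breach rolls the patch back on every host patched so far and never touches the remaining rings. `ring_rollout` and the simulated fleet are hypothetical; the two callables stand in for the real tool's apply and rollback actions, and the patch ids are placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

RINGS = ["canary", "pilot", "production"]   # promotion order


@dataclass(frozen=True)
class Host:
    name: str
    ring: str


@dataclass
class RolloutResult:
    patch_id: str
    status: str                                            # "completed" | "halted"
    halted_at: str | None = None
    patched: list[str] = field(default_factory=list)       # hosts left with the patch applied
    rolled_back: list[str] = field(default_factory=list)   # hosts restored to the previous state
    audit_log: list[str] = field(default_factory=list)     # evidence trail for the change record


def ring_rollout(patch_id: str, hosts: list[Host],
                 apply_patch: Callable[[Host], bool],
                 rollback_patch: Callable[[Host], None],
                 max_failure_rate: float = 0.1) -> RolloutResult:
    """Patch ring by ring; promote only while the ring's failure rate is within the gate.

    On a gate breach: roll back every host patched in this rollout (this ring and the
    earlier ones), record it, and stop before the next ring is touched.
    """
    result = RolloutResult(patch_id, "completed")
    for ring in RINGS:
        targets = [h for h in hosts if h.ring == ring]
        if not targets:
            result.audit_log.append(f"{ring}: no hosts, skipped")
            continue
        failed = []
        for h in targets:
            if apply_patch(h):
                result.patched.append(h.name)
            else:
                failed.append(h.name)
        rate = len(failed) / len(targets)
        result.audit_log.append(f"{ring}: {len(targets)} hosts, {len(failed)} failed ({rate:.0%})")
        if rate > max_failure_rate:
            for name in result.patched:
                rollback_patch(next(x for x in hosts if x.name == name))
            result.rolled_back, result.patched = result.patched, []
            result.status, result.halted_at = "halted", ring
            result.audit_log.append(f"{ring}: gate breached (>{max_failure_rate:.0%}), "
                                    f"rolled back {len(result.rolled_back)} hosts, promotion stopped")
            return result
        result.audit_log.append(f"{ring}: gate passed, promoting")
    return result


# Constructed fleet: 1 canary, 4 pilot and 10 production hosts.
FLEET = ([Host("can01", "canary")]
         + [Host(f"pil{i:02d}", "pilot") for i in range(1, 5)]
         + [Host(f"prd{i:02d}", "production") for i in range(1, 11)])


def simulate(patch_id: str, breaks_on: set[str]) -> RolloutResult:
    """Simulator standing in for the patch tool: the patch 'fails' on the named hosts."""
    state: dict[str, str] = {}

    def apply_patch(h: Host) -> bool:
        ok = h.name not in breaks_on
        state[h.name] = "patched" if ok else "failed"
        return ok

    def rollback_patch(h: Host) -> None:
        state[h.name] = "rolled-back"

    res = ring_rollout(patch_id, FLEET, apply_patch, rollback_patch)
    res.audit_log.append("final state: " + ", ".join(f"{k}={v}" for k, v in sorted(state.items())))
    return res


if __name__ == "__main__":
    for line in simulate("PATCH-PLACEHOLDER-2", {"pil02"}).audit_log:
        print(line)
```

With one broken pilot host out of four the rate is 25%, so the rollout halts at the pilot ring, restores the canary and the three good pilot hosts, and leaves all ten production hosts untouched; the same single failure among ten production hosts is 10%, within the gate, and the rollout completes with that host logged as failed for follow-up. The audit log is the evidence the maintenance window produces whether or not the patch went out.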
