The NIS2 Directive (EU 2022/2555) and its national implementations — including Czech Zákon 264/2025 Sb. — do not contain a dedicated chapter on WiFi security. Instead, wireless networks fall under the broader network security requirements of Article 21, which mandates that regulated entities implement "appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems."
The absence of specific WiFi language doesn't mean regulators won't scrutinize wireless security. It means they will evaluate it against the general network security framework — which, for wireless networks, translates into a specific set of controls and evidence requirements.
The NIS2 Article 21 Framework for Wireless
Article 21(2) lists the minimum measures that entities must implement. The subsections most relevant to wireless security are:
- 21(2)(a): Policies and procedures for risk analysis and information system security
- 21(2)(e): Policies and procedures regarding the use of cryptography and encryption
- 21(2)(h): Policies on access control and asset management, including human resources security
- 21(2)(i): Use of multi-factor authentication or continuous authentication solutions
Together, these create a concrete checklist for wireless network security. Below we break down each requirement and its practical WiFi implications.
Requirement 1: Access Control
NIS2 requires that access to network resources is controlled, documented and auditable. For wireless networks, this means being able to answer: which devices are authorized to connect, how is authorization verified, and what happens when a device is lost or an employee leaves?
WPA2-Personal (PSK) provides limited answers here — the single shared password offers no per-device accountability. WPA2-Enterprise with per-user certificates or credentials provides the auditability NIS2 expects.
Evidence to prepare:
- Written access control policy for wireless networks
- Device inventory listing authorized devices and their authorization method
- Record of access revocations (e.g., when employees depart)
- Guest network policy with credential rotation schedule
Requirement 2: Encryption Standards
NIS2 cryptography requirements mean that deprecated wireless encryption standards — WEP, WPA (TKIP), WPA2 with weak cipher suites — are not acceptable for networks handling regulated data. WPA2 with AES-CCMP is the current minimum; WPA3 is the recommended standard for new deployments.
Beyond the protocol, NIS2 requires that encryption is actively managed — not just configured at deployment and forgotten. This includes password strength testing for PSK networks and certificate validity management for Enterprise networks.
Evidence to prepare:
- Configuration documentation showing the encryption protocol and cipher suite for each SSID
- For WPA2-PSK networks: periodic password strength testing results (this is where wifiaudit.io reports serve as direct compliance evidence)
- For WPA2-Enterprise networks: certificate validity records and RADIUS server configuration documentation
Requirement 3: Network Monitoring and Incident Detection
NIS2 requires entities to detect cybersecurity events and respond to them. For wireless networks, this means monitoring for rogue access points, deauthentication attacks, unauthorized clients, and anomalous traffic patterns — not just inspecting the known, authorized network.
A wireless IDS/IPS (Intrusion Detection/Prevention System) capability — whether integrated into enterprise-grade access points (Cisco, Aruba, Fortinet) or implemented via dedicated sensors — is expected for regulated environments. Logging and alert documentation must be retained.
Evidence to prepare:
- WIDS/WIPS configuration documentation
- Logs showing monitoring coverage (time periods, locations)
- Records of detected events and response actions
- Rogue AP scan results with disposition (authorized/unauthorized)
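To make the monitoring requirement concrete, here is an added example (not code from the original page or from wifiaudit.io): a small Python analyser that runs over a few constructed sensor log lines and raises the three kinds of alert the section names, an unauthorized AP advertising a corporate SSID, an unknown AP that needs a disposition record, and a deauthentication flood. The log format, the BSSID and SSID values, the inventory and the thresholds are all assumptions made for this illustration.

```python
"""Added example (not from the original page or wifiaudit.io): a minimal
WIDS-style analyser over constructed 802.11 management-frame log lines.
The log format, the BSSID/SSID values and the thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory of authorised access points: BSSID -> SSID it should advertise.
AUTHORIZED_APS = {
    "aa:bb:cc:00:00:01": "CorpNet",
    "aa:bb:cc:00:00:02": "CorpNet",
    "aa:bb:cc:00:00:03": "Guest",
}

# Constructed sensor log: "<ISO timestamp> key=value ...", one frame per line.
SAMPLE_LOG = """\
2025-03-04T10:00:00Z type=beacon bssid=aa:bb:cc:00:00:01 ssid=CorpNet chan=6
2025-03-04T10:00:01Z type=beacon bssid=aa:bb:cc:00:00:03 ssid=Guest chan=11
2025-03-04T10:00:02Z type=beacon bssid=de:ad:be:ef:00:01 ssid=CorpNet chan=6
2025-03-04T10:00:03Z type=beacon bssid=12:34:56:78:9a:bc ssid=CoffeeShop chan=1
2025-03-04T10:00:05Z type=deauth bssid=aa:bb:cc:00:00:01 dst=ff:ff:ff:ff:ff:ff
2025-03-04T10:00:06Z type=deauth bssid=aa:bb:cc:00:00:01 dst=ff:ff:ff:ff:ff:ff
2025-03-04T10:00:06Z type=deauth bssid=aa:bb:cc:00:00:01 dst=ff:ff:ff:ff:ff:ff
2025-03-04T10:00:07Z type=deauth bssid=aa:bb:cc:00:00:01 dst=ff:ff:ff:ff:ff:ff
2025-03-04T10:00:08Z type=deauth bssid=aa:bb:cc:00:00:01 dst=ff:ff:ff:ff:ff:ff
2025-03-04T10:00:09Z type=deauth bssid=aa:bb:cc:00:00:01 dst=ff:ff:ff:ff:ff:ff
2025-03-04T10:00:20Z type=deauth bssid=aa:bb:cc:00:00:02 dst=11:22:33:44:55:66
"""


def parse_line(line):
    """Parse one constructed log line into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    frame = dict(f.split("=", 1) for f in fields)
    frame["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return frame


def analyse(log_text, authorized=AUTHORIZED_APS, deauth_threshold=5,
            window=timedelta(seconds=10)):
    """Return one alert per (kind, bssid): evil_twin, unknown_ap, ssid_mismatch
    or deauth_flood. Thresholds are assumed policy values, not a standard."""
    corporate_ssids = set(authorized.values())
    alerts, seen = [], set()
    deauth_times = defaultdict(list)  # bssid -> timestamps inside the sliding window

    def raise_alert(kind, bssid, detail):
        if (kind, bssid) not in seen:  # report each condition once per AP
            seen.add((kind, bssid))
            alerts.append({"kind": kind, "bssid": bssid, "detail": detail})

    for line in log_text.splitlines():
        if not line.strip():
            continue
        frame = parse_line(line)
        bssid = frame["bssid"]
        if frame["type"] == "beacon":
            ssid = frame.get("ssid", "")
            if bssid in authorized:
                if authorized[bssid] != ssid:  # inventory disagrees: misconfiguration or spoof
                    raise_alert("ssid_mismatch", bssid,
                                f"advertises {ssid!r}, inventory says {authorized[bssid]!r}")
            elif ssid in corporate_ssids:
                raise_alert("evil_twin", bssid,
                            f"unauthorised AP advertising corporate SSID {ssid!r} "
                            f"on channel {frame.get('chan')}")
            else:
                raise_alert("unknown_ap", bssid,
                            f"SSID {ssid!r} not in inventory; record disposition "
                            "(neighbour/unauthorised)")
        elif frame["type"] == "deauth":
            # Keep only frames still inside the window, then add this one.
            recent = [t for t in deauth_times[bssid] if frame["ts"] - t <= window]
            recent.append(frame["ts"])
            deauth_times[bssid] = recent
            if len(recent) >= deauth_threshold:
                # Spoofed deauth frames carry the legitimate BSSID, so this names
                # the affected AP, not the sender.
                raise_alert("deauth_flood", bssid,
                            f"{len(recent)} deauth frames within {window.seconds}s")
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(f"[{alert['kind']}] {alert['bssid']}: {alert['detail']}")
```

Each alert record is the kind of entry the "records of detected events" item above asks for; a real deployment would write it to the SIEM together with the sensor location and the operator's disposition. A single deauthentication frame from an authorized AP (the last log line) is normal operation and produces no alert.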
Requirement 4: Incident Response for Wireless Events
If a rogue AP is detected, an unauthorized device connects, or a WPA2 handshake is captured by an attacker, your incident response plan must define the response. NIS2 requires that significant incidents are reported to the national supervisory authority (NÚKIB in the Czech Republic) within 24 hours of discovery.
The wireless-specific incident response procedures should include: isolation of compromised network segments, PSK rotation procedures, certificate revocation steps, and the criteria that trigger reporting to regulators.
Evidence to prepare:
- Written incident response plan with wireless-specific scenarios
- Records of any past wireless incidents and actions taken
- Documented reporting thresholds and NÚKIB notification procedures
Requirement 5: Documentation and Audit Evidence
This is where many organizations fall short. NIS2 requires not just that controls exist, but that their effectiveness is regularly tested and the results documented. For wireless networks, this creates a specific documentation requirement that goes beyond configuration screenshots.
NIS2 supervisors will ask for:
- Evidence that wireless encryption strength is periodically tested — not just configured
- Results of wireless penetration testing or vulnerability assessments
- Records showing the testing methodology, scope, and findings
- Authorization declarations confirming testing was conducted on networks you are authorized to test
- Remediation records showing that findings were addressed
How wifiaudit.io addresses this directly: Each audit report generated by the wifiaudit.io API includes the test date, SSID, methodology (dictionary attack against 14M+ passwords), result (found/not found), audit duration, and an authorization declaration field. This structure maps to NIS2 Article 21 documentation requirements and is accepted as compliance evidence by auditors working across EU member states.
Practical NIS2 Wireless Audit Checklist
Use this checklist to assess your current NIS2 wireless compliance posture:
- SSID inventory: All SSIDs documented, purpose defined, encryption protocol recorded for each
- Encryption standard: No WEP, no WPA/TKIP; WPA2-AES minimum, WPA3 where possible
- Access control: WPA2-Enterprise for networks carrying sensitive data; PSK networks with documented rotation policy
- Password strength testing: WPA2-PSK networks tested against current wordlists, results documented
- WPS status: WPS disabled on all production access points; tested and confirmed
- Rogue AP detection: Regular scans conducted, results logged, unauthorized devices investigated
- Coverage perimeter: Signal tested at building boundaries, findings documented
- Guest network isolation: Guest SSID network-isolated from production, credential rotation schedule enforced
- Monitoring: WIDS/WIPS coverage documented, alert thresholds configured
- Incident response: Wireless-specific scenarios covered in IR plan, reporting thresholds defined
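The checklist can be applied mechanically to an SSID inventory. The following is an added example (not code from the original page or from wifiaudit.io) that checks a constructed inventory against the configuration-level items above: SSID purpose, encryption standard, Enterprise authentication for sensitive data, PSK rotation policy and test age, WPS status, and guest isolation. The record fields, the sample SSIDs and the 365-day re-test period are assumptions for this illustration; the rogue AP, perimeter, monitoring and incident response items are evidence-based and are not checked here.

```python
"""Added example (not from the original page or wifiaudit.io): a checker that
turns a wireless inventory into a NIS2 checklist gap report. Field names,
sample records and the 365-day re-test policy are assumptions."""
from datetime import date

# Constructed SSID inventory, one record per SSID.
INVENTORY = [
    {"ssid": "CorpNet", "purpose": "staff workstations", "data_class": "sensitive",
     "auth": "WPA2-Enterprise", "cipher": "CCMP", "wps": False, "isolated": False},
    {"ssid": "Warehouse", "purpose": "handheld scanners", "data_class": "internal",
     "auth": "WPA2-PSK", "cipher": "CCMP", "wps": True,
     "psk_last_tested": date(2024, 1, 15), "psk_rotation_days": None},
    {"ssid": "Guest", "purpose": "visitor internet", "data_class": "guest",
     "auth": "WPA2-PSK", "cipher": "CCMP", "wps": False, "isolated": False,
     "psk_last_tested": date(2025, 2, 1), "psk_rotation_days": 90},
    {"ssid": "Legacy-Printers", "purpose": "", "data_class": "internal",
     "auth": "WPA", "cipher": "TKIP", "wps": False},
]

DEPRECATED_AUTH = {"Open", "WEP", "WPA"}        # below the WPA2-AES minimum
ACCEPTABLE_CIPHERS = {"CCMP", "GCMP"}           # AES-based suites; TKIP is excluded
ENTERPRISE_AUTH = {"WPA2-Enterprise", "WPA3-Enterprise"}
PERSONAL_AUTH = {"WPA2-PSK", "WPA3-SAE"}        # shared-passphrase networks
MAX_TEST_AGE_DAYS = 365                         # assumed policy: re-test PSK yearly


def assess(record, today):
    """Return the checklist findings for one SSID record (empty list = compliant)."""
    findings = []
    if not record.get("purpose"):
        findings.append("SSID inventory: purpose not defined")
    if record["auth"] in DEPRECATED_AUTH or record["cipher"] not in ACCEPTABLE_CIPHERS:
        findings.append(f"Encryption standard: {record['auth']}/{record['cipher']} "
                        "is below the WPA2-AES minimum")
    if record["data_class"] == "sensitive" and record["auth"] not in ENTERPRISE_AUTH:
        findings.append("Access control: sensitive-data SSID must use Enterprise authentication")
    if record["auth"] in PERSONAL_AUTH:
        if record.get("psk_rotation_days") is None:
            findings.append("Access control: PSK network has no documented rotation policy")
        # Offline dictionary testing applies to the WPA2 4-way handshake; SAE resists it,
        # so the strength-test evidence item is only required for WPA2-PSK here.
        if record["auth"] == "WPA2-PSK":
            last = record.get("psk_last_tested")
            if last is None or (today - last).days > MAX_TEST_AGE_DAYS:
                findings.append("Password strength testing: no documented test result "
                                f"within the last {MAX_TEST_AGE_DAYS} days")
    if record.get("wps"):
        findings.append("WPS status: WPS enabled on a production SSID")
    if record["data_class"] == "guest" and not record.get("isolated"):
        findings.append("Guest network isolation: guest SSID not isolated from production")
    return findings


def gap_report(inventory, today=None):
    """Map each SSID to its findings, evaluated as of `today` (defaults to now)."""
    today = today or date.today()
    return {r["ssid"]: assess(r, today) for r in inventory}


def summary(report):
    """Return (compliant SSIDs, total SSIDs) for the report."""
    return sum(1 for f in report.values() if not f), len(report)


if __name__ == "__main__":
    report = gap_report(INVENTORY, date(2025, 3, 4))
    for ssid, findings in report.items():
        print(ssid, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
    print("compliant: %d of %d SSIDs" % summary(report))
```

Evaluating with a fixed date makes the report reproducible, which matters when it is filed as audit evidence: the same inventory and the same date give the same findings. The finding strings reuse the checklist item names so that each line of the report maps back to the item an auditor will ask about.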
Getting Started with NIS2 Wireless Compliance
For most organizations, the first gap to close is documentation of encryption strength. If you run WPA2-PSK networks, you need to demonstrate that the password is not dictionary-crackable — and you need that evidence in a format that satisfies an auditor.
The wifiaudit.io API provides this in two steps: capture the WPA2 handshake with airodump-ng or Wireshark, then POST the file to the API. You receive a compliance-ready PDF with your findings, methodology documentation, and authorization section — ready to append to your NIS2 evidence package.
For a broader NIS2 compliance framework — covering not just wireless but the full scope of Article 21 requirements for your organization — the free self-assessment tool at nis2ok.cz is a useful starting point. It covers all 13 security domains of the Czech implementing regulation and produces a structured gap report.