The NCSC performs scanning to identify vulnerabile and compromised devices and warns their owners in order for them to take appropriate measures. The NIS2 directive and its implementation in the “Cyberbeveiligingswet” tasks the NCSC with “proactive non-intrusive scanning of publicly accessible network and information systems of essential and important entities”. There is however no legal definition of non-intrusive scanning. So the questions rises, what is non-intrusive scanning? What measures can be taken to make scans non-intrusive?
