EUSEC
Rating Criteria

The methodology behind every EUSEC rating.

How we rate cyber risk.

A rating is an informed opinion built on evidence — not a guarantee, and not a penetration test. EUSEC forms that opinion from two complementary perspectives: what can be observed from the outside, and what an entity discloses from the inside. Both are expressed on a single, comparable scale, alongside a forward-looking outlook.

How a rating is formed

Outside Rating: non-intrusive, observed. No participation required.
Inside Rating: self-disclosed, scored on the BSI maturity model.
Outlook: forward-looking, where the rating is heading.
Combined rating (for example AA): one opinion, on a scale from AAA to C, with outlook.
Exhibit 01 — The framework

Two lenses, one rating.

Confidence is not the same as security. Each lens answers a different question, and the most valuable insight lives in the space between them — where what is claimed meets what can be observed.

Lens 01 — Observed

The Outside Rating

What an entity already exposes to the public internet. Assessed entirely from the outside, with no onboarding and no cooperation from the entity. It answers: what can an attacker see today?

Lens 02 — Declared

The Inside Rating

What an entity states about its own controls, captured through a structured self-disclosure scoped to its NIS2 status and scored on the BSI maturity model. It answers: how mature does the entity say it is?

Forward-looking

The Outlook

A directional view layered onto every rating: whether posture is improving, holding or eroding over time — and, for the Inside view, whether the self-assessment is borne out by what is observed.

Exhibit 02 — The Outside Rating

What the world can already see.

The Outside Rating is assembled from observable evidence across nine risk dimensions, with a tenth, analyst-applied calibration layered on top. Every signal is collected without intrusion and without the entity's involvement, which is why a full portfolio can be graded from day one.

Method principle — passive & lawful by design

We read only what is public or voluntarily disclosed. No exploitation, no break-in — only what a server, a record or a document already reveals on its own.

Legal Opinion — lawful in Germany & the EU
§ 202a / 202b / 303a StGB

No criminal-law violation: no data is specially protected or intercepted, no access safeguard is circumvented, and no data is altered.

GeschGehG · Dir. (EU) 2016/943

No trade-secret breach: the observed system data is general technical information the server provides voluntarily — not a protected secret.

DE & EU compliant

The method is lawful throughout Germany and meets EU compliance requirements — unlike many international providers.

EUSEC's legal opinion on the lawfulness of its methodology.

Dimension 01

Domain & email authentication

Low cost

Whether the entity can be impersonated by email, and how rigorously its naming infrastructure is governed.

SPF · DKIM · DMARC · Mail server / service · DNS security · DNSSEC · WHOIS ownership · Domain transfer lock · Subdomain naming · Subdomain enumeration · Certificate Transparency (crt.sh) · CAA records · DNS zone transfer (AXFR) · Domains in use

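As an added illustration of how the email-authentication signals in this dimension can be read passively from the records a domain already publishes, the following Python script parses a constructed set of DNS answers for a fictional domain, assesses SPF, DMARC, DKIM and CAA, and returns graded findings. This is example code, not EUSEC's scoring logic; the domain, the records, the selector name and the severities are assumptions chosen for the example. In practice the records come from ordinary DNS queries (TXT at the apex, TXT at _dmarc, TXT at selector._domainkey, CAA at the apex): public data, nothing probed.

```python
"""Passive assessment of a domain's email-authentication posture from its
published DNS records. Added example, not EUSEC's code; all records below
are constructed for a fictional domain."""

# Constructed DNS answers, keyed as "<type> <name>" (assumption for the example).
SAMPLE_RECORDS = {
    "TXT example.test": [
        "v=spf1 include:_spf.mailprovider.test include:_spf.crm.test a mx ~all",
    ],
    "TXT _dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "TXT selector1._domainkey.example.test": [],
    "CAA example.test": [],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most ten per evaluation.
SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(txt):
    """Return the qualifier of the 'all' term and the number of lookup-costing
    terms at the top level (included records are not recursed into here)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    qualifier, lookups = None, 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
        elif name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
    return {"all": qualifier, "lookups": lookups}


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_email_auth(domain, records, dkim_selectors=("selector1",)):
    """Turn the published records into a list of (severity, message) findings."""
    findings = []
    spf_txts = [t for t in records.get(f"TXT {domain}", []) if t.lower().startswith("v=spf1")]
    if not spf_txts:
        findings.append(("high", "no SPF record: any host may send as the domain"))
    elif len(spf_txts) > 1:
        findings.append(("high", "multiple SPF records: receivers treat this as a permanent error"))
    else:
        spf = parse_spf(spf_txts[0])
        if spf["all"] is None:
            findings.append(("high", "SPF has no all term: unknown senders are treated as neutral"))
        elif spf["all"] in "+?":
            findings.append(("high", f"SPF ends in {spf['all']}all: does not restrict senders"))
        elif spf["all"] == "~":
            findings.append(("low", "SPF uses softfail (~all); -all is stricter"))
        if spf["lookups"] > 10:
            findings.append(("medium", f"SPF needs {spf['lookups']} lookups, over the RFC 7208 limit of 10"))

    dmarc = next((d for d in map(parse_dmarc, records.get(f"TXT _dmarc.{domain}", [])) if d), None)
    if dmarc is None:
        findings.append(("high", "no DMARC record: spoofed mail is not policed"))
    else:
        if dmarc.get("p", "none").lower() == "none":
            findings.append(("medium", "DMARC p=none: monitoring only, spoofed mail is still delivered"))
        if "rua" not in dmarc:
            findings.append(("low", "DMARC without rua=: no aggregate reports are collected"))

    # Selectors cannot be enumerated, so a miss for guessed selectors is only a weak signal.
    if not any(records.get(f"TXT {s}._domainkey.{domain}") for s in dkim_selectors):
        findings.append(("medium", "no DKIM key found for the checked selectors"))

    if not records.get(f"CAA {domain}"):
        findings.append(("low", "no CAA record: any CA may issue certificates for the domain"))
    return findings


def worst_severity(findings):
    """Numeric rank of the most severe finding (0 when there are none)."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((order[sev] for sev, _ in findings), default=0)


if __name__ == "__main__":
    for sev, msg in assess_email_auth("example.test", SAMPLE_RECORDS):
        print(f"[{sev:6}] {msg}")
```

Two limits are worth keeping in mind when reading the output: the lookup count only covers the top-level record, so a full check has to recurse into each include and redirect, and the DKIM check can only confirm keys for selectors it already knows about.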
Dimension 02

Transport encryption

Time-intensive

The quality and currency of the cryptography protecting data in transit, evaluated endpoint by endpoint.

HTTPS configuration · HTTP fallback reachable · Certificate validity · TLS versions (1.0 / 1.1) · Cipher suites (RC4 / 3DES) · HSTS · OCSP stapling · Certificate chain · Certificate expiry · Wildcard certificates · Certificate Transparency · Forward secrecy

Dimension 03

Web application surface

Mixed depth

What the public web presence reveals — from protective response headers to unintentionally exposed paths, documents and metadata.

Software versions · Source code · Harvestable email addresses · Email address patterns · Exposed sensitive documents · Document metadata (FOCA / EXIF) · Exposed phone numbers · security.txt · WordPress / wp-admin · Admin paths · Bug bounty programme · Vulnerability disclosure policy · sitemap.xml · Content-Security-Policy · X-Frame-Options · X-Content-Type-Options · Referrer-Policy · Permissions-Policy · HttpOnly cookies · Homograph / IDN exposure · WAF / CDN detection · Public webmail

Dimension 04

Data exposure & breach history

Up to deep

Whether the entity's credentials, code or storage have leaked — and its track record as a target.

Total breach count (domain) · Exposed data classes · Prior breach history · Public GitHub repositories · Open S3 / Azure buckets · Ransomware victim history · Google dorking

Dimension 05

Social engineering surface

Low cost

How much of the organisation's human attack surface is publicly enumerable and targetable.

Publicly visible employees · Title & department exposure · Contactable individuals

Dimension 06

Reputation & infrastructure

Low cost

Whether the entity's addresses, routing and brand are clean — or implicated in abuse and impersonation.

IP / domain blacklisting · BGP routing (Hurricane Electric) · Typosquatting & look-alikes · Fake shops / brand abuse · DNS history · Hosting provider & ASN · IP net blocks

Dimension 07

Vulnerability signals

Passive

What services disclose voluntarily: versions and banners correlated against known weaknesses, without ever probing for them. A matched version is a candidate exposure rather than a confirmed vulnerability, because distributions routinely backport fixes without changing the advertised version, and a banner can be stale or deliberately altered.

Version-to-CVE correlation · Banner grabbing / service identification · Voluntarily disclosed service data · HTTP response headers

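To show how Dimensions 03 and 07 can be scored from one unmodified HTTP response, here is an added Python example (not EUSEC's code) that parses a constructed response, reports which protective headers are missing, checks cookie flags and extracts the product versions the server volunteers in its Server and X-Powered-By banners; a hardened response is included beside it for comparison. The two responses, the expected-header set and the severities are assumptions for the example. The version-to-CVE step itself needs an external advisory source and is deliberately left out: the script stops at "version disclosed".

```python
"""Passive review of a single HTTP response: protective headers, cookie
flags and disclosed version banners. Added example, not EUSEC's code; both
responses below are constructed."""
import re

# Constructed response from a poorly configured site (assumption for the example).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "X-Powered-By: PHP/7.4.33\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: consent=1; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed response from the same site after hardening.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Permissions-Policy: camera=(), microphone=()\r\n"
    "Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
)

# Header name -> (severity when missing, why it matters). HSTS only makes
# sense for responses served over HTTPS, which is the assumed case here.
EXPECTED_HEADERS = {
    "strict-transport-security": ("medium", "HSTS: browsers may still fall back to http://"),
    "content-security-policy": ("medium", "CSP: no script-source restriction against XSS"),
    "x-content-type-options": ("low", "X-Content-Type-Options: MIME sniffing not disabled"),
    "x-frame-options": ("low", "X-Frame-Options: page can be framed (clickjacking)"),
    "referrer-policy": ("low", "Referrer-Policy: full URLs may leak to third parties"),
    "permissions-policy": ("low", "Permissions-Policy: browser features not restricted"),
}

# "product/version" at the start of a banner value, e.g. "nginx/1.18.0".
BANNER_RE = re.compile(r"^([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value), ...])."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def disclosed_versions(headers):
    """(product, version) pairs volunteered in Server and X-Powered-By."""
    found = []
    for name, value in headers:
        if name in ("server", "x-powered-by"):
            match = BANNER_RE.match(value)
            if match:
                found.append((match.group(1).lower(), match.group(2)))
    return found


def assess_response(raw):
    """Return (severity, message) findings for one response."""
    _status, headers = parse_response(raw)
    present = {name for name, _ in headers}
    findings = []
    for name, (sev, why) in EXPECTED_HEADERS.items():
        if name not in present:
            findings.append((sev, "missing " + why))
    # Each Set-Cookie is judged on its own attributes.
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split(";", 1)[0].split("=", 1)[0]
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(("medium", f"cookie {cookie} without HttpOnly"))
        if "secure" not in attrs:
            findings.append(("medium", f"cookie {cookie} without Secure"))
    # A disclosed version is input for CVE correlation, not a confirmed weakness:
    # distributions backport fixes without bumping the banner.
    for product, version in disclosed_versions(headers):
        findings.append(("info", f"{product} {version} disclosed in response headers"))
    return findings


if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(f"== {label}: {len(assess_response(raw))} findings")
        for sev, msg in assess_response(raw):
            print(f"[{sev:6}] {msg}")
```

The cookie check is deliberately per cookie rather than per response: a single session cookie without HttpOnly is the finding that matters, and a compliant consent cookie next to it should not mask it.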
Dimension 08

Business profile & assurance

Low cost

The structural context that calibrates every other signal — scale, complexity, footprint and independent certifications.

Business model (complex vs. singular) · Headcount · ISO/IEC 27001 · SOC 2 reporting · Imprint completeness · Locations & international footprint · Corporate structure

Dimension 09

Data protection posture

Moderate

How the entity handles personal data, judged from its public privacy disclosures and observable tracking behaviour — following EUSEC's published privacy-policy assessment method.

Data protection officer · Visible data-handling staff · Policy change history · Encryption commitments · Potentially unfair terms · Automated decision-making · Data subject rights · Tracking technologies · Provider location · Policy language · Data sales · Third-country sub-processors · Controller identification · Comprehensibility · Readability · Currency · Accessibility · Versioning · Technical & organisational measures · Processing scope & purposes · App installation · App information · Cookies on service site

Dimension 10

Sector & entity calibration

Analyst overlay

Applied after the evidence dimensions, a rating may carry sector- and entity-specific adjustments. Different sectors face different threat models and regulatory baselines, and an entity's criticality, structural complexity or verified compensating controls can warrant an up- or downward step. These adjustments follow documented, consistently applied criteria — they refine the evidence, they never override it.

Sector threat model · Regulatory baseline · Criticality · Structural complexity · Verified compensating controls · Documented & consistent

Signal families shown are representative, not exhaustive. Weighting of each dimension is calibrated against the entity's business profile, threat landscape and benchmarking.

Exhibit 03 — The Inside Rating

Measured against what is declared.

The Inside Rating is built from a structured self-disclosure. The questions an entity is asked depend on its standing under the NIS2 Directive (EU) 2022/2555, and every answer is scored on the maturity model of the German BSI assessment framework (RUN). Higher obligations mean more criteria — never fewer.

Scoping — which criteria apply
Outside NIS2 scope (7 criteria)

Baseline cyber-hygiene criteria. Applied to entities not in scope, and where status is not yet established.

Important entity (11 criteria)

Adds supply-chain, cryptography and the statutory registration and reporting duties.

Very important entity (15 criteria)

The full criteria set, including effectiveness review, management oversight, board training and audit readiness.

The 15 criteria & their scope

✓ = applies · – = out of scope

#   NIS2 article     Criterion                                                    Non-NIS2   Important   Very imp.
a   Art. 21(2)(a)    Risk management & risk analysis                              ✓          ✓           ✓
b   Art. 21(2)(b)    Incident handling                                            ✓          ✓           ✓
c   Art. 21(2)(c)    Business continuity, backup & crisis management              ✓          ✓           ✓
d   Art. 21(2)(d)    Supply chain security                                        –          ✓           ✓
e   Art. 21(2)(e)    Secure acquisition, development & vulnerability management   ✓          ✓           ✓
f   Art. 21(2)(f)    Assessing the effectiveness of measures                      –          –           ✓
g   Art. 21(2)(g)    Cyber hygiene & training / awareness                         ✓          ✓           ✓
h   Art. 21(2)(h)    Use of cryptography & encryption                             –          ✓           ✓
i   Art. 21(2)(i)    HR security, access control & asset management               ✓          ✓           ✓
j   Art. 21(2)(j)    Multi-factor authentication & secured communications         ✓          ✓           ✓
k   Art. 3(4) / 27   Registration with the competent authority                    –          ✓           ✓
l   Art. 23          Reporting of significant incidents (24h / 72h / 1 month)     –          ✓           ✓
m   Art. 20(1)       Management approval & oversight                              –          –           ✓
n   Art. 20(2)       Training of the management body                              –          –           ✓
o   Art. 31–34       Evidence & audit readiness                                   –          –           ✓
    Criteria in scope                                                             7          11          15

The column assignment follows from the scoping descriptions: the seven baseline criteria (a, b, c, e, g, i, j) apply to every entity; Important entities add d, h, k and l; Very important entities add f, m, n and o.

National transpositions vary — e.g. in Germany under the BSIG (sec. 30, 32, 33, 38, 39). Article references follow Directive (EU) 2022/2555.

The scoring scale — BSI maturity model (RUN)

Each applicable criterion is rated on a six-step maturity scale. A criterion may also be marked N/A where it is genuinely out of scope for the entity. The same scale is applied whether the underlying theme is a management system, an implementation control, or a statutory obligation.

5  Continuously improved: established and continuously improved.
4  Measurable: effectiveness is measured against defined indicators.
3  Established: documented and implemented.
2  Managed (partial): an initial procedure or individual elements exist.
1  Planned: planned and budgeted, not yet started.
0  Not present: the control is not addressed.

N/A — not applicable: the criterion is genuinely out of scope for the entity and is excluded from the score rather than penalised.

Exhibit 04 — The rating scale

One scale, from AAA to C.

Outside and Inside evidence resolve into a single grade, so that any two entities can be compared on the same terms. Plus and minus modifiers signal the direction of travel within a band.

AAA  Prime: no findings, or only negligible ones.
AA   Strong: minor findings only. AA+ / AA− denote trend.
A    Solid: some weaknesses. A+ / A− denote trend.
B    At risk: material vulnerabilities identified.
C    Critical: substandard controls; immediate attention required.

AAA = strongest · C = critical exposure · ± shows trend within a band.
Exhibit 05 — The outlook

Where the rating is heading.

A grade captures the present; the outlook captures the trajectory. Both lenses carry one, and each is derived differently.

Outside outlook

Is the entity working on it?

Each entity is observed repeatedly over time. The outlook reflects the direction of travel across successive snapshots: are exposed surfaces being remediated, certificates renewed, leaks closed — or is the posture quietly drifting? A history of steady improvement reads very differently from one of neglect, even at the same grade today.

Basis — historical trajectory of the observed signals.
Inside outlook

Does the self-assessment hold up?

The self-reported maturity is placed alongside the observed Outside Rating. Where the two align, the self-assessment earns confidence. Where an entity rates itself markedly higher than the evidence supports, that gap is flagged as a discrepancy and weighs on the outlook — because the comfort of a questionnaire is not the same as a secure posture.

Basis — self-assessment correlated against the observed reality.
Positive (improving) · Stable (holding) · Negative (eroding or unverified)