Owner tools

For the owner of NIS2 Readiness Check (dmarcguard.io).

Ownership

This launch is unclaimed.

Claim this launch to get an owner link, re-scan after fixes, track your score improvements, or remove your site from StackScope entirely.

Claim this launch

Optional improvements

These don't change your StackScope score but cover SEO, agent-readiness, security-researcher discoverability, and compliance items worth addressing.

Legal & compliance

HIGHGate analytics behind consent
Analytics set tracking cookies on our visit with no opt-in step. If you gate this for real visitors in a way our crawl didn't trigger, you can ignore it.
WhyUK/EU GDPR requires opt-in before analytics scripts fire; about half of US state privacy laws now require honouring the Global Privacy Control browser signal as a universal opt-out.
WhereDrop in Cookiebot, Usercentrics, Osano, or Iubenda Consent, or hand-roll a banner plus Google's Consent Mode v2.
Learn more
Why this matters & sources
The legal landscape: UK/EU GDPR treats analytics as personal-data processing that requires opt-in consent before scripts fire. About half the US state privacy laws now in force (California, Colorado, Texas, Connecticut, Oregon, Montana, Delaware, New Hampshire, New Jersey, Nebraska) require honouring the Global Privacy Control (GPC) browser signal as a universal opt-out, and California's January 2026 regulations require visibly indicating when a GPC signal has been honoured.
Sources: IAPP US state privacy tracker (iapp.org/resources/article/us-state-privacy-legislation-tracker), California AG on GPC (oag.ca.gov/privacy/ccpa/gpc), EDPB consent guidelines (edpb.europa.eu).

Email security

LOWMove MTA-STS from testing to enforce
MTA-STS policy is in mode: testing.
WhyTesting mode reports TLS failures but still allows plaintext fallback. Real protection only kicks in at enforce.
WhereAfter reviewing TLS-RPT reports and confirming no senders fail, change the policy file to mode: enforce.
Learn more

Page basics & SEO

LOWTrim your <title> tag to under 60 characters
Currently 71 characters: "NIS2 Email Authentication Readiness — Article 21 Scorecard | DMARCguard"
WhyGoogle truncates titles around 60 characters in search results, so anything past that gets cut off mid-sentence and costs click-through rate.
WhereAim for 50-60 characters that include your main keyword and brand.
Learn more
LOWTrim your meta description to under 160 characters
Currently 320 characters: "Check your domain against the NIS2 Article 21 email-authentication controls. NIS2 is in force EU-wide (transposition deadline was 17 Oct 2024) and national enforcement is rolling out — Germany's NIS2UmsuCG went live 6 Dec 2025. Maps DMARC, SPF, MTA-STS, TLS-RPT, and DNSSEC to the specific paragraphs auditors reference."
WhyGoogle truncates around 155-160 characters on desktop SERPs (less on mobile), so anything past that won't appear in the snippet.
WhereEdit your <meta name="description"> tag. Put the most click-worthy phrase first.
Learn more

Performance

MEDIUMSet width and height on your images
1 image render without explicit width/height.
WhyWithout intrinsic dimensions the browser can't reserve space before the image loads, so content jumps as it arrives (cumulative layout shift).
WhereAdd width and height attributes (or an aspect-ratio CSS rule). Framework image components set these for you.
Learn more
LOWAdd alt text to your images
1 image has no alt attribute.
WhyScreen-reader users get no description, and search engines lose a signal about the image content.
WhereAdd a concise alt="..." to each image (an empty alt="" is correct only for purely decorative images).
Learn more

If a tip looks wrong (for example it says "add a consent banner" and you already have one) the detection's the bug, not you. StackScope sees what's public from the outside: HTTP response, rendered HTML, cookies, and DNS. We can miss vendors that load behind consent, are self-hosted, or use an install shape we haven't fingerprinted yet. Email [email protected] and we'll look into it.

Copy into Cursor, Claude, or ChatGPT

This prompt includes the detected stack and only the fixes StackScope found. It asks the AI to make concrete file-level changes, not a vague website review.

Score-affecting basics only. Ask your AI to handle these first; come back for the optional hardening once they're done.

Everything: score-affecting fixes plus optional email security, agent metadata, and best-practice items. Longer prompt, more for an "all in one" agent run.

I own https://dmarcguard.io/tools/nis2-readiness/. StackScope (https://stackscope.dev) analysed it on 16 June 2026 and scored it 10.0/10 against their production-readiness checklist. Nothing score-affecting is currently outstanding, so use this prompt as a posture check rather than a fix list.

Tech stack StackScope detected on the site:
cloudflare, cloudflare-dns, cloudflare-insights, google-site-verification, hsts, http3, mastodon, posthog, protonmail, vue, webmention-io

Spot-check the stack above against current best practices: anything that looks deprecated, mis-configured, or like drift since the last deploy. If everything looks healthy, say so. Don't invent issues to fill the response.

Full analysis: https://stackscope.dev/launch/empd2vux/nis2-readiness-check

I own https://dmarcguard.io/tools/nis2-readiness/. StackScope (https://stackscope.dev) analysed it on 16 June 2026 and scored it 10.0/10 against their production-readiness checklist. Please help me apply the fixes below. This is a checklist, not a blocker list; Score-affecting fixes are the ones that move the number, Optional items are nice-to-haves with zero score impact that I can skip for an MVP.

Tech stack StackScope detected on the site (use this when suggesting where each fix lives in the codebase):
cloudflare, cloudflare-dns, cloudflare-insights, google-site-verification, hsts, http3, mastodon, posthog, protonmail, vue, webmention-io

Optional best-practice improvements (no score impact):
- [HIGH] Gate analytics behind consent. Analytics set tracking cookies on our visit with no opt-in step. If you gate this for real visitors in a way our crawl didn't trigger, you can ignore it. Why: UK/EU GDPR requires opt-in before analytics scripts fire; about half of US state privacy laws now require honouring the Global Privacy Control browser signal as a universal opt-out. Where: Drop in Cookiebot, Usercentrics, Osano, or Iubenda Consent, or hand-roll a banner plus Google's `Consent Mode v2`. (https://iapp.org/resources/article/us-state-privacy-legislation-tracker)
- [MEDIUM] Set width and height on your images. 1 image render without explicit width/height. Why: Without intrinsic dimensions the browser can't reserve space before the image loads, so content jumps as it arrives (cumulative layout shift). Where: Add `width` and `height` attributes (or an `aspect-ratio` CSS rule). Framework image components set these for you. (https://web.dev/articles/cls)
- [LOW] Trim your <title> tag to under 60 characters. Currently 71 characters: "NIS2 Email Authentication Readiness — Article 21 Scorecard | DMARCguard" Why: Google truncates titles around 60 characters in search results, so anything past that gets cut off mid-sentence and costs click-through rate. Where: Aim for 50-60 characters that include your main keyword and brand. (https://developers.google.com/search/docs/appearance/title-link)
- [LOW] Trim your meta description to under 160 characters. Currently 320 characters: "Check your domain against the NIS2 Article 21 email-authentication controls. NIS2 is in force EU-wide (transposition deadline was 17 Oct 2024) and national enforcement is rolling out — Germany's NIS2UmsuCG went live 6 Dec 2025. Maps DMARC, SPF, MTA-STS, TLS-RPT, and DNSSEC to the specific paragraphs auditors reference." Why: Google truncates around 155-160 characters on desktop SERPs (less on mobile), so anything past that won't appear in the snippet. Where: Edit your `<meta name="description">` tag. Put the most click-worthy phrase first. (https://developers.google.com/search/docs/appearance/snippet)
- [LOW] Move MTA-STS from testing to enforce. MTA-STS policy is in `mode: testing`. Why: Testing mode reports TLS failures but still allows plaintext fallback. Real protection only kicks in at enforce. Where: After reviewing TLS-RPT reports and confirming no senders fail, change the policy file to `mode: enforce`. (https://datatracker.ietf.org/doc/html/rfc8461)
- [LOW] Add alt text to your images. 1 image has no alt attribute. Why: Screen-reader users get no description, and search engines lose a signal about the image content. Where: Add a concise `alt="..."` to each image (an empty `alt=""` is correct only for purely decorative images). (https://developer.mozilla.org/en-US/docs/Web/HTML/Element/img#alt)

For each item, tell me exactly which file to create or which code to change, and where it lives in a project using the stack above. If my framework has a native API for the task (e.g. Next.js metadata exports, `app/sitemap.ts`, Astro layouts, Nuxt `useHead`), prefer that over raw HTML or server config.

Full analysis: https://stackscope.dev/launch/empd2vux/nis2-readiness-check

Using an autonomous agent?

Point the agent at this SKILL.md URL and ask it to follow the skill. The framing stops agents defaulting to an open-ended page review.

https://stackscope.dev/launch/empd2vux/skill.md

Share your score

Your score card renders automatically when you share the link.

Or embed a badge

Two badge options. Pick whichever fits your story.

Current score

Shows the latest score and updates within a few minutes of any recrawl. Best for ongoing display: if you fix something and recrawl, the badge reflects the new score automatically.

<a href="https://stackscope.dev/launch/empd2vux/nis2-readiness-check"><img src="https://stackscope.dev/badge/empd2vux/current.svg" alt="StackScope score for NIS2 Readiness Check" height="24" /></a>

Launch score

Pinned to your launch-day snapshot and never changes. Marked with a small gold corner ribbon. Best for press kits, launch retrospectives, or anywhere you want a permanent record of how you shipped.

<a href="https://stackscope.dev/launch/empd2vux/nis2-readiness-check"><img src="https://stackscope.dev/badge/empd2vux.svg" alt="StackScope launch score for NIS2 Readiness Check" height="24" /></a>

Using a Content-Security-Policy? Both badges are <img> tags from our domain, so your CSP needs to allow them. Add stackscope.dev to your img-src directive (example: img-src 'self' stackscope.dev;). Without it, browsers silently block the badge and visitors see a broken image.