Your first gap analysis

The fastest way to feel what the gateway does is to run one gap analysis start to finish. It's the right first pick because it works for every customer — privacy, security engineering, GRC, in-house counsel — and produces a coverage matrix you can hand to a CEO without translation.

There are two ways to run one, and your tier decides which. Premium drives it by hand: your agent pulls each control's text, case law, and agency guidance through the search tools and you assess control by control. Team and Company run the structured gap_analysis workflow, which threads the same lookups through staged quality gates. This page walks both. Open Claude Desktop (or any MCP client you have connected to the gateway), keep this page on a second screen, and follow along.

What you'll have at the end

A coverage matrix listing every control in your chosen framework with a compliance level (not_implemented, partial, largely_compliant, fully_compliant), an evidence tier (authoritative, documentary, supplemental), and a gap list with the regulatory citation behind each finding. On the workflow path the report exports as JSON or rendered Markdown; on the search-driven path your agent assembles the same matrix in the conversation and renders it on request.

How long this takes

Both paths share the same per-control loop, so timings match. On the workflow path the scoping, document-collection, and findings-review stages together take roughly 30 to 60 minutes. The middle stage — control assessment — runs one prompt per control in your framework, so the total time scales with the framework's size.

This tutorial uses the NIS2 Article 21 essential-entity controls — about ten controls covering risk management, incident handling, supply chain, business continuity, and reporting. End to end, expect about 90 minutes for the worked example. A full GDPR pass against Articles 5, 6, 25, 28, 32, and 35 runs three to five hours; that's normal for the framework, not a fit for a tutorial.

Tier

Premium does not include workflow tools. It includes everything the workflow queries: multi-source search with fan-out into case law (search_case_law), preparatory works (search_preparatory_works), and agency guidance (search_agency_guidance). The search-driven path below uses exactly those. Team and Company add the structured gap_analysis workflow — plus DPIA, STRIDE threat model, and tender review — with stage validation the agent can't skip. See Pricing.

Free-tier accounts get single-MCP search (100 calls per day), enough to look up individual provisions but not to run an assessment. Tools outside your tier are absent from tools/list and return JSON-RPC error -32601 (method not found) if called anyway; quota overruns return JSON-RPC error -32000 with code cap_exceeded. If your agent reports "method not found" for start_workflow, that's the tier gate, not an outage, and the search-driven path below still works.
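The two error shapes above are worth handling explicitly on the client side, because an agent that retries a -32000 cap_exceeded in a loop burns nothing but time, and one that treats -32601 as an outage gives up on a path that still works. The following is an added example written for this page, not gateway or client code from the project: it classifies a JSON-RPC response into a next action using the codes the page documents. Where cap_exceeded sits in the error object (here error.data.code), the Premium tool list, and the sample responses are assumptions constructed for the example.

```python
"""Classify gateway errors on the client side (added example, not gateway code).

Encodes the two error shapes the page documents: JSON-RPC -32601 for a tool
outside your tier, JSON-RPC -32000 with code cap_exceeded for a quota overrun.
Assumption: cap_exceeded is carried in error.data.code.
"""
from __future__ import annotations

from dataclasses import dataclass

METHOD_NOT_FOUND = -32601   # tool not advertised for this tier, or a typo
SERVER_ERROR = -32000       # quota overrun when data.code == "cap_exceeded"

# Workflow tools the page lists as Team/Company only.
WORKFLOW_TOOLS = {"start_workflow", "get_current_step",
                  "submit_response", "generate_report"}


@dataclass(frozen=True)
class Verdict:
    kind: str    # "ok" | "tier_gate" | "quota" | "unknown_tool" | "error"
    action: str  # what the agent should do next


def classify(response: dict, tool: str, advertised: set[str]) -> Verdict:
    """Turn one JSON-RPC response into a next action.

    `advertised` is the set of tool names returned by tools/list for this
    account; the page says tier-gated tools never appear there.
    """
    err = response.get("error")
    if err is None:
        return Verdict("ok", "use result")
    code = err.get("code")
    data = err.get("data")
    data = data if isinstance(data, dict) else {}

    if code == SERVER_ERROR and data.get("code") == "cap_exceeded":
        return Verdict("quota", "daily cap hit; stop and wait for the reset, do not retry in a loop")
    if code == METHOD_NOT_FOUND:
        if tool in WORKFLOW_TOOLS and tool not in advertised:
            return Verdict("tier_gate", f"{tool} is not in this tier; fall back to the search-driven path")
        return Verdict("unknown_tool", f"{tool} is not a known tool; check the name against tools/list")
    return Verdict("error", f"JSON-RPC {code}: {err.get('message', '')}")


def should_use_search_path(advertised: set[str]) -> bool:
    """True when tools/list lacks the workflow tools (Premium or Free tier)."""
    return not WORKFLOW_TOOLS <= advertised


# Constructed sample data (not captured from the gateway).
PREMIUM_TOOLS = {"search", "get_provision", "search_case_law",
                 "search_preparatory_works", "search_agency_guidance"}
SAMPLE_TIER_GATE = {"jsonrpc": "2.0", "id": 7,
                    "error": {"code": -32601, "message": "Method not found"}}
SAMPLE_CAP = {"jsonrpc": "2.0", "id": 8,
              "error": {"code": -32000, "message": "Daily cap exceeded",
                        "data": {"code": "cap_exceeded"}}}
SAMPLE_OK = {"jsonrpc": "2.0", "id": 9, "result": {"content": []}}

if __name__ == "__main__":
    for resp, tool in ((SAMPLE_TIER_GATE, "start_workflow"),
                       (SAMPLE_CAP, "search"),
                       (SAMPLE_OK, "get_provision")):
        v = classify(resp, tool, PREMIUM_TOOLS)
        print(f"{tool}: {v.kind} -> {v.action}")
```

The useful property is that the tier gate is decided from tools/list rather than from the error message alone: a -32601 on a known workflow tool that tools/list does not advertise is the tier gate, while a -32601 on an unrecognised name is a typo. Calling should_use_search_path once after connecting avoids ever hitting the gate.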

The Premium path — gap analysis by hand

Paste this into your connected agent:

We're a Swedish digital-infrastructure operator, an essential
entity under NIS2. Run a gap analysis of the Article 21(2)
risk-management measures with me:
1. Pull each measure's text with get_provision and cite it.
2. For each measure, run search_agency_guidance and
   search_case_law for how it's applied in Sweden.
3. Ask me what we have in place and what evidence exists.
4. Build a coverage table: control, compliance level
   (not_implemented / partial / largely_compliant /
   fully_compliant), evidence, citation. Flag any control you
   couldn't ground in a tool result.

The agent works the same loop as the workflow: provision text, interpretation sources, your evidence, one row in the matrix. Use the example controls under stage 3 below as the model for your answers — a compliance level, an evidence tier, and at least one evidence reference per control.

What this path lacks is the engine: stage gates that refuse to advance until required fields are filled, the enforced findings-review step, and the report quality check. Your agent's discipline is the quality gate. If you're producing these for auditors or repeating them quarterly, that's the reason to move to Team.

The workflow path (Team and Company tiers)

Everything from here to the end of the report section describes the structured gap_analysis workflow. The stages and prompts below are what the workflow actually returns.

Before you start

  1. A Team or Company subscription. The workflow tools (start_workflow, get_current_step, submit_response, generate_report) appear in tools/list on those tiers only — if your client doesn't list them, use the search-driven path above.
  2. MCP client connected to gateway.ansvar.eu. See Setup if not.
  3. A regulatory framework picked. The worked example below uses NIS2; gdpr, dora, and iso27001 are common alternatives.
  4. One jurisdiction picked. The worked example uses Sweden (essential entity in digital infrastructure).
  5. Optional but useful: a few policy documents — ISMS policies, incident response plans, supplier inventory — ready to attach at stage two. Skip if you don't have any; the workflow handles empty document sets.

Stage 1 — scoping (about 15 minutes)

Three steps in one stage: classify the entity, confirm the jurisdictions, then approve the scope summary before the control catalogue loads.

You ask the agent

Start a NIS2 gap analysis for our company.
We're a Swedish digital-infrastructure operator subject to
Art. 21 risk-management requirements as an essential entity.

The agent calls start_workflow(workflow_type="gap_analysis", framework="nis2", jurisdictions=["SE"]). The gateway validates the tier — workflow tools are Team and Company — then forwards to the workflow MCP. You get back a workflow_id and the first step's prompt.

Step 1.1 — entity classification

The workflow asks for entity type and sector. The prompt expects a short, structured answer; the agent will summarise your reply before calling submit_response.

What type of entity is the organisation?
   (essential / important / other)
What sector(s) does the organisation operate in?

Example answer: essential entity; digital infrastructure. The agent translates this into the required fields (entity_type, sectors) and submits.

Common pitfall: NIS2's essential / important distinction determines the supervisory regime and the reporting deadlines. If you don't know which applies, look up your sector in Annex I or Annex II of the NIS2 Directive (2022/2555) and check the size thresholds in Article 3 before answering; a wrong classification here cascades into the wrong control catalogue.

Step 1.2 — jurisdiction confirmation

Confirm the jurisdictions where the organisation
operates or provides services.

List every jurisdiction where the organisation operates or provides services. The worked example sticks with ["SE"].

Step 1.3 — scope review

The workflow shows the scope it locked in (entity type, sectors, jurisdictions, framework) and asks for explicit user approval before the control catalogue loads. The pattern is user_review: true in the workflow YAML — changing the framework after this step requires restarting the workflow, so the gate is intentional.

Stage 2 — document collection (about 5 minutes, often less)

The agent asks for policy documents and lets you upload them. The minimum is zero — the workflow accepts an empty document set and continues — but attached documents make later citations much stronger.

Please upload relevant security policies,
procedures, and certifications.

Documents go in via register_document_init and register_document_finalize (presigned upload), then bind to the workflow with register_document. If you've got nothing to upload, tell the agent "no documents available" and the stage closes.

Stage 3 — control assessment (the main loop)

This stage is dynamic. The workflow materialises one control prompt per control in your framework and loops until every control is assessed. For the NIS2 essential-entity controls that's ten iterations, one per Article 21(2) measure; for full GDPR it's six articles' worth.

For each control the workflow fetches the regulatory text via get_provision and a related search via search against the jurisdiction's sector MCP before prompting you. Your job per control: pick a compliance level, pick an evidence tier, and cite at least one piece of evidence.

We'll walk three example controls from the NIS2 list. The remaining seven follow the same shape.

Example control: risk management

Article 21(2)(a) — policies on risk analysis and information
system security.

How does the organisation currently address risk analysis and
information system security? What evidence exists for this
implementation?

Example answer:

compliance_level: largely_compliant
evidence_tier: documentary
evidence:
  - "ISMS Policy v3.2 §4 (risk management framework)"
  - "Annual ISO 27001 internal audit report 2026-02"
notes: "Quarterly risk register reviewed by infosec steering
        committee; risk treatment plan signed off by CISO."

Common pitfall: declaring fully_compliant without an authoritative evidence tier (an external audit, a regulator inspection report) rarely survives the findings-review gate unchanged. Pick largely_compliant with documentary evidence when an internal artifact is all you have; that's a more honest baseline.

Example control: incident handling

Article 21(2)(b) — incident handling.

What incident-detection, response, and post-incident review
processes are in place? What's the evidence?

Example answer:

compliance_level: partial
evidence_tier: documentary
evidence:
  - "Incident Response Plan v2.0 (runbook covers detection +
     containment + eradication; recovery section incomplete)"
notes: "Tabletop exercises run twice in 2025 but post-incident
        review template not formalised. The NIS2 transposition
        deadline (17 October 2024) has passed, so treat as overdue."

Example control: supply chain

Article 21(2)(d) — supply chain security, including
security-related aspects concerning the relationships between
each entity and its direct suppliers or service providers.

How does the organisation manage supplier security? What's
the evidence?

Example answer:

compliance_level: not_implemented
evidence_tier: supplemental
evidence:
  - "Supplier inventory exists but security-clause review
     not started"
notes: "No DPAs or security schedules in current supplier
        contracts. Highest-priority gap."

The remaining seven controls (business continuity and crisis management; security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene and training; cryptography and encryption; human resources security, access control and asset management; MFA and secured communications) follow the same prompt shape. Work through them at your own pace; the workflow remembers state, so you can resume_workflow the next morning if you want.

Stage 4 — findings review (about 10 minutes)

A user-review gate. The workflow presents a summary table — control ID, title, compliance level, evidence tier — and asks you to confirm or revise. This is the last point to raise the evidence tier on weak controls before the report freezes.

Common pitfall: the temptation is to wave the table through because you already filled it in. Read each partial and not_implemented row carefully; those are the rows the report will surface as gaps with recommended remediations, and the evidence reference attached here is what auditors will inspect.

Stage 5 — report (automatic, under two minutes)

Two automatic steps: a quality check (every control assessed; at least 30% must carry documentary or authoritative evidence) and the report generation. You'll see something like this:

{
  "workflow_id": "wf-7a9c1b...",
  "framework": "nis2",
  "jurisdictions": ["SE"],
  "scope": {
    "entity_type": "essential",
    "sectors": ["digital_infrastructure"]
  },
  "coverage_matrix": [
    {
      "control_id": "art21_2_a",
      "title": "Policies on risk analysis and IS security",
      "compliance_level": "largely_compliant",
      "evidence_tier": "documentary",
      "regulatory_basis": [
        {
          "source_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555",
          "publisher": "EUR-Lex",
          "license": "CC-BY-EU-OJ-202312"
        }
      ]
    }
  ],
  "gaps": [
    {
      "control_id": "art21_2_d",
      "severity": "high",
      "recommended_remediation": "DPIA + supplier security review"
    }
  ]
}

How to use the report

  1. Export to Markdown: ask the agent "render the gap analysis report as Markdown." The workflow's generate_report output already includes the rendered text alongside the JSON; the agent surfaces whichever you ask for.
  2. Import to your GRC tool: each gap row is keyed by control ID. Most tools (OneTrust, Vanta, Drata, Hyperproof) accept either a JSON import or a CSV the agent can produce on request.
  3. Action the gaps: each not_implemented or partial control maps to a follow-up workflow that actually closes the gap. Examples from this worked run:
    • Supply-chain gap (Art. 21(2)(d)) → DPIA workflow for the supplier processing activities, plus a tender review on next supplier renewal.
    • Incident-handling gap → STRIDE threat model on the systems most likely to be in scope, to feed the response plan with realistic scenarios.
    The DPIA and threat-model workflows run on the same Team and Company tiers as the gap analysis workflow itself.
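The stage 3 answer shape, the stage 5 quality gate and the GRC hand-off above are all mechanical enough to check offline before you submit or export. The following is an added example written for this page, not workflow code from the project: it applies the rules the page states to a coverage_matrix in the report's JSON shape (every control assessed, at least 30% of rows on the documentary or authoritative tier, fully_compliant only with authoritative evidence), derives the gaps list, and flattens it to the CSV most GRC importers accept. The severity mapping, the control IDs beyond art21_2_a and art21_2_d, and the sample matrix are assumptions constructed for the example.

```python
"""Offline checks over a gap-analysis coverage matrix (added example, not workflow code).

Rules taken from the page: every control assessed; at least 30% of rows on
the documentary or authoritative tier; fully_compliant needs authoritative
evidence. Severity mapping and control IDs beyond a/d are assumptions.
"""
from __future__ import annotations

import csv
import io

COMPLIANCE_LEVELS = ("not_implemented", "partial",
                     "largely_compliant", "fully_compliant")
EVIDENCE_TIERS = ("supplemental", "documentary", "authoritative")
STRONG_TIERS = {"documentary", "authoritative"}
MIN_STRONG_RATIO = 0.30  # page: at least 30% documentary or authoritative

# Assumed mapping; the page only shows "high" on a not_implemented control.
SEVERITY = {"not_implemented": "high", "partial": "medium"}

# Assumed IDs for all ten Article 21(2) measures, extending the page's pattern.
NIS2_ART21_CONTROLS = [f"art21_2_{c}" for c in "abcdefghij"]


def validate_row(row: dict) -> list[str]:
    """Problems with one coverage_matrix row; an empty list means it passes."""
    problems = []
    level, tier = row.get("compliance_level"), row.get("evidence_tier")
    if level not in COMPLIANCE_LEVELS:
        problems.append(f"unknown compliance_level {level!r}")
    if tier not in EVIDENCE_TIERS:
        problems.append(f"unknown evidence_tier {tier!r}")
    if not row.get("evidence"):
        problems.append("no evidence reference")
    if level == "fully_compliant" and tier != "authoritative":
        problems.append("fully_compliant without authoritative evidence")
    return problems


def quality_check(matrix: list[dict], expected: list[str]) -> dict:
    """Mirror the stage 5 quality gate over a finished matrix."""
    assessed = {r["control_id"] for r in matrix}
    missing = sorted(set(expected) - assessed)
    strong = sum(1 for r in matrix if r.get("evidence_tier") in STRONG_TIERS)
    ratio = strong / len(matrix) if matrix else 0.0
    row_problems = {r["control_id"]: p for r in matrix if (p := validate_row(r))}
    return {
        "passed": not missing and ratio >= MIN_STRONG_RATIO and not row_problems,
        "missing": missing,
        "strong_ratio": round(ratio, 2),
        "row_problems": row_problems,
    }


def derive_gaps(matrix: list[dict]) -> list[dict]:
    """Every not_implemented or partial control becomes a gap row keyed by control ID."""
    return [{"control_id": r["control_id"], "title": r.get("title", ""),
             "severity": SEVERITY[r["compliance_level"]]}
            for r in matrix if r.get("compliance_level") in SEVERITY]


def gaps_to_csv(gaps: list[dict]) -> str:
    """One CSV row per gap, keyed by control_id for a GRC import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["control_id", "title", "severity"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(gaps)
    return buf.getvalue()


# Constructed sample: the page's three worked controls plus one deliberately
# over-claimed row (fully_compliant on documentary evidence).
SAMPLE_MATRIX = [
    {"control_id": "art21_2_a", "title": "Policies on risk analysis and IS security",
     "compliance_level": "largely_compliant", "evidence_tier": "documentary",
     "evidence": ["ISMS Policy v3.2 §4"]},
    {"control_id": "art21_2_b", "title": "Incident handling",
     "compliance_level": "partial", "evidence_tier": "documentary",
     "evidence": ["Incident Response Plan v2.0"]},
    {"control_id": "art21_2_c", "title": "Business continuity",
     "compliance_level": "fully_compliant", "evidence_tier": "documentary",
     "evidence": ["BCP v1.1"]},
    {"control_id": "art21_2_d", "title": "Supply chain security",
     "compliance_level": "not_implemented", "evidence_tier": "supplemental",
     "evidence": ["Supplier inventory, clauses not reviewed"]},
]

if __name__ == "__main__":
    print(quality_check(SAMPLE_MATRIX, NIS2_ART21_CONTROLS))
    print(gaps_to_csv(derive_gaps(SAMPLE_MATRIX)))
```

Run against the sample, the check fails for two independent reasons the findings-review stage would otherwise catch late: six of the ten controls are still unassessed, and the business-continuity row claims fully_compliant on documentary evidence. The 30% ratio itself passes (three of four rows), which is the point of the pitfall under stage 3: the ratio is easy to clear, the per-row evidence tier is where claims get challenged.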

Stuck?

Two paths. Email team@ansvar.eu — paste the prompt the workflow gave you and the answer you're considering, and you'll get a useful reply within a business day. Or book a 30-minute onboarding call (included in Premium and above) — we'll drive one run live with you on Zoom (the search-driven path on Premium, a full workflow on Team and Company) and you walk away with a finished report.