{
 "workflow_id": "63f045b3-1299-4057-9a5a-431b0e0fe43c",
 "framework": "nis2",
 "jurisdictions": [
  "EU",
  "EE"
 ],
 "entity_description": "Baltika Freight Systems O\u00dc \u2014 a fictional 90-person Estonian SaaS company providing freight-forwarding and customs-clearance software (Baltika TMS) to logistics operators in the Baltic region. Presumed \"important entity\" under NIS2 (digital-infrastructure-adjacent transport logistics software). Assessment subject: the company's Information Security Policy POL-BLTK-2026-02 v2.1 (uploaded, DOC-6DCN), assessed against NIS2 Article 21(2) minimum measures and Article 23 reporting obligations.",
 "generated_at": "2026-07-11T18:30:01.857645+00:00",
 "executive_summary": {
  "total_controls": 10,
  "fully_compliant": 0,
  "largely_compliant": 2,
  "partial": 6,
  "not_implemented": 2,
  "critical_gaps": 2,
  "regulatory_basis_unresolved_count": 0
 },
 "methodology": {
  "assessment_start": "2026-07-11 18:12:20.165260+00:00",
  "assessment_end": "2026-07-11 18:13:16.277548+00:00",
  "documents_reviewed": 1,
  "controls_assessed": 10,
  "framework": "nis2",
  "jurisdictions": [
   "EU",
   "EE"
  ],
  "framework_display_name": "NIS2 Directive (EU) 2022/2555 \u2014 Art. 21 cybersecurity risk-management measures",
  "per_framework_notice": "## NIS2 sector scope\n\nNIS2 Art. 21(2) measures apply to essential and important entities under\nAnnex I/II. Sector caveats (energy, transport, banking, health, digital\ninfrastructure, public administration) may add supervisory obligations \u2014\nthe sector-routing pass (Pass 3) surfaces the competent authority.\n",
  "jurisdiction_specific_obligations": "Member-state NIS2 transpositions vary in incident-notification deadlines and\nregistration. The per-control assessment cites the transposing national act\nwhere the jurisdiction's corpus provides it.\n",
  "report_footer": "Generated by Ansvar Workflow MCP \u2014 workflow `gap_analysis_nis2`. Not legal\nadvice; a structured basis for the organisation's own compliance assessment.\n"
 },
 "findings_matrix": [
  {
   "control_id": "Art.21.2.a",
   "control_title": "Risk analysis and information system security policies",
   "compliance_level": "partial",
   "evidence_tier": "documentary",
   "gap_description": "Risk analysis is informal: no documented methodology or criteria (ISO 27001 6.1.2), backlog-based risk register, annual-only cadence with no change-triggered reassessment (ISO 27001 8.2). NIS2 IR (EU) 2024/2690 Annex I additionally expects topic-specific policies and management-body information flows beyond the single policy document. Sector search returned only tangential EU rows; EE scope FAILED THIS RUN \u2014 gateway reported 'EE temporarily unavailable' (22 servers unavailable). Estonian transposition (k\u00fcberturvalisuse seadus / E-ITS baseline) NOT verified; held open as unresolved rather than assumed. NIS2 Art. 21(2)(a) 'policies on risk analysis and information system security' anchored via get_provision NIS2:art_21 (exact). resolution_method=exact (sub-point folded to parent article). Blue: NIS2:art_21 (eur-lex), IR 2024/2690 Annex I (eur-lex), SS-EN ISO/IEC 27001:2023 6.1.2/8.2/6.2 (SIS). Amber: ENISA guidance (CC-BY-4). Gray: none load-bearing. No case-law rows returned for this control (broadened search surfaced Implementing Regulation (EU) 2024/2690 Annex I instead, cited as Blue anchor). case_law_unconfirmed: true. ENISA NIS2 Technical Implementation Guidance + ENISA 'Cybersecurity roles and skills for NIS2 entities' \u2014 both fetched, license ENISA-CC-BY-4. Adopt a documented risk-assessment methodology with acceptance criteria (ISO 27001 6.1.2), move the risk register out of the engineering backlog, add change-triggered reassessment (8.2), and derive topic-specific policies per IR 2024/2690 Annex I \u00a71. SS-EN ISO/IEC 27001:2023 (SIS-licensed, fetched this run): 6.1.2 Information security risk assessment (defined process with criteria \u2014 MISSING), 8.2 risk assessment at planned intervals or on significant change (PARTIAL: annual only), 6.2 objectives from risk-assessment results (PARTIAL). Attribution: SIS-Reproduction-Licence. GDPR: applies (Art. 32 security of processing overlaps; customer TMS data is personal data in part). EU AI Act: not applicable (no AI system in the TMS per entity description). CSRD: not applicable at 90 employees (below thresholds). EN 301 549: not applicable to this control. NIS2: primary regime. True Policy POL-BLTK-2026-02 \u00a72 (governance: CEO accountable, security officer role, quarterly management reporting, annual re-approval) and \u00a73 (annual risk assessment covering TMS platform and corporate IT; risks recorded in engineering backlog; CEO sign-off for accepting high risks). An information-system security policy exists and is approved; a risk-analysis practice exists but has no defined methodology, no risk-acceptance criteria per ISO/IEC 27001 6.1.2, and no re-assessment trigger on material change (annual-only, contra SS-EN ISO/IEC 27001:2023 8.2 'planned intervals or when significant changes occur').",
   "evidence_references": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p7",
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p9",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21"
   ],
   "regulatory_citations": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p7",
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p9",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21"
   ],
   "remediation": "Strengthen and complete controls for \u201cArt.21.2.a\u201d. Address the identified gap: Risk analysis is informal: no documented methodology or criteria (ISO 27001 6.1.2), backlog-based risk register, annual-only cadence with no change-triggered reassessment (ISO 27001 8.2). NIS2 IR (EU) 2024/2690 Annex I additionally expects topic-specific policies and management-body information flows beyond the single policy document. Sector search returned only tangential EU rows; EE scope FAILED THIS RUN \u2014 gateway reported 'EE temporarily unavailable' (22 servers unavailable). Estonian transposition (k\u00fcberturvalisuse seadus / E-ITS baseline) NOT verified; held open as unresolved rather than assumed. NIS2 Art. 21(2)(a) 'policies on risk analysis and information system security' anchored via get_provision NIS2:art_21 (exact). resolution_method=exact (sub-point folded to parent article). Blue: NIS2:art_21 (eur-lex), IR 2024/2690 Annex I (eur-lex), SS-EN ISO/IEC 27001:2023 6.1.2/8.2/6.2 (SIS). Amber: ENISA guidance (CC-BY-4). Gray: none load-bearing. No case-law rows returned for this control (broadened search surfaced Implementing Regulation (EU) 2024/2690 Annex I instead, cited as Blue anchor). case_law_unconfirmed: true. ENISA NIS2 Technical Implementation Guidance + ENISA 'Cybersecurity roles and skills for NIS2 entities' \u2014 both fetched, license ENISA-CC-BY-4. Adopt a documented risk-assessment methodology with acceptance criteria (ISO 27001 6.1.2), move the risk register out of the engineering backlog, add change-triggered reassessment (8.2), and derive topic-specific policies per IR 2024/2690 Annex I \u00a71. SS-EN ISO/IEC 27001:2023 (SIS-licensed, fetched this run): 6.1.2 Information security risk assessment (defined process with criteria \u2014 MISSING), 8.2 risk assessment at planned intervals or on significant change (PARTIAL: annual only), 6.2 objectives from risk-assessment results (PARTIAL). Attribution: SIS-Reproduction-Licence. GDPR: applies (Art. 32 security of processing overlaps; customer TMS data is personal data in part). EU AI Act: not applicable (no AI system in the TMS per entity description). CSRD: not applicable at 90 employees (below thresholds). EN 301 549: not applicable to this control. NIS2: primary regime. True Policy POL-BLTK-2026-02 \u00a72 (governance: CEO accountable, security officer role, quarterly management reporting, annual re-approval) and \u00a73 (annual risk assessment covering TMS platform and corporate IT; risks recorded in engineering backlog; CEO sign-off for accepting high risks). An information-system security policy exists and is approved; a risk-analysis practice exists but has no defined methodology, no risk-acceptance criteria per ISO/IEC 27001 6.1.2, and no re-assessment trigger on material change (annual-only, contra SS-EN ISO/IEC 27001:2023 8.2 'planned intervals or when significant changes occur').",
   "resolution_method": null,
   "mapped_controls": [],
   "attribution": [
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    },
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    },
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    }
   ],
   "attribution_missing": true,
   "regulatory_basis_unresolved": false
  },
  {
   "control_id": "Art.21.2.b",
   "control_title": "Incident handling",
   "compliance_level": "largely_compliant",
   "evidence_tier": "documentary",
   "gap_description": "The section governs internal handling and CUSTOMER notification only. It contains no CSIRT/competent-authority notification chain (NIS2 Art. 23 early warning 24h / incident notification 72h / final report) \u2014 assessed separately, but its absence also weakens the handling procedure's escalation completeness. No incident-response exercise/test cadence (ENISA NIS2 Technical Implementation Guidance expects tested procedures). ISO 27001 A.5.24 expects communicated processes, roles and responsibilities \u2014 roles beyond the security officer are not defined. EE corpus responded this pass (unlike control (a)) but broadened-query rows were tangential (agricultural-vehicle type-approval; REACH). No sector-regulator modifier surfaced for incident handling; Estonian transposition detail still unverified overall. NIS2 Art. 21(2)(b) 'incident handling' via get_provision NIS2:art_21, resolution_method=exact (sub-point folds to parent). Blue: NIS2:art_21 (eur-lex), SS-EN ISO/IEC 27001:2023 A.5.24 (SIS). Amber: ENISA guidance (CC-BY-4). Gray: none load-bearing. No on-point ruling; broadened fan-out returned an unrelated CJEU appeal-admissibility opinion (ECLI:EU:C:2024:522) \u2014 not cited as authority. case_law_unconfirmed: true. ENISA NIS2 Technical Implementation Guidance, 'INCIDENT HANDLING POLICY' section: define clear objectives; ensure policy complies with laws/regulations/standards. Fetched, ENISA-CC-BY-4. Add the Art. 23 authority-notification chain to \u00a76 (see reporting assessment), define incident roles beyond the security officer (A.5.24), reference GDPR Art. 33/34 breach duties, and adopt an annual incident-response exercise. SS-EN ISO/IEC 27001:2023 A.5.24 Information security incident management planning and preparation (PARTIAL: process exists; roles beyond security officer undefined, no exercise cadence). Attribution: SIS-Reproduction-Licence. GDPR: applies \u2014 personal-data breaches in the TMS would trigger Art. 33/34 duties not referenced by \u00a76. EU AI Act: not applicable. CSRD: not applicable (size). EN 301 549: not applicable. NIS2: primary. True Policy \u00a76 Incident management (0.p15): immediate reporting duty to security officer, 4-hour classification on a three-level severity ladder, security-officer-led response, 72-hour customer notification for incidents affecting customer data or availability, post-incident review within two weeks for major/critical with recorded lessons learned. This covers detection, triage, response and learning \u2014 the core of Art. 21(2)(b).",
   "evidence_references": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p15",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21",
    "https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance"
   ],
   "regulatory_citations": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p15",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21",
    "https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance"
   ],
   "remediation": null,
   "resolution_method": null,
   "mapped_controls": [],
   "attribution": [
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    },
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    },
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    }
   ],
   "attribution_missing": true,
   "regulatory_basis_unresolved": false
  },
  {
   "control_id": "Art.21.2.c",
   "control_title": "Business continuity and crisis management",
   "compliance_level": "partial",
   "evidence_tier": "documentary",
   "gap_description": "No crisis-management function or escalation organisation (who declares a crisis, who communicates \u2014 IR (EU) 2024/2690 Annex I \u00a74 expects crisis management distinct from backups; DORA Art. 11 illustrates the expected shape). No defined RTO/RPO. Restore testing annual-only; SS-EN ISO/IEC 27001:2023 A.5.30 requires ICT readiness 'planned, implemented, maintained and tested' based on business requirements \u2014 a single untested-in-anger runbook does not satisfy it. Verdict: partial. EE scope FAILED AGAIN this pass ('EE temporarily unavailable', 22 servers) \u2014 EE reachability is intermittent this run (down for controls a and c, up for b). Estonian transposition detail remains unverified; held unresolved. NIS2 Art. 21(2)(c) 'business continuity, such as backup management and disaster recovery, and crisis management' via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21, IR 2024/2690 Annex I \u00a74 (eur-lex), SS-EN ISO/IEC 27001:2023 A.5.30 (SIS). Amber: ENISA + Commission guidance. Gray: none load-bearing. No on-point ruling; broadened fan-out surfaced IR 2024/2690 Annex I \u00a74 (used as Blue anchor) and an off-topic bank-resolution opinion (ECLI:EU:C:2024:511, not cited as authority). case_law_unconfirmed: true. ENISA NIS2 Technical Implementation Guidance 'BUSINESS CONTINUITY AND CRISIS MANAGEMENT' section + Commission NIS2 Art. 4 Guidelines enumerating 21(2) measures. Both fetched. Define RTO/RPO per service, add a crisis-management procedure with declared roles and communication plan (IR 2024/2690 Annex I \u00a74), and raise restore/failover testing beyond annual per A.5.30. SS-EN ISO/IEC 27001:2023 A.5.30 ICT readiness for business continuity (PARTIAL: backups exist, readiness not tested against business requirements; no RTO/RPO). Attribution: SIS-Reproduction-Licence. GDPR: applies (Art. 32(1)(c) restore availability after incident). DORA: NOT directly applicable (Baltika is not a financial entity) but fetched Art. 11 shows the crisis-function shape; noted as comparative only. EU AI Act / CSRD / EN 301 549: not applicable. NIS2: primary. True Policy \u00a77 (0.p17): daily database backups to a separate availability zone, 35-day retention, one restore test per year, written recovery runbook, restore-from-backup strategy for regional outage. Backup management and basic disaster recovery exist.",
   "evidence_references": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p17",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21"
   ],
   "regulatory_citations": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p17",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21"
   ],
   "remediation": "Strengthen and complete controls for \u201cArt.21.2.c\u201d. Address the identified gap: No crisis-management function or escalation organisation (who declares a crisis, who communicates \u2014 IR (EU) 2024/2690 Annex I \u00a74 expects crisis management distinct from backups; DORA Art. 11 illustrates the expected shape). No defined RTO/RPO. Restore testing annual-only; SS-EN ISO/IEC 27001:2023 A.5.30 requires ICT readiness 'planned, implemented, maintained and tested' based on business requirements \u2014 a single untested-in-anger runbook does not satisfy it. Verdict: partial. EE scope FAILED AGAIN this pass ('EE temporarily unavailable', 22 servers) \u2014 EE reachability is intermittent this run (down for controls a and c, up for b). Estonian transposition detail remains unverified; held unresolved. NIS2 Art. 21(2)(c) 'business continuity, such as backup management and disaster recovery, and crisis management' via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21, IR 2024/2690 Annex I \u00a74 (eur-lex), SS-EN ISO/IEC 27001:2023 A.5.30 (SIS). Amber: ENISA + Commission guidance. Gray: none load-bearing. No on-point ruling; broadened fan-out surfaced IR 2024/2690 Annex I \u00a74 (used as Blue anchor) and an off-topic bank-resolution opinion (ECLI:EU:C:2024:511, not cited as authority). case_law_unconfirmed: true. ENISA NIS2 Technical Implementation Guidance 'BUSINESS CONTINUITY AND CRISIS MANAGEMENT' section + Commission NIS2 Art. 4 Guidelines enumerating 21(2) measures. Both fetched. Define RTO/RPO per service, add a crisis-management procedure with declared roles and communication plan (IR 2024/2690 Annex I \u00a74), and raise restore/failover testing beyond annual per A.5.30. SS-EN ISO/IEC 27001:2023 A.5.30 ICT readiness for business continuity (PARTIAL: backups exist, readiness not tested against business requirements; no RTO/RPO). Attribution: SIS-Reproduction-Licence. GDPR: applies (Art. 32(1)(c) restore availability after incident). DORA: NOT directly applicable (Baltika is not a financial entity) but fetched Art. 11 shows the crisis-function shape; noted as comparative only. EU AI Act / CSRD / EN 301 549: not applicable. NIS2: primary. True Policy \u00a77 (0.p17): daily database backups to a separate availability zone, 35-day retention, one restore test per year, written recovery runbook, restore-from-backup strategy for regional outage. Backup management and basic disaster recovery exist.",
   "resolution_method": null,
   "mapped_controls": [],
   "attribution": [
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    },
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    }
   ],
   "attribution_missing": true,
   "regulatory_basis_unresolved": false
  },
  {
   "control_id": "Art.21.2.d",
   "control_title": "Supply chain security",
   "compliance_level": "not_implemented",
   "evidence_tier": "documentary",
   "gap_description": "Entire measure missing. NIS2 Art. 21(2)(d) requires supply-chain security including 'security-related aspects concerning the relationships between each entity and its direct suppliers or service providers', and Art. 21(3) requires weighing supplier-specific vulnerabilities and overall supplier practices. NIS Cooperation Group guidance: the policy 'should identify the entity's role in the supply chain and state network and information security requirements accordingly to direct suppliers'. ISO 27001 A.5.19 (supplier relationships), A.5.22 (monitoring/review of supplier services), A.5.23 (cloud services security requirements) all unaddressed \u2014 A.5.23 is acute since the entire platform runs on one cloud provider. Verdict: not_implemented. Highest-priority gap of the register. EE corpus responded this pass; broadened rows tangential (vehicle type-approval, REACH). No sector modifier surfaced. Estonian transposition detail still unverified overall this run. NIS2 Art. 21(2)(d) + Art. 21(3) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21 incl. 21(3) (eur-lex), SS-EN ISO/IEC 27001:2023 A.5.19/A.5.22/A.5.23 (SIS). Amber: NIS Cooperation Group + ENISA/JRC guidance. Gray: none load-bearing. No on-point security ruling \u2014 the only case-law row (ECLI:EU:C:2022:923 Tilman v Unilever Supply Chain) is a jurisdiction-clause dispute matching on the words 'supply chain', not authority here; not cited. case_law_unconfirmed: true. NIS Cooperation Group security-measures guidance ('Supply chain security policy' \u2014 identify role, state requirements to direct suppliers) + ENISA/JRC CRA standards mapping. Both fetched. Author a supplier-security policy: supplier/dependency inventory (start: hosting provider, CI/CD, key third-party components), minimum security requirements + contractual clauses per A.5.19/A.5.23 and GDPR Art. 28, annual supplier review per A.5.22, and reclaim or contractually bind encryption-key management currently delegated in \u00a75. SS-EN ISO/IEC 27001:2023 A.5.19 Information security in supplier relationships (MISSING), A.5.22 Monitoring, review and change management of supplier services (MISSING), A.5.23 Information security for use of cloud services (MISSING \u2014 acute). Attribution: SIS-Reproduction-Licence. GDPR: applies \u2014 the hosting provider is a processor; Art. 28 contract obligations intersect (fetched EDPB/EDPS row references Art. 28 security measures). EU AI Act / CSRD / EN 301 549: not applicable. CRA: relevant only as supplier-side context (fetched ENISA CRA standards mapping references supply-chain security standards). True None. The policy contains no supply-chain security section. The only supplier reference is \u00a711 (0.p25): production is 'hosted with a cloud provider certified to recognised security standards' \u2014 an unnamed certification claim, not a supplier-security measure. There is no supplier inventory, no security requirements flowed to direct suppliers (hosting provider, CI/CD tooling, third-party dependencies), no supplier monitoring or exit criteria, and \u00a75 even delegates encryption-key management to the hosting provider without any contractual security requirement.",
   "evidence_references": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p25",
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p13",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21"
   ],
   "regulatory_citations": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p25",
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p13",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21"
   ],
   "remediation": "Establish and document controls for \u201cArt.21.2.d\u201d. Address the identified gap: Entire measure missing. NIS2 Art. 21(2)(d) requires supply-chain security including 'security-related aspects concerning the relationships between each entity and its direct suppliers or service providers', and Art. 21(3) requires weighing supplier-specific vulnerabilities and overall supplier practices. NIS Cooperation Group guidance: the policy 'should identify the entity's role in the supply chain and state network and information security requirements accordingly to direct suppliers'. ISO 27001 A.5.19 (supplier relationships), A.5.22 (monitoring/review of supplier services), A.5.23 (cloud services security requirements) all unaddressed \u2014 A.5.23 is acute since the entire platform runs on one cloud provider. Verdict: not_implemented. Highest-priority gap of the register. EE corpus responded this pass; broadened rows tangential (vehicle type-approval, REACH). No sector modifier surfaced. Estonian transposition detail still unverified overall this run. NIS2 Art. 21(2)(d) + Art. 21(3) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21 incl. 21(3) (eur-lex), SS-EN ISO/IEC 27001:2023 A.5.19/A.5.22/A.5.23 (SIS). Amber: NIS Cooperation Group + ENISA/JRC guidance. Gray: none load-bearing. No on-point security ruling \u2014 the only case-law row (ECLI:EU:C:2022:923 Tilman v Unilever Supply Chain) is a jurisdiction-clause dispute matching on the words 'supply chain', not authority here; not cited. case_law_unconfirmed: true. NIS Cooperation Group security-measures guidance ('Supply chain security policy' \u2014 identify role, state requirements to direct suppliers) + ENISA/JRC CRA standards mapping. Both fetched. Author a supplier-security policy: supplier/dependency inventory (start: hosting provider, CI/CD, key third-party components), minimum security requirements + contractual clauses per A.5.19/A.5.23 and GDPR Art. 28, annual supplier review per A.5.22, and reclaim or contractually bind encryption-key management currently delegated in \u00a75. SS-EN ISO/IEC 27001:2023 A.5.19 Information security in supplier relationships (MISSING), A.5.22 Monitoring, review and change management of supplier services (MISSING), A.5.23 Information security for use of cloud services (MISSING \u2014 acute). Attribution: SIS-Reproduction-Licence. GDPR: applies \u2014 the hosting provider is a processor; Art. 28 contract obligations intersect (fetched EDPB/EDPS row references Art. 28 security measures). EU AI Act / CSRD / EN 301 549: not applicable. CRA: relevant only as supplier-side context (fetched ENISA CRA standards mapping references supply-chain security standards). True None. The policy contains no supply-chain security section. The only supplier reference is \u00a711 (0.p25): production is 'hosted with a cloud provider certified to recognised security standards' \u2014 an unnamed certification claim, not a supplier-security measure. There is no supplier inventory, no security requirements flowed to direct suppliers (hosting provider, CI/CD tooling, third-party dependencies), no supplier monitoring or exit criteria, and \u00a75 even delegates encryption-key management to the hosting provider without any contractual security requirement.",
   "resolution_method": null,
   "mapped_controls": [],
   "attribution": [
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    },
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    },
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    }
   ],
   "attribution_missing": true,
   "regulatory_basis_unresolved": false
  },
  {
   "control_id": "Art.21.2.e",
   "control_title": "Security in network and information systems acquisition, development and maintenance",
   "compliance_level": "partial",
   "evidence_tier": "documentary",
   "gap_description": "The measure's other half is missing: no coordinated vulnerability DISCLOSURE channel (Art. 21(2)(e) explicitly includes 'vulnerability handling and disclosure' \u2014 no security.txt, no reporting contact, no CVD procedure for external reporters). No secure-development rules for Baltika's own TMS code (ISO 27001 A.8.25 secure development life cycle, A.8.28 secure coding \u2014 the policy covers third-party dependencies but not first-party code standards), and no acquisition-security requirements for procured systems. Verdict: partial. EE scope FAILED this pass again ('EE temporarily unavailable', 22 servers). Third EE failure of the run (a, c, e); transposition detail stays unresolved. NIS2 Art. 21(2)(e) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21, IR 2024/2690 Annex I \u00a76 (eur-lex), SS-EN ISO/IEC 27001:2023 A.8.8/A.8.25/A.8.28 (SIS). Amber: ENISA guidance. Gray: none load-bearing. No case-law rows; broadened results returned IR (EU) 2024/2690 Annex I \u00a76 (Security in acquisition/development/maintenance) \u2014 used as Blue anchor. case_law_unconfirmed: true. ENISA NIS2 Technical Implementation Guidance, 'SECURITY IN NETWORK AND INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE' section. Fetched. Publish a coordinated vulnerability disclosure channel (security.txt + CVD procedure), adopt secure-development rules for first-party TMS code per A.8.25/A.8.28, and add security requirements to system acquisition. SS-EN ISO/IEC 27001:2023 A.8.8 Management of technical vulnerabilities (LARGELY MET by \u00a78), A.8.25 Secure development life cycle (MISSING for first-party code), A.8.28 Secure coding (MISSING). Attribution: SIS-Reproduction-Licence. GDPR: applies indirectly (Art. 32 state-of-the-art maintenance). EU AI Act / CSRD / EN 301 549: not applicable. CRA: would apply to Baltika as software manufacturer once placed on the market with digital elements post-transition \u2014 flagged as forward-looking only, not assessed. NIS2: primary. True Policy \u00a78 (0.p19): monthly OS/dependency patch cycle, 72-hour patching of vendor-critical vulnerabilities, CI dependency scanning that blocks builds on known-critical findings. Maintenance-side vulnerability HANDLING is real and operational.",
   "evidence_references": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p19",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21"
   ],
   "regulatory_citations": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p19",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21"
   ],
   "remediation": "Strengthen and complete controls for \u201cArt.21.2.e\u201d. Address the identified gap: The measure's other half is missing: no coordinated vulnerability DISCLOSURE channel (Art. 21(2)(e) explicitly includes 'vulnerability handling and disclosure' \u2014 no security.txt, no reporting contact, no CVD procedure for external reporters). No secure-development rules for Baltika's own TMS code (ISO 27001 A.8.25 secure development life cycle, A.8.28 secure coding \u2014 the policy covers third-party dependencies but not first-party code standards), and no acquisition-security requirements for procured systems. Verdict: partial. EE scope FAILED this pass again ('EE temporarily unavailable', 22 servers). Third EE failure of the run (a, c, e); transposition detail stays unresolved. NIS2 Art. 21(2)(e) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21, IR 2024/2690 Annex I \u00a76 (eur-lex), SS-EN ISO/IEC 27001:2023 A.8.8/A.8.25/A.8.28 (SIS). Amber: ENISA guidance. Gray: none load-bearing. No case-law rows; broadened results returned IR (EU) 2024/2690 Annex I \u00a76 (Security in acquisition/development/maintenance) \u2014 used as Blue anchor. case_law_unconfirmed: true. ENISA NIS2 Technical Implementation Guidance, 'SECURITY IN NETWORK AND INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE' section. Fetched. Publish a coordinated vulnerability disclosure channel (security.txt + CVD procedure), adopt secure-development rules for first-party TMS code per A.8.25/A.8.28, and add security requirements to system acquisition. SS-EN ISO/IEC 27001:2023 A.8.8 Management of technical vulnerabilities (LARGELY MET by \u00a78), A.8.25 Secure development life cycle (MISSING for first-party code), A.8.28 Secure coding (MISSING). Attribution: SIS-Reproduction-Licence. GDPR: applies indirectly (Art. 32 state-of-the-art maintenance). EU AI Act / CSRD / EN 301 549: not applicable. CRA: would apply to Baltika as software manufacturer once placed on the market with digital elements post-transition \u2014 flagged as forward-looking only, not assessed. NIS2: primary. True Policy \u00a78 (0.p19): monthly OS/dependency patch cycle, 72-hour patching of vendor-critical vulnerabilities, CI dependency scanning that blocks builds on known-critical findings. Maintenance-side vulnerability HANDLING is real and operational.",
   "resolution_method": null,
   "mapped_controls": [],
   "attribution": [
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    },
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    }
   ],
   "attribution_missing": true,
   "regulatory_basis_unresolved": false
  },
  {
   "control_id": "Art.21.2.f",
   "control_title": "Policies and procedures to assess the effectiveness of cybersecurity risk-management measures",
   "compliance_level": "partial",
   "evidence_tier": "documentary",
   "gap_description": "No defined policy or procedure to assess whether the risk-management measures WORK: no security metrics/KPIs (ISO 27001 9.1 monitoring, measurement, analysis and evaluation), no internal audit programme, no management review with defined inputs (9.3.2 expects nonconformities, monitoring results, audit results), no penetration testing or control-testing cadence. ENISA guidance for Art. 21(2)(f) expects an established, implemented and applied policy assessing measure effectiveness. Reviewing the policy DOCUMENT annually is not assessing the MEASURES. Verdict: partial (weak). EE scope FAILED this pass ('EE temporarily unavailable', 22 servers). Fourth EE failure of the run; transposition detail stays unresolved. NIS2 Art. 21(2)(f) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21, IR 2024/2690 Annex I \u00a77 (eur-lex), SS-EN ISO/IEC 27001:2023 9.1/9.3.2 (SIS). Amber: ENISA guidance. Gray: none load-bearing. No case-law rows; broadened results = IR 2024/2690 Annex I \u00a77 (Blue anchor) + an off-topic REACH provision (not cited). case_law_unconfirmed: true. ENISA NIS2 Technical Implementation Guidance ('establish, implement and apply a policy and procedures to assess whether the cybersecurity risk-management measures\u2026') + ENISA ECSF/NIS2 roles mapping (risk assessment reports and remediation plans to assess and improve effectiveness). Both fetched. Define an effectiveness-assessment procedure: a small KPI set (patch latency, restore-test results, incident MTTR, training completion), an annual internal audit or control self-assessment, and a management review with the 9.3.2 input list. SS-EN ISO/IEC 27001:2023 9.1 Monitoring, measurement, analysis and evaluation (MISSING), 9.3.2 Management review inputs (PARTIAL: review exists, inputs undefined), internal audit 9.2 (MISSING \u2014 surfaced as 9.2.1 in the control-a fetch). Attribution: SIS-Reproduction-Licence. GDPR: applies \u2014 Art. 32(1)(d) requires 'a process for regularly testing, assessing and evaluating the effectiveness' of security measures; same gap. EU AI Act / CSRD / EN 301 549: not applicable. NIS2: primary (IR 2024/2690 Annex I \u00a77 details the requirement). True Policy \u00a72 (0.p7): management reviews and re-approves the policy annually or after any material incident; quarterly security reporting to management. \u00a712 (0.p27): exception register with approvals. These are governance touchpoints, not an effectiveness-assessment procedure.",
   "evidence_references": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p7",
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p27",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21"
   ],
   "regulatory_citations": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p7",
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p27",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21"
   ],
   "remediation": "Strengthen and complete controls for \u201cArt.21.2.f\u201d. Address the identified gap: No defined policy or procedure to assess whether the risk-management measures WORK: no security metrics/KPIs (ISO 27001 9.1 monitoring, measurement, analysis and evaluation), no internal audit programme, no management review with defined inputs (9.3.2 expects nonconformities, monitoring results, audit results), no penetration testing or control-testing cadence. ENISA guidance for Art. 21(2)(f) expects an established, implemented and applied policy assessing measure effectiveness. Reviewing the policy DOCUMENT annually is not assessing the MEASURES. Verdict: partial (weak). EE scope FAILED this pass ('EE temporarily unavailable', 22 servers). Fourth EE failure of the run; transposition detail stays unresolved. NIS2 Art. 21(2)(f) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21, IR 2024/2690 Annex I \u00a77 (eur-lex), SS-EN ISO/IEC 27001:2023 9.1/9.3.2 (SIS). Amber: ENISA guidance. Gray: none load-bearing. No case-law rows; broadened results = IR 2024/2690 Annex I \u00a77 (Blue anchor) + an off-topic REACH provision (not cited). case_law_unconfirmed: true. ENISA NIS2 Technical Implementation Guidance ('establish, implement and apply a policy and procedures to assess whether the cybersecurity risk-management measures\u2026') + ENISA ECSF/NIS2 roles mapping (risk assessment reports and remediation plans to assess and improve effectiveness). Both fetched. Define an effectiveness-assessment procedure: a small KPI set (patch latency, restore-test results, incident MTTR, training completion), an annual internal audit or control self-assessment, and a management review with the 9.3.2 input list. SS-EN ISO/IEC 27001:2023 9.1 Monitoring, measurement, analysis and evaluation (MISSING), 9.3.2 Management review inputs (PARTIAL: review exists, inputs undefined), internal audit 9.2 (MISSING \u2014 surfaced as 9.2.1 in the control-a fetch). Attribution: SIS-Reproduction-Licence. GDPR: applies \u2014 Art. 32(1)(d) requires 'a process for regularly testing, assessing and evaluating the effectiveness' of security measures; same gap. EU AI Act / CSRD / EN 301 549: not applicable. NIS2: primary (IR 2024/2690 Annex I \u00a77 details the requirement). True Policy \u00a72 (0.p7): management reviews and re-approves the policy annually or after any material incident; quarterly security reporting to management. \u00a712 (0.p27): exception register with approvals. These are governance touchpoints, not an effectiveness-assessment procedure.",
   "resolution_method": null,
   "mapped_controls": [],
   "attribution": [
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    },
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    },
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    }
   ],
   "attribution_missing": true,
   "regulatory_basis_unresolved": false
  },
  {
   "control_id": "Art.21.2.g",
   "control_title": "Basic cyber hygiene practices and cybersecurity training",
   "compliance_level": "largely_compliant",
   "evidence_tier": "documentary",
   "gap_description": "Two-year cadence for engineering secure-development training is thin against an annual baseline; no management-body training (NIS2 Art. 20(2) expects management to follow training \u2014 ENISA roles guidance targets 'training programmes aimed at members of management bodies'); no phishing-simulation or effectiveness check on the training (ISO 27001 7.3 awareness + A.6.3 'regular updates'). Verdict: largely_compliant. EE scope FAILED this pass ('EE temporarily unavailable', 22 servers). Fifth EE failure of the run; transposition detail stays unresolved. NIS2 Art. 21(2)(g) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21, IR 2024/2690 Annex I \u00a78 (eur-lex), SS-EN ISO/IEC 27001:2023 A.6.3/7.3 (SIS). Amber: ENISA guidance. Gray: none load-bearing. No case-law rows; broadened results = IR 2024/2690 Annex I \u00a78 (Blue anchor) + an EIOPA supervisory statement (insurance-sector, tangential, not cited as authority). case_law_unconfirmed: true. ENISA NIS2 Technical Implementation Guidance 'AWARENESS RAISING AND BASIC CYBER HYGIENE PRACTICES' + ENISA roles/skills (management-body training programmes). Both fetched. Add management-body cybersecurity training (NIS2 Art. 20(2)), raise engineering secure-development training to annual, and add a simple training-effectiveness check (completion tracking + periodic phishing simulation). SS-EN ISO/IEC 27001:2023 A.6.3 Information security awareness, education and training (LARGELY MET; 'regular updates' partially \u2014 annual only, no effectiveness check), 7.3 Awareness (MET in substance). Attribution: SIS-Reproduction-Licence. GDPR: applies lightly (Art. 39(1)(b) awareness-raising is DPO-side; \u00a79's data-handling module covers staff). EU AI Act / CSRD / EN 301 549: not applicable. NIS2: primary (IR 2024/2690 Annex I \u00a78 'Basic cyber hygiene practices and security training'). True Policy \u00a79 (0.p21): security awareness training at onboarding and annually (phishing, password hygiene, data handling, incident reporting), plus secure-development training for engineering every two years. \u00a74 (0.p11): password rules (12+ chars, unique, password manager, no shared production accounts) \u2014 core hygiene practices. This is the policy's second-strongest area.",
   "evidence_references": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p21",
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p11",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21"
   ],
   "regulatory_citations": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p21",
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p11",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21"
   ],
   "remediation": null,
   "resolution_method": null,
   "mapped_controls": [],
   "attribution": [
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    },
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    },
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    }
   ],
   "attribution_missing": true,
   "regulatory_basis_unresolved": false
  },
  {
   "control_id": "Art.21.2.h",
   "control_title": "Policies and procedures regarding the use of cryptography and encryption",
   "compliance_level": "partial",
   "evidence_tier": "documentary",
   "gap_description": "The at-rest commitment is conditional \u2014 'where technically feasible' is a weasel clause that makes the control unverifiable (IR 2024/2690 Annex I \u00a79 expects a policy 'ensuring adequate and effective use of cryptography'; ISO 27001 A.8.24 requires RULES for effective use of cryptography INCLUDING cryptographic key management). Key management is wholly delegated to the hosting provider with no requirements, no inventory of what is/isn't encrypted at rest, no algorithm/protocol baseline (TLS 1.2 floor is dated; no 1.3 preference stated). Verdict: partial. EE scope FAILED this pass ('EE temporarily unavailable', 22 servers). Sixth EE failure of the run; transposition detail stays unresolved. NIS2 Art. 21(2)(h) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21, IR 2024/2690 Annex I \u00a79 (eur-lex), SS-EN ISO/IEC 27001:2023 A.8.24 (SIS). Amber: Commission guidelines, ENISA IoT crypto practices. Gray: none load-bearing. No case-law rows; broadened results = IR 2024/2690 Annex I \u00a79 cryptography policy text (Blue anchor). case_law_unconfirmed: true. Commission NIS2 Art. 4 Guidelines (enumerating the cryptography measure) + MDCG 2019-16 mapping row (tangential, not load-bearing). Fetched. Replace 'where technically feasible' with a definitive at-rest encryption statement plus a documented exception list; add key-management rules (ownership, rotation, escrow) per A.8.24 \u2014 or contractual requirements on the provider; state an algorithm/protocol baseline with TLS 1.3 preferred. SS-EN ISO/IEC 27001:2023 A.8.24 Use of cryptography (PARTIAL: transit rules exist; key-management rules absent, at-rest conditional), A.5.23 cloud-services security (intersects \u2014 key management delegated without requirements, same finding as control d). Attribution: SIS-Reproduction-Licence. GDPR: applies directly \u2014 Art. 32(1)(a) names encryption of personal data; the conditional at-rest clause weakens the Art. 32 posture too. EU AI Act / CSRD / EN 301 549: not applicable. NIS2: primary. True Policy \u00a75 (0.p13): TLS 1.2+ for all customer data in transit; data at rest encrypted 'where the underlying hosting platform makes this technically feasible'; encryption keys for customer-facing services 'managed by the hosting provider'.",
   "evidence_references": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p13",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21"
   ],
   "regulatory_citations": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p13",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21"
   ],
   "remediation": "Strengthen and complete controls for \u201cArt.21.2.h\u201d. Address the identified gap: The at-rest commitment is conditional \u2014 'where technically feasible' is a weasel clause that makes the control unverifiable (IR 2024/2690 Annex I \u00a79 expects a policy 'ensuring adequate and effective use of cryptography'; ISO 27001 A.8.24 requires RULES for effective use of cryptography INCLUDING cryptographic key management). Key management is wholly delegated to the hosting provider with no requirements, no inventory of what is/isn't encrypted at rest, no algorithm/protocol baseline (TLS 1.2 floor is dated; no 1.3 preference stated). Verdict: partial. EE scope FAILED this pass ('EE temporarily unavailable', 22 servers). Sixth EE failure of the run; transposition detail stays unresolved. NIS2 Art. 21(2)(h) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21, IR 2024/2690 Annex I \u00a79 (eur-lex), SS-EN ISO/IEC 27001:2023 A.8.24 (SIS). Amber: Commission guidelines, ENISA IoT crypto practices. Gray: none load-bearing. No case-law rows; broadened results = IR 2024/2690 Annex I \u00a79 cryptography policy text (Blue anchor). case_law_unconfirmed: true. Commission NIS2 Art. 4 Guidelines (enumerating the cryptography measure) + MDCG 2019-16 mapping row (tangential, not load-bearing). Fetched. Replace 'where technically feasible' with a definitive at-rest encryption statement plus a documented exception list; add key-management rules (ownership, rotation, escrow) per A.8.24 \u2014 or contractual requirements on the provider; state an algorithm/protocol baseline with TLS 1.3 preferred. SS-EN ISO/IEC 27001:2023 A.8.24 Use of cryptography (PARTIAL: transit rules exist; key-management rules absent, at-rest conditional), A.5.23 cloud-services security (intersects \u2014 key management delegated without requirements, same finding as control d). Attribution: SIS-Reproduction-Licence. GDPR: applies directly \u2014 Art. 32(1)(a) names encryption of personal data; the conditional at-rest clause weakens the Art. 32 posture too. EU AI Act / CSRD / EN 301 549: not applicable. NIS2: primary. True Policy \u00a75 (0.p13): TLS 1.2+ for all customer data in transit; data at rest encrypted 'where the underlying hosting platform makes this technically feasible'; encryption keys for customer-facing services 'managed by the hosting provider'.",
   "resolution_method": null,
   "mapped_controls": [],
   "attribution": [
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    },
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    }
   ],
   "attribution_missing": true,
   "regulatory_basis_unresolved": false
  },
  {
   "control_id": "Art.21.2.i",
   "control_title": "Human resources security, access control policies and asset management",
   "compliance_level": "partial",
   "evidence_tier": "documentary",
   "gap_description": "The third component \u2014 ASSET MANAGEMENT \u2014 is absent: no inventory of information and associated assets with owners (ISO 27001 A.5.9), no asset classification, no acceptable-use rules. Also no privileged-access-specific rules beyond the general least-privilege statement (A.8.2 expects restricted allocation of privileged rights). Verdict: partial (access control and HR strong, asset management missing). EE scope FAILED this pass ('EE temporarily unavailable', 22 servers). Seventh EE failure of the run; transposition detail stays unresolved. NIS2 Art. 21(2)(i) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21 (eur-lex), SS-EN ISO/IEC 27001:2023 A.5.9/A.5.18/A.8.2 (SIS). Amber: NIS CG + ENISA guidance. Gray: none load-bearing. No on-point ruling (broadened rows: ENISA guidance + an unrelated batteries-regulation recital, not cited). case_law_unconfirmed: true. NIS Cooperation Group security measures ('should also address human resources security and have in place appropriate access control policies') + ENISA NIS2 Technical Implementation Guidance (access control in line with HR security procedures \u00a710.1). Both fetched. Create an asset inventory with named owners and classification (A.5.9) \u2014 for a 90-person SaaS this is a spreadsheet-day, not a programme; add privileged-access rules (A.8.2: separate admin accounts, JIT elevation where possible). SS-EN ISO/IEC 27001:2023 A.5.9 Inventory of information and other associated assets (MISSING), A.5.18 Access rights (MET by \u00a74), A.8.2 Privileged access rights (PARTIAL). Attribution: SIS-Reproduction-Licence. GDPR: applies (Art. 32 access control; Art. 30 records intersect asset inventory). EU AI Act / CSRD / EN 301 549: not applicable. DORA RTS 2024/1774 Art. 18 fetched as comparative shape only (financial-sector, not applicable to Baltika). NIS2: primary. True Access control \u2014 policy \u00a74 (0.p11): least privilege, role-based, quarterly reviews, next-business-day revocation on exit, password rules, no shared production accounts. HR security \u2014 \u00a710 (0.p23): confidentiality clauses, reference checks for production-access hires, offboarding with equipment return. Two of the measure's three components are genuinely covered.",
   "evidence_references": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p11",
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p23",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21"
   ],
   "regulatory_citations": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p11",
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p23",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21"
   ],
   "remediation": "Strengthen and complete controls for \u201cArt.21.2.i\u201d. Address the identified gap: The third component \u2014 ASSET MANAGEMENT \u2014 is absent: no inventory of information and associated assets with owners (ISO 27001 A.5.9), no asset classification, no acceptable-use rules. Also no privileged-access-specific rules beyond the general least-privilege statement (A.8.2 expects restricted allocation of privileged rights). Verdict: partial (access control and HR strong, asset management missing). EE scope FAILED this pass ('EE temporarily unavailable', 22 servers). Seventh EE failure of the run; transposition detail stays unresolved. NIS2 Art. 21(2)(i) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21 (eur-lex), SS-EN ISO/IEC 27001:2023 A.5.9/A.5.18/A.8.2 (SIS). Amber: NIS CG + ENISA guidance. Gray: none load-bearing. No on-point ruling (broadened rows: ENISA guidance + an unrelated batteries-regulation recital, not cited). case_law_unconfirmed: true. NIS Cooperation Group security measures ('should also address human resources security and have in place appropriate access control policies') + ENISA NIS2 Technical Implementation Guidance (access control in line with HR security procedures \u00a710.1). Both fetched. Create an asset inventory with named owners and classification (A.5.9) \u2014 for a 90-person SaaS this is a spreadsheet-day, not a programme; add privileged-access rules (A.8.2: separate admin accounts, JIT elevation where possible). SS-EN ISO/IEC 27001:2023 A.5.9 Inventory of information and other associated assets (MISSING), A.5.18 Access rights (MET by \u00a74), A.8.2 Privileged access rights (PARTIAL). Attribution: SIS-Reproduction-Licence. GDPR: applies (Art. 32 access control; Art. 30 records intersect asset inventory). EU AI Act / CSRD / EN 301 549: not applicable. DORA RTS 2024/1774 Art. 18 fetched as comparative shape only (financial-sector, not applicable to Baltika). NIS2: primary. True Access control \u2014 policy \u00a74 (0.p11): least privilege, role-based, quarterly reviews, next-business-day revocation on exit, password rules, no shared production accounts. HR security \u2014 \u00a710 (0.p23): confidentiality clauses, reference checks for production-access hires, offboarding with equipment return. Two of the measure's three components are genuinely covered.",
   "resolution_method": null,
   "mapped_controls": [],
   "attribution": [
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    },
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    },
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    }
   ],
   "attribution_missing": true,
   "regulatory_basis_unresolved": false
  },
  {
   "control_id": "Art.21.2.j",
   "control_title": "Multi-factor authentication, secured communication and emergency communication systems",
   "compliance_level": "not_implemented",
   "evidence_tier": "documentary",
   "gap_description": "NIS2 Art. 21(2)(j) expects MFA or continuous authentication 'where appropriate' \u2014 for a SaaS operator whose staff hold production access to customer freight data, MFA on production and admin access is squarely 'appropriate' (ENISA NIS2 guidance: access 'governed through strong logical access controls, such as multi-factor authentication'; ENISA Threat Landscape 2025 lists MFA (M1032) as the counter to credential misuse, the dominant intrusion vector). ISO 27001 A.8.5 requires secure authentication technologies based on access restrictions. Password-only production access in 2026 is a headline gap. Verdict: not_implemented. EE scope FAILED this pass ('EE temporarily unavailable', 22 servers). Eighth EE failure of the run; transposition detail stays unresolved. NIS2 Art. 21(2)(j) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21 (eur-lex), SS-EN ISO/IEC 27001:2023 A.8.5 (SIS). Amber: ENISA guidance \u00d72, ENISA ETL 2025. Gray: none load-bearing. No on-point ruling (broadened rows: UN-R10 EMC definition, off-topic; ENISA ETL access-privilege section used as guidance instead). case_law_unconfirmed: true. ENISA NIS2 Technical Implementation Guidance ('access to corporate resources is governed through strong logical access controls, such as multi-factor authentication') + ENISA roles/skills ('security features like multi-factor authentication (MFA), and secure communications for voice, video, text, and emergencies'). Both fetched. Mandate MFA for all production, admin, and remote access immediately (highest-impact, lowest-cost fix in this register), extend to all corporate accounts, and add an out-of-band emergency communication channel to \u00a76. SS-EN ISO/IEC 27001:2023 A.8.5 Secure authentication (MISSING \u2014 'secure authentication technologies and procedures shall be implemented based on information access restrictions'). Attribution: SIS-Reproduction-Licence. GDPR: applies (Art. 32 state-of-the-art \u2014 password-only access to personal data is below it). EU AI Act / CSRD / EN 301 549: not applicable. NIS2: primary. True None for multi-factor authentication: policy \u00a74 (0.p11) relies on passwords alone (12+ chars, unique, password manager) \u2014 MFA appears NOWHERE in the document, for production access, corporate IT, or the TMS platform. No continuous-authentication alternative, no secured-communications provision for incident/emergency coordination (if email/chat are down during an incident, \u00a76 has no out-of-band channel).",
   "evidence_references": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p11",
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p15",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21"
   ],
   "regulatory_citations": [
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p11",
    "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p15",
    "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21"
   ],
   "remediation": "Establish and document controls for \u201cArt.21.2.j\u201d. Address the identified gap: NIS2 Art. 21(2)(j) expects MFA or continuous authentication 'where appropriate' \u2014 for a SaaS operator whose staff hold production access to customer freight data, MFA on production and admin access is squarely 'appropriate' (ENISA NIS2 guidance: access 'governed through strong logical access controls, such as multi-factor authentication'; ENISA Threat Landscape 2025 lists MFA (M1032) as the counter to credential misuse, the dominant intrusion vector). ISO 27001 A.8.5 requires secure authentication technologies based on access restrictions. Password-only production access in 2026 is a headline gap. Verdict: not_implemented. EE scope FAILED this pass ('EE temporarily unavailable', 22 servers). Eighth EE failure of the run; transposition detail stays unresolved. NIS2 Art. 21(2)(j) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21 (eur-lex), SS-EN ISO/IEC 27001:2023 A.8.5 (SIS). Amber: ENISA guidance \u00d72, ENISA ETL 2025. Gray: none load-bearing. No on-point ruling (broadened rows: UN-R10 EMC definition, off-topic; ENISA ETL access-privilege section used as guidance instead). case_law_unconfirmed: true. ENISA NIS2 Technical Implementation Guidance ('access to corporate resources is governed through strong logical access controls, such as multi-factor authentication') + ENISA roles/skills ('security features like multi-factor authentication (MFA), and secure communications for voice, video, text, and emergencies'). Both fetched. Mandate MFA for all production, admin, and remote access immediately (highest-impact, lowest-cost fix in this register), extend to all corporate accounts, and add an out-of-band emergency communication channel to \u00a76. SS-EN ISO/IEC 27001:2023 A.8.5 Secure authentication (MISSING \u2014 'secure authentication technologies and procedures shall be implemented based on information access restrictions'). Attribution: SIS-Reproduction-Licence. GDPR: applies (Art. 32 state-of-the-art \u2014 password-only access to personal data is below it). EU AI Act / CSRD / EN 301 549: not applicable. NIS2: primary. True None for multi-factor authentication: policy \u00a74 (0.p11) relies on passwords alone (12+ chars, unique, password manager) \u2014 MFA appears NOWHERE in the document, for production access, corporate IT, or the TMS platform. No continuous-authentication alternative, no secured-communications provision for incident/emergency coordination (if email/chat are down during an incident, \u00a76 has no out-of-band channel).",
   "resolution_method": null,
   "mapped_controls": [],
   "attribution": [
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    },
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    },
    {
     "source_url": "",
     "publisher": "",
     "license": "",
     "attribution_text": "",
     "attribution_notice": null
    }
   ],
   "attribution_missing": true,
   "regulatory_basis_unresolved": false
  }
 ],
 "remediation_roadmap": [
  {
   "control_id": "Art.21.2.d",
   "control_title": "Supply chain security",
   "compliance_level": "not_implemented",
   "remediation": "Establish and document controls for \u201cArt.21.2.d\u201d. Address the identified gap: Entire measure missing. NIS2 Art. 21(2)(d) requires supply-chain security including 'security-related aspects concerning the relationships between each entity and its direct suppliers or service providers', and Art. 21(3) requires weighing supplier-specific vulnerabilities and overall supplier practices. NIS Cooperation Group guidance: the policy 'should identify the entity's role in the supply chain and state network and information security requirements accordingly to direct suppliers'. ISO 27001 A.5.19 (supplier relationships), A.5.22 (monitoring/review of supplier services), A.5.23 (cloud services security requirements) all unaddressed \u2014 A.5.23 is acute since the entire platform runs on one cloud provider. Verdict: not_implemented. Highest-priority gap of the register. EE corpus responded this pass; broadened rows tangential (vehicle type-approval, REACH). No sector modifier surfaced. Estonian transposition detail still unverified overall this run. NIS2 Art. 21(2)(d) + Art. 21(3) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21 incl. 21(3) (eur-lex), SS-EN ISO/IEC 27001:2023 A.5.19/A.5.22/A.5.23 (SIS). Amber: NIS Cooperation Group + ENISA/JRC guidance. Gray: none load-bearing. No on-point security ruling \u2014 the only case-law row (ECLI:EU:C:2022:923 Tilman v Unilever Supply Chain) is a jurisdiction-clause dispute matching on the words 'supply chain', not authority here; not cited. case_law_unconfirmed: true. NIS Cooperation Group security-measures guidance ('Supply chain security policy' \u2014 identify role, state requirements to direct suppliers) + ENISA/JRC CRA standards mapping. Both fetched. Author a supplier-security policy: supplier/dependency inventory (start: hosting provider, CI/CD, key third-party components), minimum security requirements + contractual clauses per A.5.19/A.5.23 and GDPR Art. 28, annual supplier review per A.5.22, and reclaim or contractually bind encryption-key management currently delegated in \u00a75. SS-EN ISO/IEC 27001:2023 A.5.19 Information security in supplier relationships (MISSING), A.5.22 Monitoring, review and change management of supplier services (MISSING), A.5.23 Information security for use of cloud services (MISSING \u2014 acute). Attribution: SIS-Reproduction-Licence. GDPR: applies \u2014 the hosting provider is a processor; Art. 28 contract obligations intersect (fetched EDPB/EDPS row references Art. 28 security measures). EU AI Act / CSRD / EN 301 549: not applicable. CRA: relevant only as supplier-side context (fetched ENISA CRA standards mapping references supply-chain security standards). True None. The policy contains no supply-chain security section. The only supplier reference is \u00a711 (0.p25): production is 'hosted with a cloud provider certified to recognised security standards' \u2014 an unnamed certification claim, not a supplier-security measure. There is no supplier inventory, no security requirements flowed to direct suppliers (hosting provider, CI/CD tooling, third-party dependencies), no supplier monitoring or exit criteria, and \u00a75 even delegates encryption-key management to the hosting provider without any contractual security requirement."
  },
  {
   "control_id": "Art.21.2.j",
   "control_title": "Multi-factor authentication, secured communication and emergency communication systems",
   "compliance_level": "not_implemented",
   "remediation": "Establish and document controls for \u201cArt.21.2.j\u201d. Address the identified gap: NIS2 Art. 21(2)(j) expects MFA or continuous authentication 'where appropriate' \u2014 for a SaaS operator whose staff hold production access to customer freight data, MFA on production and admin access is squarely 'appropriate' (ENISA NIS2 guidance: access 'governed through strong logical access controls, such as multi-factor authentication'; ENISA Threat Landscape 2025 lists MFA (M1032) as the counter to credential misuse, the dominant intrusion vector). ISO 27001 A.8.5 requires secure authentication technologies based on access restrictions. Password-only production access in 2026 is a headline gap. Verdict: not_implemented. EE scope FAILED this pass ('EE temporarily unavailable', 22 servers). Eighth EE failure of the run; transposition detail stays unresolved. NIS2 Art. 21(2)(j) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21 (eur-lex), SS-EN ISO/IEC 27001:2023 A.8.5 (SIS). Amber: ENISA guidance \u00d72, ENISA ETL 2025. Gray: none load-bearing. No on-point ruling (broadened rows: UN-R10 EMC definition, off-topic; ENISA ETL access-privilege section used as guidance instead). case_law_unconfirmed: true. ENISA NIS2 Technical Implementation Guidance ('access to corporate resources is governed through strong logical access controls, such as multi-factor authentication') + ENISA roles/skills ('security features like multi-factor authentication (MFA), and secure communications for voice, video, text, and emergencies'). Both fetched. Mandate MFA for all production, admin, and remote access immediately (highest-impact, lowest-cost fix in this register), extend to all corporate accounts, and add an out-of-band emergency communication channel to \u00a76. SS-EN ISO/IEC 27001:2023 A.8.5 Secure authentication (MISSING \u2014 'secure authentication technologies and procedures shall be implemented based on information access restrictions'). Attribution: SIS-Reproduction-Licence. GDPR: applies (Art. 32 state-of-the-art \u2014 password-only access to personal data is below it). EU AI Act / CSRD / EN 301 549: not applicable. NIS2: primary. True None for multi-factor authentication: policy \u00a74 (0.p11) relies on passwords alone (12+ chars, unique, password manager) \u2014 MFA appears NOWHERE in the document, for production access, corporate IT, or the TMS platform. No continuous-authentication alternative, no secured-communications provision for incident/emergency coordination (if email/chat are down during an incident, \u00a76 has no out-of-band channel)."
  },
  {
   "control_id": "Art.21.2.a",
   "control_title": "Risk analysis and information system security policies",
   "compliance_level": "partial",
   "remediation": "Strengthen and complete controls for \u201cArt.21.2.a\u201d. Address the identified gap: Risk analysis is informal: no documented methodology or criteria (ISO 27001 6.1.2), backlog-based risk register, annual-only cadence with no change-triggered reassessment (ISO 27001 8.2). NIS2 IR (EU) 2024/2690 Annex I additionally expects topic-specific policies and management-body information flows beyond the single policy document. Sector search returned only tangential EU rows; EE scope FAILED THIS RUN \u2014 gateway reported 'EE temporarily unavailable' (22 servers unavailable). Estonian transposition (k\u00fcberturvalisuse seadus / E-ITS baseline) NOT verified; held open as unresolved rather than assumed. NIS2 Art. 21(2)(a) 'policies on risk analysis and information system security' anchored via get_provision NIS2:art_21 (exact). resolution_method=exact (sub-point folded to parent article). Blue: NIS2:art_21 (eur-lex), IR 2024/2690 Annex I (eur-lex), SS-EN ISO/IEC 27001:2023 6.1.2/8.2/6.2 (SIS). Amber: ENISA guidance (CC-BY-4). Gray: none load-bearing. No case-law rows returned for this control (broadened search surfaced Implementing Regulation (EU) 2024/2690 Annex I instead, cited as Blue anchor). case_law_unconfirmed: true. ENISA NIS2 Technical Implementation Guidance + ENISA 'Cybersecurity roles and skills for NIS2 entities' \u2014 both fetched, license ENISA-CC-BY-4. Adopt a documented risk-assessment methodology with acceptance criteria (ISO 27001 6.1.2), move the risk register out of the engineering backlog, add change-triggered reassessment (8.2), and derive topic-specific policies per IR 2024/2690 Annex I \u00a71. SS-EN ISO/IEC 27001:2023 (SIS-licensed, fetched this run): 6.1.2 Information security risk assessment (defined process with criteria \u2014 MISSING), 8.2 risk assessment at planned intervals or on significant change (PARTIAL: annual only), 6.2 objectives from risk-assessment results (PARTIAL). Attribution: SIS-Reproduction-Licence. GDPR: applies (Art. 32 security of processing overlaps; customer TMS data is personal data in part). EU AI Act: not applicable (no AI system in the TMS per entity description). CSRD: not applicable at 90 employees (below thresholds). EN 301 549: not applicable to this control. NIS2: primary regime. True Policy POL-BLTK-2026-02 \u00a72 (governance: CEO accountable, security officer role, quarterly management reporting, annual re-approval) and \u00a73 (annual risk assessment covering TMS platform and corporate IT; risks recorded in engineering backlog; CEO sign-off for accepting high risks). An information-system security policy exists and is approved; a risk-analysis practice exists but has no defined methodology, no risk-acceptance criteria per ISO/IEC 27001 6.1.2, and no re-assessment trigger on material change (annual-only, contra SS-EN ISO/IEC 27001:2023 8.2 'planned intervals or when significant changes occur')."
  },
  {
   "control_id": "Art.21.2.c",
   "control_title": "Business continuity and crisis management",
   "compliance_level": "partial",
   "remediation": "Strengthen and complete controls for \u201cArt.21.2.c\u201d. Address the identified gap: No crisis-management function or escalation organisation (who declares a crisis, who communicates \u2014 IR (EU) 2024/2690 Annex I \u00a74 expects crisis management distinct from backups; DORA Art. 11 illustrates the expected shape). No defined RTO/RPO. Restore testing annual-only; SS-EN ISO/IEC 27001:2023 A.5.30 requires ICT readiness 'planned, implemented, maintained and tested' based on business requirements \u2014 a single untested-in-anger runbook does not satisfy it. Verdict: partial. EE scope FAILED AGAIN this pass ('EE temporarily unavailable', 22 servers) \u2014 EE reachability is intermittent this run (down for controls a and c, up for b). Estonian transposition detail remains unverified; held unresolved. NIS2 Art. 21(2)(c) 'business continuity, such as backup management and disaster recovery, and crisis management' via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21, IR 2024/2690 Annex I \u00a74 (eur-lex), SS-EN ISO/IEC 27001:2023 A.5.30 (SIS). Amber: ENISA + Commission guidance. Gray: none load-bearing. No on-point ruling; broadened fan-out surfaced IR 2024/2690 Annex I \u00a74 (used as Blue anchor) and an off-topic bank-resolution opinion (ECLI:EU:C:2024:511, not cited as authority). case_law_unconfirmed: true. ENISA NIS2 Technical Implementation Guidance 'BUSINESS CONTINUITY AND CRISIS MANAGEMENT' section + Commission NIS2 Art. 4 Guidelines enumerating 21(2) measures. Both fetched. Define RTO/RPO per service, add a crisis-management procedure with declared roles and communication plan (IR 2024/2690 Annex I \u00a74), and raise restore/failover testing beyond annual per A.5.30. SS-EN ISO/IEC 27001:2023 A.5.30 ICT readiness for business continuity (PARTIAL: backups exist, readiness not tested against business requirements; no RTO/RPO). Attribution: SIS-Reproduction-Licence. GDPR: applies (Art. 32(1)(c) restore availability after incident). DORA: NOT directly applicable (Baltika is not a financial entity) but fetched Art. 11 shows the crisis-function shape; noted as comparative only. EU AI Act / CSRD / EN 301 549: not applicable. NIS2: primary. True Policy \u00a77 (0.p17): daily database backups to a separate availability zone, 35-day retention, one restore test per year, written recovery runbook, restore-from-backup strategy for regional outage. Backup management and basic disaster recovery exist."
  },
  {
   "control_id": "Art.21.2.e",
   "control_title": "Security in network and information systems acquisition, development and maintenance",
   "compliance_level": "partial",
   "remediation": "Strengthen and complete controls for \u201cArt.21.2.e\u201d. Address the identified gap: The measure's other half is missing: no coordinated vulnerability DISCLOSURE channel (Art. 21(2)(e) explicitly includes 'vulnerability handling and disclosure' \u2014 no security.txt, no reporting contact, no CVD procedure for external reporters). No secure-development rules for Baltika's own TMS code (ISO 27001 A.8.25 secure development life cycle, A.8.28 secure coding \u2014 the policy covers third-party dependencies but not first-party code standards), and no acquisition-security requirements for procured systems. Verdict: partial. EE scope FAILED this pass again ('EE temporarily unavailable', 22 servers). Third EE failure of the run (a, c, e); transposition detail stays unresolved. NIS2 Art. 21(2)(e) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21, IR 2024/2690 Annex I \u00a76 (eur-lex), SS-EN ISO/IEC 27001:2023 A.8.8/A.8.25/A.8.28 (SIS). Amber: ENISA guidance. Gray: none load-bearing. No case-law rows; broadened results returned IR (EU) 2024/2690 Annex I \u00a76 (Security in acquisition/development/maintenance) \u2014 used as Blue anchor. case_law_unconfirmed: true. ENISA NIS2 Technical Implementation Guidance, 'SECURITY IN NETWORK AND INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE' section. Fetched. Publish a coordinated vulnerability disclosure channel (security.txt + CVD procedure), adopt secure-development rules for first-party TMS code per A.8.25/A.8.28, and add security requirements to system acquisition. SS-EN ISO/IEC 27001:2023 A.8.8 Management of technical vulnerabilities (LARGELY MET by \u00a78), A.8.25 Secure development life cycle (MISSING for first-party code), A.8.28 Secure coding (MISSING). Attribution: SIS-Reproduction-Licence. GDPR: applies indirectly (Art. 32 state-of-the-art maintenance). EU AI Act / CSRD / EN 301 549: not applicable. CRA: would apply to Baltika as software manufacturer once placed on the market with digital elements post-transition \u2014 flagged as forward-looking only, not assessed. NIS2: primary. True Policy \u00a78 (0.p19): monthly OS/dependency patch cycle, 72-hour patching of vendor-critical vulnerabilities, CI dependency scanning that blocks builds on known-critical findings. Maintenance-side vulnerability HANDLING is real and operational."
  },
  {
   "control_id": "Art.21.2.f",
   "control_title": "Policies and procedures to assess the effectiveness of cybersecurity risk-management measures",
   "compliance_level": "partial",
   "remediation": "Strengthen and complete controls for \u201cArt.21.2.f\u201d. Address the identified gap: No defined policy or procedure to assess whether the risk-management measures WORK: no security metrics/KPIs (ISO 27001 9.1 monitoring, measurement, analysis and evaluation), no internal audit programme, no management review with defined inputs (9.3.2 expects nonconformities, monitoring results, audit results), no penetration testing or control-testing cadence. ENISA guidance for Art. 21(2)(f) expects an established, implemented and applied policy assessing measure effectiveness. Reviewing the policy DOCUMENT annually is not assessing the MEASURES. Verdict: partial (weak). EE scope FAILED this pass ('EE temporarily unavailable', 22 servers). Fourth EE failure of the run; transposition detail stays unresolved. NIS2 Art. 21(2)(f) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21, IR 2024/2690 Annex I \u00a77 (eur-lex), SS-EN ISO/IEC 27001:2023 9.1/9.3.2 (SIS). Amber: ENISA guidance. Gray: none load-bearing. No case-law rows; broadened results = IR 2024/2690 Annex I \u00a77 (Blue anchor) + an off-topic REACH provision (not cited). case_law_unconfirmed: true. ENISA NIS2 Technical Implementation Guidance ('establish, implement and apply a policy and procedures to assess whether the cybersecurity risk-management measures\u2026') + ENISA ECSF/NIS2 roles mapping (risk assessment reports and remediation plans to assess and improve effectiveness). Both fetched. Define an effectiveness-assessment procedure: a small KPI set (patch latency, restore-test results, incident MTTR, training completion), an annual internal audit or control self-assessment, and a management review with the 9.3.2 input list. SS-EN ISO/IEC 27001:2023 9.1 Monitoring, measurement, analysis and evaluation (MISSING), 9.3.2 Management review inputs (PARTIAL: review exists, inputs undefined), internal audit 9.2 (MISSING \u2014 surfaced as 9.2.1 in the control-a fetch). Attribution: SIS-Reproduction-Licence. GDPR: applies \u2014 Art. 32(1)(d) requires 'a process for regularly testing, assessing and evaluating the effectiveness' of security measures; same gap. EU AI Act / CSRD / EN 301 549: not applicable. NIS2: primary (IR 2024/2690 Annex I \u00a77 details the requirement). True Policy \u00a72 (0.p7): management reviews and re-approves the policy annually or after any material incident; quarterly security reporting to management. \u00a712 (0.p27): exception register with approvals. These are governance touchpoints, not an effectiveness-assessment procedure."
  },
  {
   "control_id": "Art.21.2.h",
   "control_title": "Policies and procedures regarding the use of cryptography and encryption",
   "compliance_level": "partial",
   "remediation": "Strengthen and complete controls for \u201cArt.21.2.h\u201d. Address the identified gap: The at-rest commitment is conditional \u2014 'where technically feasible' is a weasel clause that makes the control unverifiable (IR 2024/2690 Annex I \u00a79 expects a policy 'ensuring adequate and effective use of cryptography'; ISO 27001 A.8.24 requires RULES for effective use of cryptography INCLUDING cryptographic key management). Key management is wholly delegated to the hosting provider with no requirements, no inventory of what is/isn't encrypted at rest, no algorithm/protocol baseline (TLS 1.2 floor is dated; no 1.3 preference stated). Verdict: partial. EE scope FAILED this pass ('EE temporarily unavailable', 22 servers). Sixth EE failure of the run; transposition detail stays unresolved. NIS2 Art. 21(2)(h) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21, IR 2024/2690 Annex I \u00a79 (eur-lex), SS-EN ISO/IEC 27001:2023 A.8.24 (SIS). Amber: Commission guidelines, ENISA IoT crypto practices. Gray: none load-bearing. No case-law rows; broadened results = IR 2024/2690 Annex I \u00a79 cryptography policy text (Blue anchor). case_law_unconfirmed: true. Commission NIS2 Art. 4 Guidelines (enumerating the cryptography measure) + MDCG 2019-16 mapping row (tangential, not load-bearing). Fetched. Replace 'where technically feasible' with a definitive at-rest encryption statement plus a documented exception list; add key-management rules (ownership, rotation, escrow) per A.8.24 \u2014 or contractual requirements on the provider; state an algorithm/protocol baseline with TLS 1.3 preferred. SS-EN ISO/IEC 27001:2023 A.8.24 Use of cryptography (PARTIAL: transit rules exist; key-management rules absent, at-rest conditional), A.5.23 cloud-services security (intersects \u2014 key management delegated without requirements, same finding as control d). Attribution: SIS-Reproduction-Licence. GDPR: applies directly \u2014 Art. 32(1)(a) names encryption of personal data; the conditional at-rest clause weakens the Art. 32 posture too. EU AI Act / CSRD / EN 301 549: not applicable. NIS2: primary. True Policy \u00a75 (0.p13): TLS 1.2+ for all customer data in transit; data at rest encrypted 'where the underlying hosting platform makes this technically feasible'; encryption keys for customer-facing services 'managed by the hosting provider'."
  },
  {
   "control_id": "Art.21.2.i",
   "control_title": "Human resources security, access control policies and asset management",
   "compliance_level": "partial",
   "remediation": "Strengthen and complete controls for \u201cArt.21.2.i\u201d. Address the identified gap: The third component \u2014 ASSET MANAGEMENT \u2014 is absent: no inventory of information and associated assets with owners (ISO 27001 A.5.9), no asset classification, no acceptable-use rules. Also no privileged-access-specific rules beyond the general least-privilege statement (A.8.2 expects restricted allocation of privileged rights). Verdict: partial (access control and HR strong, asset management missing). EE scope FAILED this pass ('EE temporarily unavailable', 22 servers). Seventh EE failure of the run; transposition detail stays unresolved. NIS2 Art. 21(2)(i) via get_provision NIS2:art_21, resolution_method=exact. Blue: NIS2:art_21 (eur-lex), SS-EN ISO/IEC 27001:2023 A.5.9/A.5.18/A.8.2 (SIS). Amber: NIS CG + ENISA guidance. Gray: none load-bearing. No on-point ruling (broadened rows: ENISA guidance + an unrelated batteries-regulation recital, not cited). case_law_unconfirmed: true. NIS Cooperation Group security measures ('should also address human resources security and have in place appropriate access control policies') + ENISA NIS2 Technical Implementation Guidance (access control in line with HR security procedures \u00a710.1). Both fetched. Create an asset inventory with named owners and classification (A.5.9) \u2014 for a 90-person SaaS this is a spreadsheet-day, not a programme; add privileged-access rules (A.8.2: separate admin accounts, JIT elevation where possible). SS-EN ISO/IEC 27001:2023 A.5.9 Inventory of information and other associated assets (MISSING), A.5.18 Access rights (MET by \u00a74), A.8.2 Privileged access rights (PARTIAL). Attribution: SIS-Reproduction-Licence. GDPR: applies (Art. 32 access control; Art. 30 records intersect asset inventory). EU AI Act / CSRD / EN 301 549: not applicable. DORA RTS 2024/1774 Art. 18 fetched as comparative shape only (financial-sector, not applicable to Baltika). NIS2: primary. True Access control \u2014 policy \u00a74 (0.p11): least privilege, role-based, quarterly reviews, next-business-day revocation on exit, password rules, no shared production accounts. HR security \u2014 \u00a710 (0.p23): confidentiality clauses, reference checks for production-access hires, offboarding with equipment return. Two of the measure's three components are genuinely covered."
  }
 ],
 "evidence_register": [
  {
   "document_id": "fe2dc6df-3a15-4d8e-bc98-df8f95f128a7",
   "title": "Untitled",
   "type": "documentary"
  },
  {
   "citation": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p7",
   "type": "authoritative"
  },
  {
   "citation": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p9",
   "type": "authoritative"
  },
  {
   "citation": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21",
   "type": "authoritative"
  },
  {
   "citation": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p15",
   "type": "authoritative"
  },
  {
   "citation": "https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance",
   "type": "authoritative"
  },
  {
   "citation": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p17",
   "type": "authoritative"
  },
  {
   "citation": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p25",
   "type": "authoritative"
  },
  {
   "citation": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p13",
   "type": "authoritative"
  },
  {
   "citation": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p19",
   "type": "authoritative"
  },
  {
   "citation": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p27",
   "type": "authoritative"
  },
  {
   "citation": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p21",
   "type": "authoritative"
  },
  {
   "citation": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p11",
   "type": "authoritative"
  },
  {
   "citation": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p23",
   "type": "authoritative"
  }
 ],
 "citation_provenance": [
  {
   "ref": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p7",
   "kind": "segment",
   "section_title": null,
   "text_preview": "The CEO holds ultimate accountability for information security. Day-to-day responsibility is delegated to the Head of En",
   "content_hash_at_submit": "896ae2bed39c683b69a1fdb2f915feef11877d82d2feb1b14e8e144b282286f9",
   "content_hash_now": "896ae2bed39c683b69a1fdb2f915feef11877d82d2feb1b14e8e144b282286f9",
   "drifted": false,
   "resolvable_now": true,
   "resolved_at_submit": "2026-07-11T18:17:43.139970+00:00"
  },
  {
   "ref": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p9",
   "kind": "segment",
   "section_title": null,
   "text_preview": "Baltika performs an information security risk assessment once per year, covering the TMS platform and corporate IT. Iden",
   "content_hash_at_submit": "414bf5bb5727c7f9f178f675882a1104a28256a1316770e28a9cbbd52fd521ea",
   "content_hash_now": "414bf5bb5727c7f9f178f675882a1104a28256a1316770e28a9cbbd52fd521ea",
   "drifted": false,
   "resolvable_now": true,
   "resolved_at_submit": "2026-07-11T18:17:43.139970+00:00"
  },
  {
   "ref": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj#art_21",
   "kind": "external_url",
   "drift_applicable": false
  },
  {
   "ref": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p15",
   "kind": "segment",
   "section_title": null,
   "text_preview": "Suspected security incidents must be reported to the security officer immediately. The security officer classifies incid",
   "content_hash_at_submit": "17e411fdc438c0dd504d95c5281b81576ec310a3ecc53a8ca1bc952a2bae5962",
   "content_hash_now": "17e411fdc438c0dd504d95c5281b81576ec310a3ecc53a8ca1bc952a2bae5962",
   "drifted": false,
   "resolvable_now": true,
   "resolved_at_submit": "2026-07-11T18:19:05.630899+00:00"
  },
  {
   "ref": "https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance",
   "kind": "external_url",
   "drift_applicable": false
  },
  {
   "ref": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p17",
   "kind": "segment",
   "section_title": null,
   "text_preview": "Production databases are backed up daily to a separate availability zone, with backups retained for 35 days. A restore t",
   "content_hash_at_submit": "fc9575de4319c6c6b13c13ff6e047ebb80ab929e3ab81dcee788972fd2ba5fde",
   "content_hash_now": "fc9575de4319c6c6b13c13ff6e047ebb80ab929e3ab81dcee788972fd2ba5fde",
   "drifted": false,
   "resolvable_now": true,
   "resolved_at_submit": "2026-07-11T18:20:16.670974+00:00"
  },
  {
   "ref": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p25",
   "kind": "segment",
   "section_title": null,
   "text_preview": "Baltika's office is access-controlled by keycard. Production infrastructure is hosted with a cloud provider certified to",
   "content_hash_at_submit": "6af302baf6a1a8509c7223733448f40a188695e2abe51670eda9f4c65e16b320",
   "content_hash_now": "6af302baf6a1a8509c7223733448f40a188695e2abe51670eda9f4c65e16b320",
   "drifted": false,
   "resolvable_now": true,
   "resolved_at_submit": "2026-07-11T18:21:29.436085+00:00"
  },
  {
   "ref": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p13",
   "kind": "segment",
   "section_title": null,
   "text_preview": "All data in transit between customers and the Baltika TMS platform is encrypted using TLS 1.2 or higher. Data at rest is",
   "content_hash_at_submit": "e26b9673e733068a15c1577a61cb7b6cf4425c6bd7f15ea048e552d8c26765c4",
   "content_hash_now": "e26b9673e733068a15c1577a61cb7b6cf4425c6bd7f15ea048e552d8c26765c4",
   "drifted": false,
   "resolvable_now": true,
   "resolved_at_submit": "2026-07-11T18:21:29.436085+00:00"
  },
  {
   "ref": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p19",
   "kind": "segment",
   "section_title": null,
   "text_preview": "Operating systems and third-party dependencies of the TMS platform are patched on a monthly cycle. Vulnerabilities rated",
   "content_hash_at_submit": "4d50cb0b973410b82b0641e523e19d344e055d1644661cf261e9b5aca1a3909d",
   "content_hash_now": "4d50cb0b973410b82b0641e523e19d344e055d1644661cf261e9b5aca1a3909d",
   "drifted": false,
   "resolvable_now": true,
   "resolved_at_submit": "2026-07-11T18:22:35.630089+00:00"
  },
  {
   "ref": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p27",
   "kind": "segment",
   "section_title": null,
   "text_preview": "Deviations from this policy require a written, time-limited exception approved by the security officer and recorded in t",
   "content_hash_at_submit": "372a56c1133157a007b1952ddd7094e2ac9fe4aa8cded41dee649ed786d207c4",
   "content_hash_now": "372a56c1133157a007b1952ddd7094e2ac9fe4aa8cded41dee649ed786d207c4",
   "drifted": false,
   "resolvable_now": true,
   "resolved_at_submit": "2026-07-11T18:23:53.017268+00:00"
  },
  {
   "ref": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p21",
   "kind": "segment",
   "section_title": null,
   "text_preview": "All staff complete security awareness training at onboarding and annually thereafter, covering phishing, password hygien",
   "content_hash_at_submit": "403e1ec1aa6e952b08f975aa688162c5e1cc41270083b06fbcec1cc47ac3471c",
   "content_hash_now": "403e1ec1aa6e952b08f975aa688162c5e1cc41270083b06fbcec1cc47ac3471c",
   "drifted": false,
   "resolvable_now": true,
   "resolved_at_submit": "2026-07-11T18:24:59.618716+00:00"
  },
  {
   "ref": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p11",
   "kind": "segment",
   "section_title": null,
   "text_preview": "Access to production systems and customer data follows the principle of least privilege and is role-based. Access rights",
   "content_hash_at_submit": "179416fc27789bd39eb83a057a44bf83ac142d6070876c96c08684a074db486d",
   "content_hash_now": "179416fc27789bd39eb83a057a44bf83ac142d6070876c96c08684a074db486d",
   "drifted": false,
   "resolvable_now": true,
   "resolved_at_submit": "2026-07-11T18:24:59.618716+00:00"
  },
  {
   "ref": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p23",
   "kind": "segment",
   "section_title": null,
   "text_preview": "Employment contracts include confidentiality obligations. References are checked for all hires with production access. O",
   "content_hash_at_submit": "dad3617f2238b78bed545962958de920e14f986b83a06e8618d4e868f51a0f03",
   "content_hash_now": "dad3617f2238b78bed545962958de920e14f986b83a06e8618d4e868f51a0f03",
   "drifted": false,
   "resolvable_now": true,
   "resolved_at_submit": "2026-07-11T18:27:11.786893+00:00"
  },
  {
   "ref": "doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7",
   "kind": "document",
   "document_title": "baltika-information-security-policy.md",
   "drift_applicable": false,
   "resolved_at_submit": "2026-07-11T18:13:48.452691+00:00"
  }
 ],
 "citation_integrity": {
  "title": "Citation Integrity",
  "summary": {
   "total_findings": 10,
   "findings_with_attribution": 0,
   "findings_attribution_missing": 10,
   "missing_ratio": 1.0,
   "refusal_threshold": 0.1,
   "report_refused": true
  },
  "explanation": "Every finding citing downloaded third-party content carries a source attribution triple (source_url, publisher, license) inherited from the gateway response. Findings flagged below cite content where the upstream gateway item did not provide a complete triple. Treat them as needing manual attribution review before publishing externally.",
  "flagged_findings": [
   "Art.21.2.a",
   "Art.21.2.b",
   "Art.21.2.c",
   "Art.21.2.d",
   "Art.21.2.e",
   "Art.21.2.f",
   "Art.21.2.g",
   "Art.21.2.h",
   "Art.21.2.i",
   "Art.21.2.j"
  ],
  "refused_reason": "attribution_missing rate 100% exceeds refusal threshold 10%; 10 of 10 findings lack the source attribution triple"
 }
}