# NIS2 gap analysis — Baltika Freight Systems OÜ (fictional), policy attached

**Run:** `gap_analysis_nis2` server-enforced workflow · **Scope:** NIS2 Art. 21(2)(a)–(j), jurisdictions EU + EE · **Subject:** Information Security Policy POL-BLTK-2026-02 v2.1, uploaded and paragraph-segmented (source SHA-256 `9d2b8e4a…a84f12`) · **Standards dimension:** SS-EN ISO/IEC 27001:2023, licensed clause rows fetched from SIS during the run · **Client is fictional; every regulatory and standards row is real, fetched this session.**

The attached policy is the organisation's only security governance document. The workflow classified Baltika as an **important entity** (transport-logistics SaaS, 90 people, Estonia), bound the policy as evidence, then assessed each Article 21(2) measure through five enrichment passes — primary provision, horizontal regimes, sector routing, case law, authority guidance — plus an ISO/IEC 27001 control mapping from the SIS-licensed corpus.

## Verdict register

| Art. 21(2) | Measure | Policy anchor | Verdict |
|---|---|---|---|
| (a) | Risk analysis & infosec policies | §2 [1], §3 [2] | **Partial** — policy approved, but no risk methodology or acceptance criteria (ISO 27001 6.1.2); annual-only cadence (8.2) |
| (b) | Incident handling | §6 [5] | **Largely compliant** — report → classify (4 h) → respond → post-incident review; caveat: no authority chain, no exercises, single-role dependency |
| (c) | Business continuity & crisis management | §7 [6] | **Partial** — daily backups + runbook, but no crisis organisation, no RTO/RPO, annual-only restore test (A.5.30 expects *tested* readiness) |
| (d) | Supply chain security | — (§11 [10] only names a "certified" cloud provider) | **Not implemented** — no supplier inventory, no flowed-down requirements, key management delegated with no contract terms (A.5.19, A.5.22, A.5.23) |
| (e) | Secure acquisition, development & maintenance | §8 [7] | **Partial** — real patching + CI scanning; no vulnerability *disclosure* channel, no first-party secure-development rules (A.8.25, A.8.28) |
| (f) | Effectiveness assessment | §2 [1], §12 | **Partial** — annual policy re-approval is not measure testing; no metrics, no internal audit (9.1, 9.3.2) |
| (g) | Cyber hygiene & training | §9 [8], §4 [3] | **Largely compliant** — onboarding + annual training, password discipline; management-body training missing (NIS2 Art. 20(2)) |
| (h) | Cryptography & encryption | §5 [4] | **Partial** — TLS 1.2+ in transit is firm; at-rest "where technically feasible" is unverifiable, key-management rules absent (A.8.24) |
| (i) | HR security, access control, asset management | §4 [3], §10 [9] | **Partial** — access control and HR security genuinely covered; **asset management absent** (A.5.9) |
| (j) | MFA & secured communications | — | **Not implemented** — MFA appears nowhere; password-only production access; no out-of-band emergency channel (A.8.5) |

**0 fully compliant · 2 largely compliant · 6 partial · 2 not implemented.**

## The two findings that matter most

**Supply chain security is absent, not weak — Art. 21(2)(d).** The directive names "security-related aspects concerning the relationships between each entity and its direct suppliers" as a minimum measure, and Art. 21(3) requires weighing each supplier's vulnerabilities. Baltika's policy answers with one sentence about a "certified" cloud provider [10] — while §5 quietly hands that same provider the encryption keys with no contractual security requirement [4]. NIS Cooperation Group guidance expects the policy to "identify the entity's role in the supply chain and state network and information security requirements accordingly to direct suppliers". Three ISO 27001 controls fetched from the SIS corpus this run (A.5.19, A.5.22, A.5.23) are all unaddressed.

**Password-only production access — Art. 21(2)(j).** The policy's password rules are good [3] — and stop there. MFA appears nowhere in the document. For staff holding production access to customer freight data, MFA is squarely inside "where appropriate": ENISA's NIS2 implementation guidance expects access "governed through strong logical access controls, such as multi-factor authentication", and its 2025 threat landscape names MFA as the counter to the dominant intrusion vector. This is the highest-impact, lowest-cost fix in the register.

## Out-of-register finding: Article 23 reporting

The adversarial-review stage flagged what the register alone would have missed: §6 notifies **customers** within 72 hours [5] — and nobody else. NIS2 Art. 23 requires an early warning to the CSIRT or competent authority within **24 hours**, an incident notification within **72 hours**, and a final report within one month. Baltika could handle an incident competently end-to-end and still breach the directive by never telling the authority. No compliant notification chain exists in the document.

## What stayed unresolved — marked, not papered over

The Estonian corpus was unavailable for **8 of 10** sector-routing passes in this run ("EE temporarily unavailable"), so the Estonian transposition (küberturvalisuse seadus / E-ITS baseline) was **not verified against fetched text**. Every affected control carries that status instead of an assumed answer, and no case-law pass returned an on-point ruling (`case_law_unconfirmed` on all ten controls — never substituted with fabricated authority).

## The ISO 27001 dimension — licensed, fetched, attributed

Twenty-one clause and control rows of **SS-EN ISO/IEC 27001:2023** were fetched during the run from the SIS-licensed corpus (`sources=['sis-27001']`) and drove the per-control mappings above — among them 6.1.2 and 8.2 (risk assessment), 9.1/9.3.2 (effectiveness), A.5.9 (asset inventory), A.5.19/A.5.22/A.5.23 (suppliers and cloud), A.5.24 (incident planning), A.5.30 (ICT readiness), A.8.5 (secure authentication), A.8.8 (technical vulnerabilities), A.8.24 (cryptography), A.8.25/A.8.28 (secure development). The clause text itself was served into the session and is reproduced here only by identifier and title: under the SIS licence, reproduced standard text reaches logged-in customers through the gateway, not public pages.

> This text has been reproduced from Standard SS-EN ISO/IEC 27001:2023 with the due permission for Ansvar Systems AB from the Swedish Institute for Standards, which is the owner and copyright holder of the Standard and also sells the complete Standard at www.sis.se, Tel: +46 (0)8 555 523 10.

## Where to start

1. **Mandate MFA** on production, admin, and remote access — days, not weeks (j).
2. **Author the supplier-security policy**: inventory, minimum requirements per supplier, contractual clauses incl. key management, annual review (d).
3. **Add the Art. 23 notification chain** to §6: 24 h early warning → 72 h notification → 1-month final report, with the competent authority named.
4. Define RTO/RPO and a crisis-management role set; test beyond annually (c).
5. Replace "where technically feasible" with a definitive at-rest encryption statement plus a documented exception list (h).

## References

Uploaded document (paragraph-level, tamper-evident — cite-checkable via `resolve_document_segment`):

1. `doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p7` — §2 Governance — hash `896ae2bed39c683b69a1fdb2f915feef11877d82d2feb1b14e8e144b282286f9`
2. `doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p9` — §3 Risk management — hash `414bf5bb5727c7f9f178f675882a1104a28256a1316770e28a9cbbd52fd521ea`
3. `doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p11` — §4 Access control — hash `179416fc27789bd39eb83a057a44bf83ac142d6070876c96c08684a074db486d`
4. `doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p13` — §5 Cryptography — hash `e26b9673e733068a15c1577a61cb7b6cf4425c6bd7f15ea048e552d8c26765c4`
5. `doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p15` — §6 Incident management — hash `17e411fdc438c0dd504d95c5281b81576ec310a3ecc53a8ca1bc952a2bae5962`
6. `doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p17` — §7 Business continuity — hash `fc9575de4319c6c6b13c13ff6e047ebb80ab929e3ab81dcee788972fd2ba5fde`
7. `doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p19` — §8 Vulnerability management — hash `4d50cb0b973410b82b0641e523e19d344e055d1644661cf261e9b5aca1a3909d`
8. `doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p21` — §9 Training — hash `403e1ec1aa6e952b08f975aa688162c5e1cc41270083b06fbcec1cc47ac3471c`
9. `doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p23` — §10 HR security — hash `dad3617f2238b78bed545962958de920e14f986b83a06e8618d4e868f51a0f03`
10. `doc://fe2dc6df-3a15-4d8e-bc98-df8f95f128a7/segment/paragraph/0.p25` — §11 Physical security — hash `6af302baf6a1a8509c7223733448f40a188695e2abe51670eda9f4c65e16b320`

Regulatory and standards sources (fetched through the gateway this run): NIS2 Art. 21 · Implementing Regulation (EU) 2024/2690 Annex I · SS-EN ISO/IEC 27001:2023 (SIS) · ENISA NIS2 Technical Implementation Guidance · ENISA roles & skills for NIS2 entities · NIS Cooperation Group security measures · Commission Art. 4 Guidelines · ENISA Threat Landscape 2025 — full list with URLs in the citations panel.

The fictional subject policy is downloadable: [baltika-information-security-policy.md](/use-cases/baltika-information-security-policy.md). The branded report renders (PDF/DOCX) were produced by the workflow's own `generate_report` step, SHA-256-verified on download.
