No tracking. No cookie wall.·EU-hosted (Hetzner) · Cloudflare edge under SCCs
Use casesSecurity

NIS2 gap analysis with the policy attached — ISO 27001 via SIS in the loop

Your CISO uploads the company's information-security policy and asks for a NIS2 Article 21 gap analysis. The server-enforced workflow pairs every Art. 21(2) measure against the actual policy paragraphs (hash-anchored), maps each to licensed ISO/IEC 27001 clauses fetched from SIS during the run, and marks what it could not verify instead of guessing.

Citations8
Tool calls18
Captured withclaude-fable-5

How the gateway answered

Captured 11 July 2026 — a point-in-time run; corpora and tools have been updated since.

Editor's note. Baltika Freight Systems OÜ is fictional; its policy was authored as the subject fixture for this capture (downloadable above) with deliberate control gaps. The gateway calls, the workflow's quality gates, every regulatory and SIS-licensed standards row, the doc:// paragraph hashes, and the rendered report are the real session output. Two run artifacts kept honest rather than edited out: the Estonian corpus was unavailable for 8 of 10 sector passes (findings say so instead of assuming the transposition), and the first control submission was rejected by the server's evidence-envelope gate before being accepted in the correct shape. ISO 27001 clause text was served into the session but appears here as identifiers only — the SIS licence scopes reproduced text to customers via the gateway, not public pages.
Captured sessionclaude-fable-5 · company tier · gateway.ansvar.eu
You

Run a NIS2 gap analysis for Baltika Freight Systems OÜ (fictional, 90-person Estonian logistics SaaS, important entity) against the attached Information Security Policy POL-BLTK-2026-02 v2.1. Assess every Article 21(2) measure, map to ISO/IEC 27001, jurisdictions EU + EE.

Ansvar gateway — 18 tool calls
register_document_init(filename="baltika-information-security-policy.md" mime_type="text/markdown" file_size=4330)presigned PUT issued; document_id fe2dc6df…, short code DOC-6DCN
register_document_finalize(document_id="fe2dc6df-3a15-4d8e-bc98-df8f95f128a7")status=ready; source SHA-256 9d2b8e4a752c0841… matches the local file byte-for-byte
get_document_segments(document_id="fe2dc6df-3a15-4d8e-bc98-df8f95f128a7")27 paragraph segments, each with char range + content SHA-256 — the doc:// anchors cited in the findings
start_workflow(workflow_type="gap_analysis_nis2" jurisdictions=[EU, EE])workflow 63f045b3… started; server-enforced scoping gates (entity classification: important entity; jurisdictions; scope review) each required explicit confirmation before controls loaded
register_document(workflow_id="63f045b3…" document_id="fe2dc6df…" role="evidence")policy bound as evidence at document_collection.request_policies
submit_response(step_id="control_assessment.Art.21.2.a" compliance_level="partial")accepted — each control step declares 6 fetches (provision, own-article, horizontal, sector, case-law, guidance) the quality gate verifies per key; + SIS 27001 clause fetch. First submit was REJECTED (fetched_data_envelope_invalid) until every key carried {status, results[]} — the gate is real
Show all 18 tool calls
submit_response(step_id="control_assessment.Art.21.2.b" compliance_level="largely_compliant")accepted — internal handling solid; no authority chain, no exercises (caveat kept in report)
submit_response(step_id="control_assessment.Art.21.2.c" compliance_level="partial")accepted — backups real; no crisis organisation, no RTO/RPO; ISO A.5.30 tested-readiness unmet
submit_response(step_id="control_assessment.Art.21.2.d" compliance_level="not_implemented")accepted — supply chain absent entirely; A.5.19/A.5.22/A.5.23 unaddressed; keys delegated to provider with no contract terms
submit_response(step_id="control_assessment.Art.21.2.e" compliance_level="partial")accepted — patching + CI scanning real; no vulnerability-disclosure channel (the measure names disclosure explicitly)
submit_response(step_id="control_assessment.Art.21.2.f" compliance_level="partial")accepted — annual policy re-approval ≠ assessing measure effectiveness; no metrics or audit (9.1/9.3.2)
submit_response(step_id="control_assessment.Art.21.2.g" compliance_level="largely_compliant")accepted — training + hygiene solid; management-body training missing (NIS2 Art. 20(2))
submit_response(step_id="control_assessment.Art.21.2.h" compliance_level="partial")accepted — 'where technically feasible' at-rest clause unverifiable; no key-management rules (A.8.24)
submit_response(step_id="control_assessment.Art.21.2.i" compliance_level="partial")accepted — access control + HR genuinely covered; asset management absent (A.5.9)
submit_response(step_id="control_assessment.Art.21.2.j" compliance_level="not_implemented")accepted — MFA appears nowhere in the policy; password-only production access
submit_response(step_id="findings_review.assessment_review")register approved by the capture author; fictional-sample status and pending senior review recorded verbatim in the audit trail
submit_response(step_id="red_team.adversarial_review")all 5 probes run — material finding: Art. 23 reporting had no register row; the 72h customer-only notification would breach the 24h/72h/1-month authority chain. Recorded as out-of-register finding
generate_report(workflow_id="63f045b3…" format="all")report assembled server-side from stored step data (10 findings, remediation roadmap, evidence register, citation provenance); PDF/HTML/DOCX rendered, SHA-256 verified on download
Cited answer

NIS2 gap analysis — Baltika Freight Systems OÜ (fictional), policy attached

Run: gap_analysis_nis2 server-enforced workflow · Scope: NIS2 Art. 21(2)(a)–(j), jurisdictions EU + EE · Subject: Information Security Policy POL-BLTK-2026-02 v2.1, uploaded and paragraph-segmented (source SHA-256 9d2b8e4a…a84f12) · Standards dimension: SS-EN ISO/IEC 27001:2023, licensed clause rows fetched from SIS during the run · Client is fictional; every regulatory and standards row is real, fetched this session.

The attached policy is the organisation's only security governance document. The workflow classified Baltika as an important entity (transport-logistics SaaS, 90 people, Estonia), bound the policy as evidence, then assessed each Article 21(2) measure through five enrichment passes — primary provision, horizontal regimes, sector routing, case law, authority guidance — plus an ISO/IEC 27001 control mapping from the SIS-licensed corpus.

Verdict register

Art. 21(2)MeasurePolicy anchorVerdict
(a)Risk analysis & infosec policies§2 [1], §3 [2]Partial — policy approved, but no risk methodology or acceptance criteria (ISO 27001 6.1.2); annual-only cadence (8.2)
(b)Incident handling§6 [5]Largely compliant — report → classify (4 h) → respond → post-incident review; caveat: no authority chain, …

Every claim traces to a source you can open

A typical AI assistant invents a citation that looks plausible. Ansvar retrieves the real one. Every finding above rests on one of these 8 sources — official legislation, guidance from standards bodies or regulators, and standards clause maps — linked wherever the source is publicly reachable; catalog rows served through the gateway are quoted as fetched. No citation is fabricated — every source was retrieved through Ansvar and can be checked.

Run this on your own data

This is available as a service: Compliance Gap Analysis. Bring your own documents and scope, and we'll run it end-to-end — every finding cited and validated by the expert who delivers it.

Read the full sample deliverable: Sample NIS2 gap analysis.