NIS2 gap analysis with the policy attached — ISO 27001 via SIS in the loop
Your CISO uploads the company's information-security policy and asks for a NIS2 Article 21 gap analysis. The server-enforced workflow pairs every Art. 21(2) measure against the actual policy paragraphs (hash-anchored), maps each to licensed ISO/IEC 27001 clauses fetched from SIS during the run, and marks what it could not verify instead of guessing.
How the gateway answered
Captured 11 July 2026 — a point-in-time run; corpora and tools have been updated since.
Run a NIS2 gap analysis for Baltika Freight Systems OÜ (fictional, 90-person Estonian logistics SaaS, important entity) against the attached Information Security Policy POL-BLTK-2026-02 v2.1. Assess every Article 21(2) measure, map to ISO/IEC 27001, jurisdictions EU + EE.
register_document_init(filename="baltika-information-security-policy.md" mime_type="text/markdown" file_size=4330)→ presigned PUT issued; document_id fe2dc6df…, short code DOC-6DCNregister_document_finalize(document_id="fe2dc6df-3a15-4d8e-bc98-df8f95f128a7")→ status=ready; source SHA-256 9d2b8e4a752c0841… matches the local file byte-for-byteget_document_segments(document_id="fe2dc6df-3a15-4d8e-bc98-df8f95f128a7")→ 27 paragraph segments, each with char range + content SHA-256 — the doc:// anchors cited in the findingsstart_workflow(workflow_type="gap_analysis_nis2" jurisdictions=[EU, EE])→ workflow 63f045b3… started; server-enforced scoping gates (entity classification: important entity; jurisdictions; scope review) each required explicit confirmation before controls loadedregister_document(workflow_id="63f045b3…" document_id="fe2dc6df…" role="evidence")→ policy bound as evidence at document_collection.request_policiessubmit_response(step_id="control_assessment.Art.21.2.a" compliance_level="partial")→ accepted — each control step declares 6 fetches (provision, own-article, horizontal, sector, case-law, guidance) the quality gate verifies per key; + SIS 27001 clause fetch. First submit was REJECTED (fetched_data_envelope_invalid) until every key carried {status, results[]} — the gate is realShow all 18 tool calls
submit_response(step_id="control_assessment.Art.21.2.b" compliance_level="largely_compliant")→ accepted — internal handling solid; no authority chain, no exercises (caveat kept in report)submit_response(step_id="control_assessment.Art.21.2.c" compliance_level="partial")→ accepted — backups real; no crisis organisation, no RTO/RPO; ISO A.5.30 tested-readiness unmetsubmit_response(step_id="control_assessment.Art.21.2.d" compliance_level="not_implemented")→ accepted — supply chain absent entirely; A.5.19/A.5.22/A.5.23 unaddressed; keys delegated to provider with no contract termssubmit_response(step_id="control_assessment.Art.21.2.e" compliance_level="partial")→ accepted — patching + CI scanning real; no vulnerability-disclosure channel (the measure names disclosure explicitly)submit_response(step_id="control_assessment.Art.21.2.f" compliance_level="partial")→ accepted — annual policy re-approval ≠ assessing measure effectiveness; no metrics or audit (9.1/9.3.2)submit_response(step_id="control_assessment.Art.21.2.g" compliance_level="largely_compliant")→ accepted — training + hygiene solid; management-body training missing (NIS2 Art. 20(2))submit_response(step_id="control_assessment.Art.21.2.h" compliance_level="partial")→ accepted — 'where technically feasible' at-rest clause unverifiable; no key-management rules (A.8.24)submit_response(step_id="control_assessment.Art.21.2.i" compliance_level="partial")→ accepted — access control + HR genuinely covered; asset management absent (A.5.9)submit_response(step_id="control_assessment.Art.21.2.j" compliance_level="not_implemented")→ accepted — MFA appears nowhere in the policy; password-only production accesssubmit_response(step_id="findings_review.assessment_review")→ register approved by the capture author; fictional-sample status and pending senior review recorded verbatim in the audit trailsubmit_response(step_id="red_team.adversarial_review")→ all 5 probes run — material finding: Art. 23 reporting had no register row; the 72h customer-only notification would breach the 24h/72h/1-month authority chain. Recorded as out-of-register findinggenerate_report(workflow_id="63f045b3…" format="all")→ report assembled server-side from stored step data (10 findings, remediation roadmap, evidence register, citation provenance); PDF/HTML/DOCX rendered, SHA-256 verified on downloadNIS2 gap analysis — Baltika Freight Systems OÜ (fictional), policy attached
Run: gap_analysis_nis2 server-enforced workflow · Scope: NIS2 Art. 21(2)(a)–(j), jurisdictions EU + EE · Subject: Information Security Policy POL-BLTK-2026-02 v2.1, uploaded and paragraph-segmented (source SHA-256 9d2b8e4a…a84f12) · Standards dimension: SS-EN ISO/IEC 27001:2023, licensed clause rows fetched from SIS during the run · Client is fictional; every regulatory and standards row is real, fetched this session.
The attached policy is the organisation's only security governance document. The workflow classified Baltika as an important entity (transport-logistics SaaS, 90 people, Estonia), bound the policy as evidence, then assessed each Article 21(2) measure through five enrichment passes — primary provision, horizontal regimes, sector routing, case law, authority guidance — plus an ISO/IEC 27001 control mapping from the SIS-licensed corpus.
Verdict register
| Art. 21(2) | Measure | Policy anchor | Verdict |
|---|---|---|---|
| (a) | Risk analysis & infosec policies | §2 [1], §3 [2] | Partial — policy approved, but no risk methodology or acceptance criteria (ISO 27001 6.1.2); annual-only cadence (8.2) |
| (b) | Incident handling | §6 [5] | Largely compliant — report → classify (4 h) → respond → post-incident review; caveat: no authority chain, … |
Every claim traces to a source you can open
A typical AI assistant invents a citation that looks plausible. Ansvar retrieves the real one. Every finding above rests on one of these 8 sources — official legislation, guidance from standards bodies or regulators, and standards clause maps — linked wherever the source is publicly reachable; catalog rows served through the gateway are quoted as fetched. No citation is fabricated — every source was retrieved through Ansvar and can be checked.
- NIS2 (Directive (EU) 2022/2555) Art. 21 — Cybersecurity risk-management measures (canonical ref NIS2:art_21; also Art. 20(2), Art. 23 via the same instrument)EU · regulation · eur-lex.europa.eu
- Commission Implementing Regulation (EU) 2024/2690, Annex I — technical and methodological requirements per Art. 21(2) measureEU · regulation · eur-lex.europa.eu
- SS-EN ISO/IEC 27001:2023 — 21 clause/control rows fetched from the SIS-licensed corpus (6.1.2, 6.2, 8.2, 9.1, 9.2.1, 9.3.2, 7.3, A.5.9, A.5.18, A.5.19, A.5.22, A.5.23, A.5.24, A.5.30, A.6.3, A.8.2, A.8.5, A.8.8, A.8.24, A.8.25, A.8.28); clause text served in-session, elided on this public page per the SIS licenceSE · standard · sis.se
- ENISA — NIS2 Technical Implementation Guidance (incident handling, BC/CM, acquisition & development, hygiene, effectiveness, MFA sections)EU · guidance · enisa.europa.eu
- ENISA — Cybersecurity roles and skills for NIS2 essential and important entitiesEU · guidance · enisa.europa.eu
- NIS Cooperation Group — security measures guidance (supply-chain security policy; HR security & access control)EU · guidance · digital-strategy.ec.europa.eu
- European Commission (DG CONNECT) — Guidelines on the application of Article 4(1) and (2) of Directive (EU) 2022/2555EU · guidance · digital-strategy.ec.europa.eu
- ENISA Threat Landscape 2025 — §10.5 Access & Privilege (MFA as counter to credential misuse)EU · guidance · enisa.europa.eu
Run this on your own data
This is available as a service: Compliance Gap Analysis. Bring your own documents and scope, and we'll run it end-to-end — every finding cited and validated by the expert who delivers it.
Read the full sample deliverable: Sample NIS2 gap analysis.