Network and Information Security Directive 2
NIS2 Compliance Cockpit
Article-by-article visibility. Not a spreadsheet.
NIS2 Art. 21 defines ten minimum security measures every covered entity must implement. The Compliance Cockpit maps your organization’s controls against these measures continuously – drawing on live data from across the platform.
What it covers:
- Art. 21 measure-by-measure gap analysis: policies, access control, incident handling, BCM, supply chain, encryption, HR security, MFA, asset management, vulnerability management
- Control status updated automatically as underlying records change – risk register, incident log, vendor assessments, BIA
- Board reporting package: NIS2 Art. 20 requires management bodies to approve security measures and oversee implementation. The Cockpit produces the governance evidence trail
- Regulator-ready export for CSIRT, sector supervisor, and internal audit
NIS2 Supply Chain Risk
NIS2 explicitly requires covered entities to address cybersecurity in their supply chain – including security practices of direct suppliers and service providers. This is not a checkbox. Supervisors are asking for evidence of ongoing supplier assessment, not a one-time due diligence exercise.
What BCMLogic Next manages:
- Supplier cybersecurity assessment: structured questionnaires aligned with ENISA guidelines on ICT supply chain security
- Criticality classification: which suppliers affect essential services, which handle sensitive data, which have access to your infrastructure
- Continuous monitoring: assessment status, contract review dates, identified gaps, remediation tracking – all in one register
- Subcontractor visibility: who your critical suppliers depend on, and whether those dependencies introduce concentration risk
- Integration with the Compliance Cockpit: supply chain gaps automatically reflected in your Art. 21 compliance posture
NIS2 Incident Reporting
24 hours to notify. 72 hours for the initial report. 1 month for the final report. The clock starts immediately.
NIS2 Art. 23 introduces strict incident notification timelines. An early warning to the relevant CSIRT within 24 hours of becoming aware of a significant incident. An initial notification within 72 hours. A final report within one month. Missing these deadlines is itself a reportable failure.
BCMLogic Next automates the reporting workflow from detection to submission.
How it works:
- Incident classification engine: AI-assisted triage against NIS2 significance thresholds – impact on service continuity, number of affected users, financial loss, reputational damage
- Automatic timeline tracking: from first detection, the system tracks each reporting deadline and alerts responsible owners
- Structured notification templates: pre-filled with incident data already in the system, aligned with ENISA reporting format and national CSIRT requirements
- Escalation logic: incidents that cross significance thresholds trigger an automatic notification workflow to the CISO and the designated NIS2 reporting officer
- Full audit trail: every classification decision, every notification, every status change – timestamped and signed