Article 21 Controls → Enginsight Mapping
Complete mapping of all 10 NIS2 Article 21 security requirements to Enginsight platform modules and the audit-ready evidence each produces. Use this as your compliance roadmap.
| NIS2 Requirement | What It Means | Enginsight Module(s) | Evidence Output |
|---|---|---|---|
| Risk analysis and information system security policies | Continuous risk assessment and policy documentation | ObserverWatchdog | Risk Score Dashboard, Policy Audit Trail |
| Incident handling | Detection, response, and recovery procedures | Verity SIEMActive Shield | Incident Timeline, Forensic Trace Pack |
| Business continuity and crisis management | Backup management and disaster recovery | WatchdogObserver | System Status Reports, Availability Logs |
| Supply chain security | Third-party risk and access controls | Network ShieldPulsar Agent | Supplier Access Logs, Segmentation Evidence |
| Security in network and information systems acquisition | Secure development and maintenance | HacktorObserver | Vulnerability Scan Reports, Remediation Trail |
| Vulnerability handling and disclosure | CVE detection and patching workflows | ObserverHacktor | CVE Register, Patch Status Reports |
| Policies and procedures for cryptography | Encryption standards and key management | ObserverPulsar Agent | Encryption Compliance Reports |
| Human resources security | Access control and personnel security | Pulsar AgentVerity SIEM | User Access Logs, Privilege Reports |
| Access control policies | Least privilege and role-based access | Network ShieldVerity SIEM | Access Control Matrices, Audit Logs |
| Multi-factor authentication | Secure authentication mechanisms | Pulsar AgentObserver | MFA Compliance Reports |
| Secure communications | Encrypted voice, video, and text | Network ShieldObserver | Communication Security Audit |
| Secure emergency communications | Resilient backup communication systems | WatchdogVerity SIEM | Emergency System Status Logs |
Article 21(2)(a): Risk Analysis & Policies
Organisations must conduct continuous risk assessments and maintain documented information security policies aligned with business objectives.
Enginsight Evidence: Watchdog discovers all IT assets and generates risk scoring dashboards; Observer logs all policy-related configuration changes.
Evidence Output: Risk Score Dashboard, Policy Audit Trail, Asset Inventory Report
Implementation: 2-4 weeks
Article 21(2)(b): Incident Response
Organisations must establish incident detection, response, and recovery procedures, with ability to report within 24 hours of detection.
Enginsight Evidence: Verity SIEM correlates security events; Active Shield provides IDS/IPS data; automated incident timeline generation.
Evidence Output: Incident Timeline, Forensic Trace Pack, Event Correlation Reports
Implementation: 3-6 weeks
Article 21(2)(c): Business Continuity
Organisations must maintain backup and recovery procedures to ensure availability and timely recovery of systems and data.
Enginsight Evidence: Watchdog monitors backup success rates and recovery readiness; Observer tracks system availability and patch status.
Evidence Output: System Status Reports, Availability Logs, Recovery Test Results
Implementation: 2-3 weeks
Article 21(2)(d): Supply Chain Security
Organisations must identify and manage cybersecurity risks related to third-party suppliers and service providers.
Enginsight Evidence: Network Shield maps supplier access points and data flows; Pulsar Agent monitors third-party activity; segmentation audits.
Evidence Output: Supplier Access Logs, Segmentation Evidence, Third-Party Risk Assessment
Implementation: 4-8 weeks (depends on complexity)
Article 21(2)(e): Security in Acquisitions
Organisations must ensure cybersecurity is embedded in system acquisition, development, and maintenance processes.
Enginsight Evidence: Hacktor performs automated pentesting and vulnerability assessment; Observer scans for insecure configurations.
Evidence Output: Vulnerability Scan Reports, Remediation Trail, Secure Code Assessment
Implementation: 3-5 weeks
Article 21(2)(f): Vulnerability Management
Organisations must establish procedures for identifying, evaluating, and remediating vulnerabilities and exposures.
Enginsight Evidence: Observer continuously scans for CVEs and misconfigurations; Hacktor generates detailed vulnerability assessments.
Evidence Output: CVE Register, Patch Status Reports, Vulnerability Scorecard
Implementation: 2-4 weeks
Article 21(2)(g): Cryptography Policies
Organisations must establish policies on the use of cryptography to protect confidentiality, authenticity, and integrity of data.
Enginsight Evidence: Observer audits encryption standards and key management; Verity SIEM monitors encrypted traffic.
Evidence Output: Encryption Compliance Reports, Key Management Audit Trail
Implementation: 3-4 weeks
Article 21(2)(h): Human Resources Security
Organisations must enforce personnel security measures including access control, role-based permissions, and privilege management.
Enginsight Evidence: Pulsar Agent monitors user activity and privilege escalation; Verity SIEM logs all access events.
Evidence Output: User Access Logs, Privilege Escalation Reports, HR Security Audit
Implementation: 2-3 weeks
Article 21(2)(i): Access Control Policies
Organisations must enforce least-privilege access controls and maintain audit logs of all access decisions.
Enginsight Evidence: Network Shield enforces micro-segmentation; Verity SIEM audits all access events; Pulsar Agent monitors compliance.
Evidence Output: Access Control Matrices, Segmentation Audit Reports, Least-Privilege Compliance
Implementation: 4-6 weeks
Article 21(2)(j): Authentication & MFA
Organisations must enforce multi-factor authentication and secure authentication mechanisms for all users and services.
Enginsight Evidence: Pulsar Agent enforces MFA policies; Observer audits authentication logs; FIM monitors policy changes.
Evidence Output: MFA Compliance Reports, Authentication Audit Trail, Failed Login Analysis
Implementation: 2-4 weeks
See How Your Organisation Maps
Take our scorecard to identify which Article 21 controls you're missing and get personalised module recommendations.