Article 21 Controls → Enginsight Mapping

Complete mapping of all 10 NIS2 Article 21 security requirements to Enginsight platform modules and the audit-ready evidence each produces. Use this as your compliance roadmap.

Filter by sector:
NIS2 RequirementWhat It MeansEnginsight Module(s)Evidence Output
Risk analysis and information system security policiesContinuous risk assessment and policy documentation
ObserverWatchdog
Risk Score Dashboard, Policy Audit Trail
Incident handlingDetection, response, and recovery procedures
Verity SIEMActive Shield
Incident Timeline, Forensic Trace Pack
Business continuity and crisis managementBackup management and disaster recovery
WatchdogObserver
System Status Reports, Availability Logs
Supply chain securityThird-party risk and access controls
Network ShieldPulsar Agent
Supplier Access Logs, Segmentation Evidence
Security in network and information systems acquisitionSecure development and maintenance
HacktorObserver
Vulnerability Scan Reports, Remediation Trail
Vulnerability handling and disclosureCVE detection and patching workflows
ObserverHacktor
CVE Register, Patch Status Reports
Policies and procedures for cryptographyEncryption standards and key management
ObserverPulsar Agent
Encryption Compliance Reports
Human resources securityAccess control and personnel security
Pulsar AgentVerity SIEM
User Access Logs, Privilege Reports
Access control policiesLeast privilege and role-based access
Network ShieldVerity SIEM
Access Control Matrices, Audit Logs
Multi-factor authenticationSecure authentication mechanisms
Pulsar AgentObserver
MFA Compliance Reports
Secure communicationsEncrypted voice, video, and text
Network ShieldObserver
Communication Security Audit
Secure emergency communicationsResilient backup communication systems
WatchdogVerity SIEM
Emergency System Status Logs

Article 21(2)(a): Risk Analysis & Policies

Organisations must conduct continuous risk assessments and maintain documented information security policies aligned with business objectives.

Enginsight Evidence: Watchdog discovers all IT assets and generates risk scoring dashboards; Observer logs all policy-related configuration changes.

Evidence Output: Risk Score Dashboard, Policy Audit Trail, Asset Inventory Report

Implementation: 2-4 weeks

Article 21(2)(b): Incident Response

Organisations must establish incident detection, response, and recovery procedures, with ability to report within 24 hours of detection.

Enginsight Evidence: Verity SIEM correlates security events; Active Shield provides IDS/IPS data; automated incident timeline generation.

Evidence Output: Incident Timeline, Forensic Trace Pack, Event Correlation Reports

Implementation: 3-6 weeks

Article 21(2)(c): Business Continuity

Organisations must maintain backup and recovery procedures to ensure availability and timely recovery of systems and data.

Enginsight Evidence: Watchdog monitors backup success rates and recovery readiness; Observer tracks system availability and patch status.

Evidence Output: System Status Reports, Availability Logs, Recovery Test Results

Implementation: 2-3 weeks

Article 21(2)(d): Supply Chain Security

Organisations must identify and manage cybersecurity risks related to third-party suppliers and service providers.

Enginsight Evidence: Network Shield maps supplier access points and data flows; Pulsar Agent monitors third-party activity; segmentation audits.

Evidence Output: Supplier Access Logs, Segmentation Evidence, Third-Party Risk Assessment

Implementation: 4-8 weeks (depends on complexity)

Article 21(2)(e): Security in Acquisitions

Organisations must ensure cybersecurity is embedded in system acquisition, development, and maintenance processes.

Enginsight Evidence: Hacktor performs automated pentesting and vulnerability assessment; Observer scans for insecure configurations.

Evidence Output: Vulnerability Scan Reports, Remediation Trail, Secure Code Assessment

Implementation: 3-5 weeks

Article 21(2)(f): Vulnerability Management

Organisations must establish procedures for identifying, evaluating, and remediating vulnerabilities and exposures.

Enginsight Evidence: Observer continuously scans for CVEs and misconfigurations; Hacktor generates detailed vulnerability assessments.

Evidence Output: CVE Register, Patch Status Reports, Vulnerability Scorecard

Implementation: 2-4 weeks

Article 21(2)(g): Cryptography Policies

Organisations must establish policies on the use of cryptography to protect confidentiality, authenticity, and integrity of data.

Enginsight Evidence: Observer audits encryption standards and key management; Verity SIEM monitors encrypted traffic.

Evidence Output: Encryption Compliance Reports, Key Management Audit Trail

Implementation: 3-4 weeks

Article 21(2)(h): Human Resources Security

Organisations must enforce personnel security measures including access control, role-based permissions, and privilege management.

Enginsight Evidence: Pulsar Agent monitors user activity and privilege escalation; Verity SIEM logs all access events.

Evidence Output: User Access Logs, Privilege Escalation Reports, HR Security Audit

Implementation: 2-3 weeks

Article 21(2)(i): Access Control Policies

Organisations must enforce least-privilege access controls and maintain audit logs of all access decisions.

Enginsight Evidence: Network Shield enforces micro-segmentation; Verity SIEM audits all access events; Pulsar Agent monitors compliance.

Evidence Output: Access Control Matrices, Segmentation Audit Reports, Least-Privilege Compliance

Implementation: 4-6 weeks

Article 21(2)(j): Authentication & MFA

Organisations must enforce multi-factor authentication and secure authentication mechanisms for all users and services.

Enginsight Evidence: Pulsar Agent enforces MFA policies; Observer audits authentication logs; FIM monitors policy changes.

Evidence Output: MFA Compliance Reports, Authentication Audit Trail, Failed Login Analysis

Implementation: 2-4 weeks

See How Your Organisation Maps

Take our scorecard to identify which Article 21 controls you're missing and get personalised module recommendations.