Deterministic verification for NIS2

NIS2 Compliance: Code-Verified Evidence, Not Policy Documents

NIS2 (Directive (EU) 2022/2555) requires essential and important entities to implement cybersecurity risk-management measures (Article 21), report incidents within 24/72 hours (Article 23), and hold management accountable (Article 20). Cortex AIF replaces manual checklists and LLM-based guesses with deterministic code that checks each claim against live sources and stamps VERIFIED/PARTIALLY_VERIFIED/UNVERIFIED/GAP. No fabricated numbers. No confidence scores. Only structured evidence an auditor can accept.

Run a free check →See pricing

The NIS2 compliance challenge: from policy to proof

NIS2 demands more than a signed policy. Article 21 requires proportionate technical and organisational measures—access control, encryption, supply-chain security, incident handling. Article 23 mandates a 24-hour early warning and a 72-hour detailed notification. Most organisations rely on self-assessments or generic checklist suites that produce a to-do list, not proof. An auditor needs evidence that a control was actually implemented and is working. Cortex AIF bridges that gap by verifying each claim against real sources—your configuration files, logs, and vendor attestations—and producing a structured evidence package you can hand to an auditor.

Evidence, not policy documents - what an auditor accepts

An auditor does not accept a PDF that says 'we have access controls.' They want to see the actual access control list, the timestamp of the last review, and the identity of the reviewer. Cortex AIF uses code to check each claim against live sources: it reads your cloud IAM policies, firewall rules, and incident logs, then stamps each claim as VERIFIED (source matches), PARTIALLY_VERIFIED (some evidence missing), or GAP (no source found). No LLM judges another LLM. No probabilistic confidence scores. The result is a deterministic evidence report that satisfies Article 21 and 23 requirements.

How Cortex verifies - code is the judge, not the model

Common industry approaches use one LLM to judge another—probabilistic, opaque, and prone to hallucination. Cortex AIF is different: a deterministic code engine checks each factual claim against a source (e.g., a configuration file, a log entry, a vendor API response). If the source does not exist or does not match, the claim is marked UNVERIFIED or GAP. The code never invents a number or a control. This anti-fabrication layer ensures that every figure in your compliance report is backed by real evidence. For NIS2, that means you can prove to an auditor that your 24-hour early warning system actually fired, or that your supply-chain risk assessment covered all critical vendors.

Covering the full NIS2 scope: essential and important entities

NIS2 applies to medium-sized and larger organisations (50+ staff or EUR 10M+ turnover) in sectors like energy, transport, banking, health, water, digital infrastructure, ICT service management, public administration, and manufacturing of critical products. Cortex AIF can be configured to verify controls across any of these sectors. The same deterministic engine that checks access controls for a bank can verify incident reporting for a hospital. The evidence format is consistent, so you can scale compliance across multiple subsidiaries or supply-chain partners without re-inventing the process.

Incident reporting under Article 23: 24-hour early warning and 72-hour notification

Article 23 requires an early warning within 24 hours of becoming aware of a significant incident, followed by a detailed notification within 72 hours. Cortex AIF can ingest your incident management system logs and verify that the early warning was sent within the required window. It checks the timestamp of the first alert against the incident detection time and stamps the claim as VERIFIED or GAP. No manual tracking. No reliance on an LLM to 'remember' the regulation. The code reads the regulation text and your logs side by side.

Management accountability and liability under Article 20

Article 20 holds management bodies accountable for cybersecurity risk-management measures and requires them to approve training and oversee compliance. Cortex AIF can verify that management review meetings occurred, that training completion records exist, and that risk acceptance decisions are documented. Each claim is checked against your HR system, meeting minutes, and risk register. The output is a structured evidence package that demonstrates management oversight—not a signed policy, but actual proof of action.

Run a free Home > Solutions > NIS2 Compliance check

Describe your setup or paste your documentation. Get a sourced, per-requirement status in minutes.

Start free check

Frequently asked questions

How does Cortex AIF differ from using ChatGPT for NIS2 compliance?
ChatGPT answers from old memory and cannot cite the live regulation or check your actual controls. It reassures you with plausible-sounding text but may fabricate numbers or policies. Cortex AIF uses deterministic code to check each claim against real sources—your configuration files, logs, and vendor attestations. It never invents a fact. If a control is missing, it says GAP. An auditor can verify every claim independently.
Can Cortex AIF verify supply-chain security under NIS2?
Yes. Article 21 requires supply-chain security measures. Cortex AIF can check that you have assessed critical vendors, that contracts include security clauses, and that vendor attestations are current. It reads your vendor management system and contract repository, then stamps each claim as VERIFIED or GAP. No manual spreadsheet tracking needed.
What happens if a claim is marked UNVERIFIED or GAP?
Cortex AIF does not give a confidence score—it deletes any number or fact with no source proof. An UNVERIFIED or GAP stamp means the evidence does not exist or does not match the claim. You can then investigate and remediate. The report shows exactly which source was missing, so you know what to fix. This is the anti-fabrication layer: an unproven figure never appears in your compliance output.
Is Cortex AIF suitable for organisations that are not yet in scope of NIS2?
Yes. Many suppliers to essential entities are indirectly affected. Cortex AIF can help you build a compliance posture that will satisfy future audits. The deterministic verification approach works for any regulatory framework—GDPR, SOC 2, ISO 27001—so you can reuse the same evidence engine across multiple standards.