NIS2
OnTrackio is an IT asset-management (ITAM) platform, not a governance, risk, and compliance (GRC) suite. It contributes ITAM-derived evidence to your NIS2 programme — it does not make you NIS2-compliant on its own. This page explains exactly what the platform evidences for NIS2 Article 21(2), and where the boundary sits.
NIS2 (Directive (EU) 2022/2555) requires essential and important entities to take "appropriate and proportionate technical, operational and organisational measures." Article 21(2) lists ten cybersecurity risk-management measures, lettered (a) to (j). OnTrackio's evidence pack scores each one honestly against the actual feature set, informed by Commission Implementing Regulation (EU) 2024/2690 and the ENISA Technical Implementation Guidance.
:::note Why honest labelling matters

An earlier version of the pack labelled sub-controls "implemented" when OnTrackio only shipped a proxy metric or a hygiene baseline. The current pack caps those at "partial" and names what you still owe. Auditors discount a self-graded "implemented" with no control behind it — telling the truth is what makes the evidence usable.

:::
How OnTrackio classifies coverage
Every sub-control is tagged with a coverage class that sets a ceiling on its status. The class is the single most important thing to understand before reading any number in the pack.
| Coverage class | What it means | Status ceiling |
|---|---|---|
| itam_native_evidence | The platform produces full evidence for this sub-control. The status reflects real measurements. | implemented |
| itam_hygiene_floor | The platform contributes a necessary precondition, not the full control. | partial |
| itam_proxy | The platform reports a coverage metric, not an effectiveness measurement. | partial |
| outside_itam_scope | You must produce this evidence yourself. | customer_provided |
Only two sub-controls reach itam_native_evidence: the Article 23 notification half of incident handling (b), and the MFA half of secure authentication (j). Everything else is a precondition, a proxy, or out of scope — and the pack says so on the page.
Coverage by Article 21(2) sub-control
The table below reflects the mapping in the generated evidence pack. Status depends on your own data and settings, so the values you see in the PDF can be higher or lower than the floor shown here.
| Sub-control | Coverage class | What OnTrackio evidences | What you must provide |
|---|---|---|---|
| (a) Risk analysis & IS policies | itam_hygiene_floor | Asset register size, classification %, serial-tracking %. | Risk register linking assets to threats, treatment plan, written management acceptance of residual risk, board-approved IS policy. |
| (b) Incident handling | itam_native_evidence | Article 23 24h / 72h / 30d notification workflow with structured CSIRT email; incident counts by state; 30-day audit-log volume. | Internal incident-response policy and runbooks, detection (SIEM / log management), root-cause and post-incident review process. |
| (c) Business continuity & backup | outside_itam_scope | Platform availability and audit-log retention only — the vendor's continuity for the SaaS, not yours. | Business-continuity plan for your production systems (MES, ERP, OT/SCADA), disaster-recovery test reports, crisis-management playbook. |
| (d) Supply-chain security | itam_hygiene_floor | Software and hardware vendor inventory; active-licence count. | Supply-chain security policy, vendor selection criteria, mandatory contract clauses, per-vendor risk assessment, per-supplier vulnerability assessment. |
| (e) Acquisition, development & maintenance | itam_proxy | Procurement records: purchase dates, invoices, transfer agreements, wipe certificates. | SDLC documentation, secure-baseline registry, change management, vulnerability-management programme, annual penetration test. |
| (f) Effectiveness assessment | itam_native_evidence | The Effectiveness Assessment module: documented policy with tamper-check, cadenced metric snapshots, quarterly review with management sign-off. | Extension of the metric catalogue to non-ITAM controls, and your own policy text (the platform supplies the workflow and storage). |
| (g) Cyber hygiene & training | itam_hygiene_floor | TOTP and passkey enrolment %; org-wide MFA enforcement state. | Awareness-training programme, sign-in sheets and completion certificates, phishing-simulation results, role-based training matrix, board training records. |
| (h) Cryptography | itam_proxy | Endpoint-agent coverage as a proxy for managed-endpoint footprint; AWS-managed encryption for the SaaS. | Cryptography and key-management policy, endpoint encryption inventory (BitLocker / FileVault), algorithm allow-list. |
| (i) HR security & access control | itam_hygiene_floor | Offboarded users still holding assets; RBAC with default roles; scoped, expiring API tokens. | Access-control policy, joiner-mover-leaver workflow with sign-off, privileged-account management, background-verification records. |
| (j) MFA & secure communications | itam_native_evidence | TOTP, passkey, and SSO enrolment and policy state across password, Google, Microsoft, and SAML sign-in; agent HMAC-SHA256 signing. | Out-of-band crisis-communications plan for when primary channels are unavailable, documented in the BCP. |
:::tip The split sub-controls

Two sub-controls are deliberately split. For (b), OnTrackio owns the regulator-facing Article 23 timer and workflow, but your internal response policy is out of scope. For (j), OnTrackio measures MFA natively, but the "secured emergency communications" half belongs in your business-continuity plan. The pack states both halves so the boundary is explicit.

:::
What "implemented" requires for (f)
Sub-control (f) is the one place where OnTrackio's status is strict by design. The pack marks it implemented only when all three primitives are present and fresh:
| Primitive | Requirement |
|---|---|
| Documented policy (§7.1) | A current effectiveness-assessment policy on file with a tamper-check. |
| Signed review | A management-signed review dated within 400 days. |
| Metric snapshots | At least one active metric measured within 45 days. |
If any primitive is missing or stale, the status drops to partial and the pack lists what is outstanding. A single 18-month-old snapshot cannot hold the "implemented" label — the freshness gate exists so auditors trust the score.
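As an added illustration (not OnTrackio's own code), the two rules this page describes as a small evaluator: the coverage-class ceiling from the classification table above, and the (f) freshness gate with its 400-day and 45-day windows. The input shape and field names are assumptions for the example, not the product's API.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Status ceiling per coverage class, as given in the classification table.
CEILING = {
    "itam_native_evidence": "implemented",
    "itam_hygiene_floor": "partial",
    "itam_proxy": "partial",
    "outside_itam_scope": "customer_provided",
}
RANK = {"customer_provided": 0, "partial": 1, "implemented": 2}

# Freshness windows for sub-control (f), as stated on the page.
REVIEW_MAX_AGE = timedelta(days=400)
SNAPSHOT_MAX_AGE = timedelta(days=45)


@dataclass
class FEvidence:
    """Hypothetical input record for (f); field names are assumptions."""
    policy_on_file: bool
    policy_tamper_check_ok: bool
    last_signed_review: Optional[date]
    snapshot_dates: List[date] = field(default_factory=list)


def cap_status(coverage_class: str, measured: str) -> str:
    """Apply the ceiling: a measured status can never exceed its class."""
    ceiling = CEILING[coverage_class]
    return measured if RANK[measured] <= RANK[ceiling] else ceiling


def assess_f(ev: FEvidence, today: date) -> Tuple[str, List[str]]:
    """Return (status, outstanding items) for Article 21(2)(f)."""
    outstanding = []
    if not (ev.policy_on_file and ev.policy_tamper_check_ok):
        outstanding.append("documented policy with passing tamper-check")
    if ev.last_signed_review is None or today - ev.last_signed_review > REVIEW_MAX_AGE:
        outstanding.append("management-signed review within 400 days")
    if not any(today - d <= SNAPSHOT_MAX_AGE for d in ev.snapshot_dates):
        outstanding.append("active metric snapshot within 45 days")
    status = "implemented" if not outstanding else "partial"
    return cap_status("itam_native_evidence", status), outstanding


if __name__ == "__main__":
    # Constructed sample: signed review is fresh, but the only snapshot is ~18 months old.
    stale = FEvidence(True, True, date(2025, 1, 15), [date(2023, 12, 1)])
    print(assess_f(stale, date(2025, 6, 1)))  # ('partial', ['active metric snapshot within 45 days'])
```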
Where this lives in the product
The evidence pack lives in the admin console under Admin → Compliance, where the NIS2 — Article 21(2) card summarises the implemented, partial, and planned counts and exposes the Article 21 PDF covering all ten sub-controls. The pack is deliberately read-only: every figure is queried live from your existing data, with no editable intermediate state, which is why it is safe to regenerate during an audit call. For the step-by-step procedure, see the evidence packs guide.
Two related surfaces sit in the same section of the sidebar, and each produces one of the two native-evidence sub-controls. NIS2 incidents is the Article 23 notification register behind (b), with 24h / 72h / 30d deadline tracking. Effectiveness is the Article 21(2)(f) module behind (f).
:::warning Regenerate, don't archive a stale copy

The pack prints its generation timestamp and reflects your data at that moment. Hand an auditor a freshly generated PDF rather than an old one — counts, coverage percentages, and the (f) status can all change as your inventory and settings change.

:::
How OnTrackio's own platform measures up
NIS2 also applies to OnTrackio as a service provider. Technical controls are strong: per-tenant database isolation, encryption at rest (AES-256) and in transit (TLS 1.3), RBAC, MFA, SSO, and an audit log. Data is processed in the EU (Frankfurt) today, with additional regions planned as we expand. The remaining work is process and attestation — the platform's own SOC 2 observation window has not started yet. None of that changes the evidence the platform produces for your programme; it is context for your vendor assessment.