Turning NIS2 Article 21 into one evidence export
NIS2 Article 21 lists ten risk-management measures. Here is how we map each one to a control you can already show an auditor, and export as a single pack.
NIS2 Article 21 reads like a checklist, and that is the problem. Ten categories of risk-management measures, each phrased broadly enough that two auditors will ask for different proof. The work is not understanding the article. The work is producing evidence that a specific measure was in place on a specific date, without spending the week before the audit screenshotting portals.
Here is how we map the ten measures to records you can pull on demand.
The ten measures, and what proof actually satisfies them
Article 21(2) lists policies on risk analysis, incident handling, business continuity, supply-chain security, secure acquisition and development, effectiveness measurement, cyber hygiene and training, cryptography, access control and asset management, and multi-factor authentication.
Most of these resolve to data your Microsoft tenant already holds. Access control and MFA are Entra ID configuration plus sign-in logs. Cryptography is your key and certificate state. Incident handling is your ticket and alert history. The gap is not the data. The gap is that the data lives in six consoles, each with its own export format and retention window.
Control Ledger reads those sources on a schedule and writes each result to an append-only ledger. When the audit comes, you select a date range and a framework, and you get one pack: the control, the source it came from, the value on that date, and a signature over the record.
Why “on that date” matters more than “today”
An auditor rarely asks whether MFA is enforced now. They ask whether it was enforced across the period under review, and what happened the three times it was not. A live dashboard cannot answer that. A dashboard shows the present.
The append-only ledger answers it because every collection is timestamped and kept. A drift, an exception, a temporary break-glass grant: all of it is in the record with the reason attached. The evidence pack is not a snapshot. It is the history.
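As an added illustration, not Control Ledger's own code, here is a minimal hash-chained and HMAC-signed ledger in Python that stores daily collections of one control and exports the period under review, so a break-glass day surfaces as an exception with its reason attached instead of being hidden by today's state. The signing key, control name, source label, dates and ticket reference are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would keep this in a key vault or HSM.
LEDGER_KEY = b"constructed-demo-signing-key"
GENESIS = "0" * 64
def _seal(body):
    # Deterministic encoding, so signature and chain hash cover exactly one byte sequence.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(LEDGER_KEY, canonical, hashlib.sha256).hexdigest()
    return sig, hashlib.sha256(canonical).hexdigest()
class EvidenceLedger:
    # Append-only ledger: each record is chained to its predecessor and HMAC-signed.
    def __init__(self):
        self.records = []
        self._prev = GENESIS

    def append(self, observed_on, control, source, value, reason=None):
        body = {"observed_on": observed_on, "control": control, "source": source,
                "value": value, "reason": reason, "prev": self._prev}
        sig, self._prev = _seal(body)
        self.records.append({**body, "sig": sig})

    def verify(self):
        """True only if no record was altered, dropped or reordered after collection."""
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "sig"}
            sig, digest = _seal(body)
            if body["prev"] != prev or not hmac.compare_digest(sig, rec["sig"]):
                return False
            prev = digest
        return True

    def export(self, control, start, end):
        """Evidence pack for one control over a date range (ISO dates compare as strings)."""
        return [r for r in self.records
                if r["control"] == control and start <= r["observed_on"] <= end]

def exceptions(pack, expected):
    """Dates on which the collected value differed from the expected state, with the reason."""
    return [(r["observed_on"], r["value"], r["reason"]) for r in pack if r["value"] != expected]

def build_sample_ledger():
    # Constructed sample: four daily MFA collections, one break-glass day (ticket id made up).
    ledger = EvidenceLedger()
    for day, state, why in [("2025-03-01", "enforced", None), ("2025-03-02", "enforced", None),
            ("2025-03-03", "disabled", "break-glass INC-0042"), ("2025-03-04", "enforced", None)]:
        ledger.append(day, "NIS2-21(2)(j) MFA enforced", "Entra ID configuration", state, why)
    return ledger
```

Chaining alone does not detect truncation of the newest records, so the latest chain hash should also be anchored somewhere the collector cannot rewrite, such as a write-once store or a periodic external timestamp.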
What you still own
Two things stay your job, and no tool should claim otherwise. First, the policy itself: NIS2 wants documented measures, and a control collector proves the measure ran, not that you wrote it down. Second, the judgement call on what is in scope. Control Ledger maps Microsoft 365 and Azure telemetry to NIS2, DORA, and ISO 27001 clauses, but you confirm the mapping fits your estate.
What changes is the week before the audit. Instead of assembling proof, you export it. The proof was already being collected, every day, whether or not anyone asked.
Control Ledger ships with Cloud Horizons from the Growth tier. If you want to see the NIS2 mapping against your own tenant, request a security review.
Want this against your own tenant?
Spot Suite ties identity, billing, and audit to one Customer Environment, with EU data residency on request.