Physical Compliance with NIS2 Directive Requirements
NIS2 (Directive (EU) 2022/2555) requires essential and important entities to take appropriate and proportionate technical, operational and organisational measures to manage the risks to their network and information systems, including access control and incident handling. Firevault Control provides the physical enforcement layer behind those measures and produces the evidence that they are in effect.
Key threats addressed
NIS2 raises the bar from configured controls to demonstrably effective controls, with personal accountability at board level. Firevault Control replaces software-only segmentation with hardware-enforced zone boundaries and produces continuous, signed evidence of separation, access governance and incident handling that auditors can verify directly.
NIS2 requires appropriate and proportionate measures. For essential services that underpin national infrastructure, appropriate means physical, not just logical.
- Art. 21: the Article 21(2) measures mapped to Control modules (see the mapping below).
- 100%: physical enforcement of network segmentation, not rule-set configuration.
- 24 h: support for the Article 23 early-warning deadline (24 hours), which is followed by the 72-hour incident notification and the final report within one month.
- Full: automated generation of compliance evidence.
NIS2 demands demonstrable security measures.
Proportionate Measures
NIS2 requires measures proportionate to the risk. For essential services, this means demonstrating that security measures go beyond standard software controls.
Network Segmentation
Article 21(2) requires measures for the security of network and information systems, and network segmentation is the usual way to contain a compromise within one zone. Many organisations rely on VLAN and firewall-rule separation that a single misconfiguration can bypass.
Management Accountability
NIS2 introduces personal liability for management bodies. Demonstrating appropriate measures requires evidence that goes beyond compliance checklists.
Pain points
- Firewall rule sets drift between audits, leaving unmonitored gaps in segmentation.
- VLAN-based separation cannot be evidenced as continuously effective.
- Incident reporting timelines (24-hour early warning, 72-hour notification) cannot be met when the incident has also taken down the infrastructure needed to investigate and recover and there is no out-of-band path to it.
- Boards face personal liability and need verifiable proof, not policy attestations.
Scenario: NIS2 Audit with Physical Evidence
An essential entity faces its first NIS2 compliance audit. The assessor examines network segmentation controls and finds that the existing firewall-based segmentation, while configured correctly today, has suffered three misconfiguration incidents in the past year, each of which temporarily created a path between zones. For the duration of each incident the segmentation measure was not effective, and point-in-time firewall configuration cannot show when each gap opened and closed, so the organisation cannot demonstrate continuous compliance. With Firevault Control, the organisation presents physical zone boundary evidence showing continuous, unbroken zone separation. Conduit activations are logged with multi-party authorisation records. The assessor can verify that physical boundaries were maintained at all times, providing evidence of continuous compliance.
"Our auditor asked us to prove that our network segmentation had been continuously effective for the past twelve months. With firewall logs, we could show configuration at a point in time. We could not prove there had been no gaps between audits."
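The scenario turns on one property of the evidence: an auditor must be able to check that the attestation stream itself has no gaps, that no record was altered after the fact, and that every open conduit was covered by a multi-party authorisation. The following is an added illustration of that check, not Firevault Control's code or evidence format. Everything in it is an assumption: one JSON attestation per 60 seconds, HMAC signing as a stand-in for a device signing key, hash-chaining to the previous record, a two-approver authorisation window, and the constructed sample stream.

```python
"""Verify a continuous, signed stream of zone-boundary attestations.
Constructed illustration; not Firevault Control's code or format.
Assumed: one HMAC-signed, hash-chained JSON attestation per PERIOD
seconds; a conduit may be 'open' only inside a MIN_APPROVERS window."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

PERIOD = 60                    # assumed attestation interval, seconds
TOLERANCE = 5                  # assumed clock jitter allowed, seconds
MIN_APPROVERS = 2              # assumed multi-party threshold
KEY = b"demo-attestation-key"  # stand-in for the device signing key
GENESIS = "0" * 64             # 'prev' value of the first attestation
START = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)  # sample clock

def canonical(record):
    """Deterministic bytes over every field except the signature."""
    body = {k: v for k, v in record.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(record, key=KEY):
    record["sig"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return record

def digest(record):
    """Chain link: hash of the complete signed record."""
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def make_stream(count, openings=(), key=KEY):
    """Constructed sample: `openings` are indices where ot-to-it is open."""
    stream, prev = [], GENESIS
    for i in range(count):
        rec = {
            "seq": i,
            "ts": (START + timedelta(seconds=PERIOD * i)).isoformat(),
            "prev": prev,
            "conduits": {"ot-to-it": "open" if i in openings else "severed",
                         "vendor-relay": "severed"},
        }
        stream.append(sign(rec, key))
        prev = digest(rec)
    return stream

# Constructed two-person authorisation covering attestations 3 and 4 only.
AUTHORISATIONS = [{
    "conduit": "ot-to-it", "approvers": ["alice", "bob"],
    "from": (START + timedelta(seconds=170)).isoformat(),
    "until": (START + timedelta(seconds=250)).isoformat(),
}]

def authorised(conduit, ts, authorisations):
    return any(
        a["conduit"] == conduit
        and len(set(a["approvers"])) >= MIN_APPROVERS
        and datetime.fromisoformat(a["from"]) <= ts <= datetime.fromisoformat(a["until"])
        for a in authorisations
    )

def verify_stream(stream, authorisations, key=KEY):
    """Return (seq, finding) pairs; an empty list means no evidenced gap."""
    findings, prev_digest, prev_ts = [], GENESIS, None
    for rec in stream:
        seq = rec["seq"]
        expected = hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("sig", "")):
            findings.append((seq, "signature invalid"))
        if rec["prev"] != prev_digest:          # deleted or altered predecessor
            findings.append((seq, "chain break: predecessor missing or altered"))
        ts = datetime.fromisoformat(rec["ts"])
        if prev_ts is not None:
            delta = (ts - prev_ts).total_seconds()
            if delta > PERIOD + TOLERANCE:      # the attestation clock skipped
                findings.append((seq, f"attestation gap of {delta:.0f}s"))
        for conduit, state in rec["conduits"].items():
            if state == "open" and not authorised(conduit, ts, authorisations):
                findings.append((seq, f"{conduit} open without multi-party authorisation"))
        prev_digest, prev_ts = digest(rec), ts
    return findings

def tampered_stream():
    """Constructed: one attestation deleted, one unauthorised opening edited out."""
    stream = make_stream(10, openings={3, 4, 8})
    del stream[6]                                   # a missing minute
    stream[7]["conduits"]["ot-to-it"] = "severed"   # seq 8 altered after signing
    return stream

if __name__ == "__main__":
    print(verify_stream(make_stream(10, openings={3, 4}), AUTHORISATIONS))
    print(verify_stream(tampered_stream(), AUTHORISATIONS))
```

The clean stream verifies with no findings. Deleting one attestation shows up twice, as a chain break and as a 120-second gap, and editing a record to hide an unauthorised opening invalidates its signature and breaks the chain at the next record. That is the difference between a log that shows configuration at a point in time and evidence from which the absence of gaps can itself be checked.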
Where NIS2 Article 21 measures meet Control modules.
NIS2 Article 21 names the measures essential and important entities must implement. Firevault Control provides the physical enforcement layer that turns those measures into evidence rather than intent.
Reference: Directive (EU) 2022/2555 (NIS2), Article 21(2)(a) to (j), with cross-reference to NCSC CAF outcomes.
Risk and security policies (Art. 21(2)(a)-(b))
- 21(2)(a) Risk analysis and information security policies. Continuous attestation of conduit state provides the evidence behind the policy. Modules: Validate, Archive.
- 21(2)(b) Incident handling. Firebreak severs governed conduits on alert; restoration is an evidenced Execute event. Modules: Firebreak, Execute.
Continuity and supply chain (Art. 21(2)(c)-(d))
- 21(2)(c) Business continuity and crisis management. Offline recovery copies remain reachable even when the live network is gone. Modules: Archive, Transfer.
- 21(2)(d) Supply chain security. Vendor reach is severed by default and opened only as a time-bound, scoped session. Modules: Firebreak, Relay, Lock.
Acquisition, development, vulnerability (Art. 21(2)(e)-(f))
- 21(2)(e) Security in acquisition, development and maintenance. Maintenance windows are governed Relay sessions with multi-party approval. Modules: Relay, Execute.
- 21(2)(f) Effectiveness of measures. Validate provides continuous, signed evidence that boundaries hold. Module: Validate.
Hygiene and access (Art. 21(2)(g) and (i))
- 21(2)(g) Cyber hygiene and training. Named access removes shared, evergreen credentials from the workflow. Modules: Lock, Unlink.
- 21(2)(i) Human resources security and access control. Trust is revoked at the boundary when relationships end. Modules: Unlink, Lock.
Authentication and communications (Art. 21(2)(j))
- 21(2)(j) Multi-factor authentication and secured communications. Cross-zone reach uses named, scoped, time-bound conduits. Modules: Lock, Relay, Isolate.
Modules referenced above: Validate, Archive, Firebreak, Execute, Transfer, Relay, Lock, Unlink, Isolate.
Key Capabilities
- EU Data Sovereignty: NIS2 sets no data residency rule of its own; residency within UK and EU jurisdictions supports the data-handling and sovereignty expectations that attach to essential services.
- Management Accountability: documented multi-party authorisation and governance records demonstrate the management-body oversight that Article 20 requires.
- Continuous Evidence: automated compliance logging generates continuous NIS2 evidence, eliminating the gaps between point-in-time assessments.
- Incident Response: physical zone isolation supports rapid containment, which keeps the Article 23 reporting timeline (24-hour early warning, 72-hour notification) achievable while the incident is still being worked.
- Audit-Ready Records: tamper-evident logs provide complete audit trails for every network boundary state, access authorisation and incident response action.
- Recovery Assurance: verified control-plane baselines demonstrate the business continuity and disaster recovery capability that Article 21(2)(c) requires.
Adoption Guide: Demo to Live
- NIS2 Gap Assessment: map current security measures against the Article 21(2) measures to identify where physical enforcement strengthens the compliance position.
- Compliance Architecture Design: design physical zone boundaries and access controls that satisfy NIS2 requirements for the entity's classification (essential or important).
- Evidence Validation: deploy Control in a representative environment to validate compliance evidence generation and prepare for the first NIS2 assessment.
- Full Compliance Deployment: organisation-wide deployment with continuous compliance evidence, multi-party governance and verified control-plane baseline assurance.
Explore More
- DORA Framework: digital operational resilience for financial services.
- Control for Critical Infrastructure: national-grade security for essential services.
- ISO 27001 Framework: information security management and Annex A controls.