NIS2
The technical evidence your NIS2 dossier needs.
Ghostpsy gives you the asset inventory, risk analysis, and posture proof that map to article 21 — so the rest of your NIS2 file fits around real evidence instead of educated guesses.
Honest mapping. Not a legal advisor. Not a NIS2 certification.
What NIS2 requires, technically
Article 21 lists ten themes of risk-management measures. The technical-posture themes are the ones Ghostpsy directly supports.
1. Risk analysis and information system security policies
2. Incident handling
3. Business continuity and backup management
4. Supply-chain security
5. Security in acquisition, development and maintenance
6. Effectiveness assessment of security measures
7. Cyber-hygiene and training
8. Cryptography
9. Human resources security, access control, asset management
10. MFA, secure communication, secure emergency communication
How Ghostpsy helps
Each row is a NIS2 theme. The middle column is what we collect or measure on a scanned Linux server. The right column is the artifact you can hand to an auditor.
| NIS2 theme | What Ghostpsy collects / measures | Artifact you get |
|---|---|---|
| Asset inventory (art. 21.2.g) | OS, services, packages, listening ports, users, firewall rules, scheduled tasks | Per-machine inventory in PDF and Markdown |
| Risk analysis (art. 21.2.a) | 3-layer security health score, prioritized risks P0–P3, plain-language summary | Risk dossier with severity, business impact, remediation effort |
| Vulnerability posture (art. 21.2.e) | Per-package CVE matching (OSV), end-of-life OS detection (endoflife.date) | CVE list with severity, CycloneDX SBOM (coming) |
| Access control & MFA (art. 21.2.j) | SSH posture, sudo configuration, account inventory, login policy | Section in the audit PDF and Markdown runbook |
| Network security & segmentation | iptables / nftables rules, listeners, external WAN probe to verify real exposure | Firewall posture summary and findings |
| Logging & cryptography (art. 21.2.f, 21.2.h) | fail2ban, audit, syslog, TLS / cipher posture | Posture sections in the audit report |
| Continuous improvement (art. 21.2.f) | Scan history, before/after comparison, timestamped evidence | Auditable trail across multiple scans |
What Ghostpsy does NOT do
- Replace a legal advisor or compliance officer.
- Replace a formal audit performed by an authorised auditor.
- Make you NIS2 certified. There is no "NIS2 certified" status delivered by Ghostpsy.
Frequently asked
- Is Ghostpsy NIS2 certified?
- No. NIS2 is a regulation, not a product certification. We help you produce the technical evidence side of articles 21.2.a, .e, .f, .g, .h, .i, .j. The compliance decision and the formal audit remain your responsibility.
- Does using Ghostpsy make us NIS2 compliant?
- No. NIS2 is a multi-disciplinary effort: governance, processes, training, supplier management, incident response. Ghostpsy is the fast way to cover the technical posture and inventory parts. The rest of the dossier is on you and your advisors.
- What format is the evidence?
- Each Operator scan produces a downloadable PDF and a Markdown runbook. CycloneDX SBOM export is coming in Q3 2026. Everything is timestamped and stored, so an auditor can compare scans across time.
Run a free Discovery scan
Three machines, one scan each. No card. See if the evidence we produce matches what your auditor or insurer is asking for.
Disclaimer
This page is informational. Ghostpsy is not a legal advisor and does not deliver a NIS2 certification or any equivalent attestation. Compliance decisions and formal audits remain the customer's responsibility. References to article 21 are for technical-mapping purposes only.