COMPLIANCE — prove compliance

The COMPLIANCE pillar translates the technical state into the language of regulations — with evidence, article by article. This is the difference between "we have some security" and "here is proof of compliance with NIS2 Art. 21(2)(e)".

NIS2 and DORA — article level

ZEUS scores the live posture against every article of the directive/regulation:

  • NIS2 — Art. 21(2)(a)–(j) (10 sub-points) + Art. 23 (incident reporting),
  • DORA — Art. 5–15 (ICT risk management framework), 17–23 (resilience testing), 28–31 (third-party risk).

Each control has an evidence trail (signal name + threshold + status) and a "worst-of" aggregation (status = the worst of the signals), so the result is defensible to an auditor:

Art. 21(2)(e)  Vulnerability handling and disclosure
status: partial
evidence:
  - { signal: critical_vulns,     status: partial,   text: "2 critical CVE (threshold 3)" }
  - { signal: monitoring_active,  status: compliant, text: "47 active Wazuh agents" }
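As an added illustration of the worst-of aggregation described above (example code, not ZEUS's own): each signal is graded against its threshold, the control takes the worst status among its signals, and the evidence list is kept next to the verdict so it can be shown to an auditor. The grading rules, the status ladder and the handling of a control that has no evidence at all are assumptions.

```python
from dataclasses import dataclass, asdict

# Status ladder; a higher rank is worse. Worst-of = the highest rank present.
RANK = {"compliant": 0, "partial": 1, "non_compliant": 2}


@dataclass(frozen=True)
class Evidence:
    signal: str
    status: str
    text: str


def grade_vuln_count(signal: str, count: int, threshold: int) -> Evidence:
    """Count-style signal where fewer is better. Assumed rule: 0 is compliant,
    below the threshold is partial, at or above the threshold is non_compliant."""
    if count == 0:
        status = "compliant"
    elif count < threshold:
        status = "partial"
    else:
        status = "non_compliant"
    return Evidence(signal, status, f"{count} critical CVE (threshold {threshold})")


def grade_min_count(signal: str, count: int, minimum: int, unit: str) -> Evidence:
    """Presence-style signal: at least `minimum` instances are required."""
    status = "compliant" if count >= minimum else "non_compliant"
    return Evidence(signal, status, f"{count} {unit}")


def worst_of(evidence: list[Evidence]) -> str:
    """The control is only as good as its worst signal. Assumption: a control
    with no evidence is non_compliant, so a dead collector never looks green."""
    if not evidence:
        return "non_compliant"
    return max((e.status for e in evidence), key=lambda s: RANK[s])


def assess_control(article: str, title: str, evidence: list[Evidence]) -> dict:
    """Verdict plus the evidence trail that justifies it."""
    return {"article": article, "title": title,
            "status": worst_of(evidence), "evidence": [asdict(e) for e in evidence]}


if __name__ == "__main__":
    # Constructed sample: the two signals shown for Art. 21(2)(e) above.
    ctl = assess_control("Art. 21(2)(e)", "Vulnerability handling and disclosure", [
        grade_vuln_count("critical_vulns", 2, 3),
        grade_min_count("monitoring_active", 47, 1, "active Wazuh agents"),
    ])
    print(f"{ctl['article']}  {ctl['title']}\nstatus: {ctl['status']}\nevidence:")
    for e in ctl["evidence"]:
        print(f"  - {e}")
```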

ISO 27001 + CIS

ISO 27001:2022 (Annex A control families), CIS Critical Security Controls v8 and per-OS CIS Benchmarks. Evidence is linked in real time from signals (Wazuh SCA, CNAPP scans, cloud posture). Plus UKSC mapping (the Polish implementation of NIS2).

Custom Frameworks (SCAP / OSCAL)

You upload your own framework — industry (HIPAA, IEC 62443) or internal:

  • ingests SCAP XCCDF (.xml) and OSCAL (JSON),
  • maps controls to signal queries,
  • multi-tenant: each customer has their own set of frameworks.

Reports & Audit Exports

On-demand and scheduled reports — PDF/JSON/CSV for auditors, regulators, the board:

  • NIS2 Art. 23 incident report (24h/72h/final),
  • DORA "Major ICT Incident" report,
  • ISO 27001 management review package,
  • monthly executive summary for the CISO.

Demo tip: show the Articles tab in the Compliance studio — this is our differentiator. The competition usually maps to "domains", we drill down to the article with live evidence.

Compliance in ZEUS is continuous, not once-a-quarter. This turns the "pre-audit fire drill" into an exportable PDF refreshed daily.