Map NIS2 transpositions, IEC 62443, ISO 27001, and CIS Controls v8 to deployable control packages. Classify systems, track maturity, manage risk, generate audit-ready documentation.
437 obligations mapped across NIS2 national transpositions, IEC 62443, ISO 27001:2022, CIS Controls v8.1.2, and KRITIS-Dachgesetz. Validated against published legal texts.
Controls matched to real critical infrastructure tiers: T1 Platinum to T4 Bronze. Deployable packages, not one-size-fits-all checklists. 295 controls across 14 security domains.
Vendor assessments, right-sized vendor requirements, immutable audit trail, production readiness gates. Generate compliance reports, vendor questionnaires, and Handover to Operations (H2O) checklists.
Your data, your deployment, your IP. On-prem on your own infrastructure or cloud-hosted. Not locked into a SaaS platform. Full source access, no vendor dependency.
Nine capabilities that cover the full compliance lifecycle.
Classify systems across three axes: business impact (T1-T4), regulatory scope, and data sensitivity (DC1-DC4). Drives the entire control framework.
Track implementation status for 295 controls across 14 security domains. Per-system, per-domain coverage with Quick Wins prioritisation.
98 risk scenarios with likelihood, impact, and exposure tracking. Structured risk acceptance with justification, owner, and review dates.
Generate tier-scoped vendor security questionnaires. Requirements auto-filtered by the procuring system's BIA tier and regulatory tags.
Produce vendor requirements as Word documents, right-sized per system. T1 Platinum includes specific timelines and liquidated damages; T4 Bronze uses best-practice language.
Generate full system compliance reports covering all 14 domains. Printable HTML with compact mode for working meetings.
Handover to Operations gate with pass, conditional, or blocked verdict per control. Action-required list for change management.
Define company-specific security standards alongside regulatory obligations. Map requirements to objectives and controls with full traceability.
Immutable audit log for every change. CEF-formatted syslog forwarding (RFC 5424) to Microsoft Sentinel, Splunk, or any SIEM.
Navigate obligations across 6 frameworks, filter by system tier and regulatory scope, and trace every obligation through objectives to technical controls.
Compliance chain view for a T1 Platinum wind park SCADA system — obligations from NIS2, IEC 62443, and KRITIS-Dachgesetz mapped through to deployable technical controls.
Every scenario scored across operational, financial, regulatory, and safety impact. Mitigation chains trace risks to specific controls.
Risk register with MITRE ATT&CK technique mapping — each scenario linked to adversary techniques, scored across four impact dimensions, with structured risk acceptance workflow.
125 objective-level requirements across 14 security domains. Clause wording adjusts to match each system's tier, from Platinum to Bronze.
Vendor requirements document generated as a Word file — language matched to system tier, audit-ready format, with NIS2 incident notification timelines and liquidated damages clauses for T1 systems.
Integration patterns included. Implementation via standard APIs, syslog, and CEF.
All integration patterns included. Implement via your own APIs and syslog infrastructure.
Where it fits in your stack
Request a live walkthrough. We'll show you the compliance chain, maturity dashboard, and document generators running against real framework data.