REGULATORY COMPLIANCE

Signed technical evidence
for 6 regulatory frameworks.

NIS2, ENS, ISO 27001, PCI-DSS, HIPAA and DORA. Itamite automatically generates compliance technical evidence from agent data, signed with SHA-256 and publicly verifiable. No expensive external consultancy.

The problem with manual compliance

A NIS2 or ENS audit demands concrete technical evidence: that each device has active disk encryption, updated antivirus, current patches, controlled admin accounts, immutable activity logs… for each asset in your fleet.

Doing this manually means: spreadsheets, screenshots, hiring a consultancy at €10,000-30,000, repeating the process every certification renewal. And even then, the evidence is static and outdated by the time it's printed.

Itamite does this automatically and in real time. The agent reports each control on every heartbeat. The platform keeps each framework's compliance status updated to the minute. When the auditor arrives, you generate the signed report in 30 seconds.

COVERED FRAMEWORKS

The 6 most demanded standards in Europe

Each framework has its controls mapped to data the agent collects.

NIS2 (EU Directive 2022/2555)

Mandatory since October 2024 for essential and important entities: energy, transport, healthcare, banking, digital public sector, water, food, chemicals, critical manufacturing, ICT managers.

Itamite covers:
  • Art. 21.2.a — Risk analysis (full inventory)
  • Art. 21.2.b — Incident management (immutable audit)
  • Art. 21.2.d — Supply chain security (SBOM)
  • Art. 21.2.e — Maintenance (patches, EOL)
  • Art. 21.2.f — Effectiveness of measures (measurable posture)
  • Art. 21.2.g — Basic hygiene (AV, firewall, screen lock)
  • Art. 21.2.h — Encryption (disk_encrypted, TPM, Secure Boot)
  • Art. 21.2.i — Access control (admin accounts, MFA)

ENS (Spanish RD 311/2022)

National Security Scheme. Mandatory for Spanish public sector and critical providers. Three categories: Basic, Medium, High.

Covered families:
  • mp.eq — Equipment protection
  • op.exp — Operations
  • mp.com — Communications protection
  • op.acc — Access control
  • mp.s — Service protection

Reports valid for CCN-CERT audit and ENS certification by an accredited body.

ISO/IEC 27001:2022

International information security management standard. Voluntary certification by an accredited body.

Annex A — Controls covered:
  • A.5.10, A.5.16, A.5.18 — Access and authentication
  • A.8.1 — Asset inventory
  • A.8.7 — Malware protection
  • A.8.8 — Technical vulnerability management
  • A.8.9 — Configuration management
  • A.8.11 — Data encryption
  • A.8.16 — Monitoring activities

PCI-DSS v4.0

Mandatory for any company that processes, stores or transmits payment card data.

Requirements covered:
  • Req. 5 — Antimalware protection (AV, EDR)
  • Req. 6 — Secure systems and apps (patches)
  • Req. 7 — Function-based access restriction
  • Req. 8 — Identification and authentication
  • Req. 10 — Access logging and monitoring
  • Req. 11.5 — Unauthorized change detection

HIPAA Security Rule

For US entities managing health information (PHI): hospitals, clinics, medical insurers and their business associates.

Technical safeguards covered:
  • §164.312(a) — Access control
  • §164.312(b) — Audit controls
  • §164.312(c) — Integrity
  • §164.312(d) — Person/entity authentication
  • §164.312(e) — Transmission security

DORA (EU Regulation 2022/2554)

Digital operational resilience. In force since January 2025 for EU financial entities.

Itamite covers:
  • Art. 5-15 — ICT risk management framework
  • Art. 9 — Protection and prevention
  • Art. 10 — Detection
  • Art. 11 — Response and recovery
  • Art. 17-23 — ICT incident management
  • Art. 28-30 — Third-party ICT risk

HOW IT WORKS

From agent data to signed PDF

4 automatic steps. Zero spreadsheets.

01

Agent reports 25+ technical controls

On every heartbeat (15 min by default), the Itamite agent sends the real status of 25+ security controls: disk encryption, AV installed and updated, pending patches, firewall, admin accounts, screen lock, TPM, Secure Boot, SMB config, RDP NLA, USB storage, Office macros, BitLocker.

02

Itamite maps each control to the active framework

When you activate a framework (e.g. NIS2 + ENS + ISO 27001), Itamite automatically maps each agent data point to the corresponding article/control. One technical data point satisfies controls in several frameworks at once.

03

Real-time status with percentage and gaps

The console shows current status: for each regulatory control, how many assets comply and which fail, with the exact technical value. Continuous preventive audit.

04

Generate the signed PDF in 30 seconds

Button "Generate report" → select framework + period → downloadable PDF with: global compliance percentage, status of each control with technical evidence per asset, documented exceptions, and SHA-256 signature publicly verifiable at itamite.com/verify.
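To make steps 01-04 concrete, here is an added example (not Itamite's code) of the mapping and status computation the steps describe: a few constructed heartbeat payloads, a pass/fail rule per technical control, a table that sends each control to an article or control number in several frameworks, and a function that returns, per framework control, how many assets comply, which fail and with what exact value, plus the global percentage. The article and control numbers are the ones listed on this page; which agent data point feeds which of them, the pass/fail thresholds and the payload field names are assumptions made for the example.

```python
# Added example: control-to-framework mapping and compliance status.
# Not Itamite's implementation; field names, thresholds and mappings are assumed.

# Constructed sample heartbeats (not real agent output): one dict per asset.
HEARTBEATS = [
    {"asset": "LAPTOP-01", "disk_encrypted": True,  "av_updated": True,  "pending_patches": 0,  "admin_accounts": 1},
    {"asset": "LAPTOP-02", "disk_encrypted": False, "av_updated": True,  "pending_patches": 7,  "admin_accounts": 1},
    {"asset": "SRV-DB-01", "disk_encrypted": True,  "av_updated": False, "pending_patches": 12, "admin_accounts": 4},
]

# Pass/fail rule per technical control (assumed thresholds, not the product's).
CONTROL_RULES = {
    "disk_encrypted":  lambda hb: hb["disk_encrypted"] is True,
    "av_updated":      lambda hb: hb["av_updated"] is True,
    "pending_patches": lambda hb: hb["pending_patches"] == 0,
    "admin_accounts":  lambda hb: hb["admin_accounts"] <= 2,
}

# One technical data point feeds controls in several frameworks. The numbers are
# the ones listed on this page; the pairing with a data point is an assumption.
CONTROL_MAP = {
    "disk_encrypted":  {"NIS2": "Art. 21.2.h", "ISO27001": "A.8.11"},
    "av_updated":      {"NIS2": "Art. 21.2.g", "ISO27001": "A.8.7",  "PCI-DSS": "Req. 5"},
    "pending_patches": {"NIS2": "Art. 21.2.e", "ISO27001": "A.8.8",  "PCI-DSS": "Req. 6"},
    "admin_accounts":  {"NIS2": "Art. 21.2.i", "ISO27001": "A.5.18", "PCI-DSS": "Req. 7"},
}


def evaluate_asset(hb):
    """Return {control: (passed, raw_value)} for one heartbeat."""
    return {c: (rule(hb), hb[c]) for c, rule in CONTROL_RULES.items()}


def framework_status(heartbeats, framework):
    """
    Per regulatory control of `framework`: compliant asset count, total,
    the failing assets with their exact technical value, and a percentage.
    Several technical controls may feed the same article; counts accumulate.
    """
    status = {}
    for control, targets in CONTROL_MAP.items():
        if framework not in targets:
            continue
        article = targets[framework]
        entry = status.setdefault(article, {"pass": 0, "total": 0, "gaps": []})
        for hb in heartbeats:
            passed, value = evaluate_asset(hb)[control]
            entry["total"] += 1
            if passed:
                entry["pass"] += 1
            else:
                entry["gaps"].append((control, hb["asset"], value))
    for entry in status.values():
        entry["percent"] = round(100 * entry["pass"] / entry["total"], 1)
    return status


def global_percent(status):
    """Global compliance percentage over all evaluated (asset, control) pairs."""
    passed = sum(e["pass"] for e in status.values())
    total = sum(e["total"] for e in status.values())
    return round(100 * passed / total, 1) if total else 0.0


if __name__ == "__main__":
    for fw in ("NIS2", "ISO27001", "PCI-DSS"):
        st = framework_status(HEARTBEATS, fw)
        print(f"{fw}: {global_percent(st)}% global")
        for article, e in sorted(st.items()):
            print(f"  {article}: {e['percent']}% ({e['pass']}/{e['total']}) gaps={e['gaps']}")
```

Each gap carries the raw value the agent reported, so the report can show an auditor "SRV-DB-01: admin_accounts = 4" rather than a bare "fail"; the same LAPTOP-02 encryption failure lowers both the NIS2 Art. 21.2.h and the ISO 27001 A.8.11 figures without being collected twice.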

SIGNATURE AND VERIFICATION

SHA-256 verifiable by auditor

Each PDF generated by Itamite carries in its footer a SHA-256 hash calculated over the report content together with the hash of the tenant's previous report (a blockchain-style integrity chain).

To verify report integrity:

  1. Your auditor goes to https://itamite.com/verify (public access without login).
  2. Drags the PDF to the verification area or enters the hash manually.
  3. Itamite confirms whether the hash matches the immutable audit record and shows: tenant that generated it, user who requested it, UTC timestamp.

If anyone tampers with even one character of the PDF, the hash no longer matches and verification fails.
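The integrity chain and the two verification paths (drag the PDF, or enter the hash) can be modelled in a few lines. The following is an added example and not Itamite's code: it assumes the hash is SHA-256 over the previous report's hex hash followed by the report bytes, that a tenant's first report chains to an all-zero genesis value, and that the per-record fields are tenant, user, UTC timestamp, previous hash and hash. Record layout and byte order are assumptions; the page only states what is hashed, not how.

```python
# Added example: a SHA-256 integrity chain over per-tenant reports.
# Not Itamite's implementation; byte order, genesis value and record
# layout are assumptions made for illustration.
import hashlib
from datetime import datetime, timezone
from typing import List, Optional

GENESIS_HASH = "0" * 64  # assumed starting link for a tenant with no prior report


def report_hash(content: bytes, prev_hash: str) -> str:
    """SHA-256 over the previous report's hex hash followed by the report bytes."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(content)
    return h.hexdigest()


def append_report(chain: List[dict], content: bytes, tenant: str, user: str) -> dict:
    """Append the audit record for a newly generated report to the tenant chain."""
    prev = chain[-1]["hash"] if chain else GENESIS_HASH
    record = {
        "tenant": tenant,
        "user": user,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "prev_hash": prev,
        "hash": report_hash(content, prev),
    }
    chain.append(record)
    return record


def lookup(chain: List[dict], hash_hex: str) -> Optional[dict]:
    """Verification path 2: the auditor types the footer hash; find its record."""
    for record in chain:
        if record["hash"] == hash_hex.lower():
            return record
    return None


def verify_content(chain: List[dict], content: bytes) -> Optional[dict]:
    """
    Verification path 1: the auditor uploads the report bytes. Recompute the
    hash against every stored previous-hash link; a single changed byte makes
    none of them match and the function returns None.
    """
    for record in chain:
        if report_hash(content, record["prev_hash"]) == record["hash"]:
            return record
    return None


def verify_chain(chain: List[dict], contents: List[bytes]) -> int:
    """
    Re-derive the whole chain from stored report contents. Returns the index of
    the first record whose link or hash does not check out, or -1 if intact.
    """
    expected_prev = GENESIS_HASH
    for i, (record, content) in enumerate(zip(chain, contents)):
        if record["prev_hash"] != expected_prev:
            return i
        if report_hash(content, expected_prev) != record["hash"]:
            return i
        expected_prev = record["hash"]
    return -1


if __name__ == "__main__":
    chain: List[dict] = []
    append_report(chain, b"NIS2 report Q1 (constructed content)", "tenant-demo", "alice")
    append_report(chain, b"NIS2 report Q2 (constructed content)", "tenant-demo", "bob")
    print("intact:", verify_chain(chain, [b"NIS2 report Q1 (constructed content)",
                                          b"NIS2 report Q2 (constructed content)"]))
    print("tampered at:", verify_chain(chain, [b"NIS2 report Q1 (constructed content)",
                                               b"NIS2 report Q2 (constructed CONTENT)"]))
```

Because each record's hash commits to the previous one, altering or silently replacing an older report breaks every later link as well, which is what `verify_chain` surfaces by returning the index of the first bad record.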

Accepted as technical evidence by major certification bodies (Bureau Veritas, DNV, SGS) for ISO 27001, and by Spanish competent authorities for NIS2 and ENS.

BEING HONEST

What Itamite does NOT cover

We don't sell smoke. This is what you must provide.

  • Written policies: NIS2/ENS/ISO require organizational documentation (security policy, acceptable use policy, incident policy). Itamite handles the technical part; written policies are provided by you or your DPO.
  • Personnel training and awareness: frameworks require demonstrable employee training. Itamite is not a training platform.
  • Risk analysis: formal risk analysis (MAGERIT, ISO 27005) is done by your team or consultant.
  • Business continuity (BCM): continuity and recovery plans are out of Itamite's scope.
  • External audit: Itamite generates technical evidence. The audit itself (ISO 27001, ENS) is performed by an independent accredited body.

In summary: Itamite is the technical piece of compliance. We cover ~70% of a typical NIS2/ENS project — the remaining 30% (written policies, training, audit) is organizational work you must do.

NIS2 or ENS audit this year?

45-min demo with a real case from your sector. We show you the signed report live.