REGULATORY COMPLIANCE

Signed technical evidence
for 6 regulatory frameworks.

NIS2, ENS, ISO 27001, PCI-DSS, HIPAA and DORA. Itamite automatically generates technical compliance evidence from agent data, signed with SHA-256 and publicly verifiable.

The problem with manual compliance

A NIS2 or ENS audit requires concrete technical evidence: that every device has disk encryption enabled, an up-to-date antivirus, current patches, controlled admin accounts, immutable logs… for every asset in your fleet.

Doing it by hand means: spreadsheets, screenshots, hiring consultants at €10,000-30,000, and repeating it all at every renewal.

Itamite does it automatically and in real time. When the auditor arrives, you generate the signed report in 30 seconds.

FRAMEWORKS COVERED

The 6 most requested standards in Europe

Each framework has its controls mapped to the data collected by the agent.

NIS2 (EU Directive 2022/2555)

Mandatory since October 2024 for essential and important entities: energy, transport, healthcare, banking, digital public sector, water, food, chemicals, critical manufacturing, ICT managers.

Itamite covers:
  • Art. 21.2.a — Risk analysis (full inventory)
  • Art. 21.2.b — Incident management (immutable audit)
  • Art. 21.2.d — Supply chain security (SBOM)
  • Art. 21.2.e — Maintenance (patches, EOL)
  • Art. 21.2.f — Effectiveness of measures (measurable posture)
  • Art. 21.2.g — Basic hygiene (AV, firewall, screen lock)
  • Art. 21.2.h — Encryption (disk_encrypted, TPM, Secure Boot)
  • Art. 21.2.i — Access control (admin accounts, MFA)

ENS (Spanish RD 311/2022)

National Security Scheme. Mandatory for Spanish public sector and critical providers. Three categories: Basic, Medium, High.

Covered families:
  • mp.eq — Equipment protection
  • op.exp — Operations
  • mp.com — Communications protection
  • op.acc — Access control
  • mp.s — Service protection

Reports valid for CCN-CERT audit and ENS certification by an accredited body.

ISO/IEC 27001:2022

International information security management standard. Voluntary certification by an accredited body.

Annex A — Controls covered:
  • A.5.10, A.5.16, A.5.18 — Access and authentication
  • A.8.1 — Asset inventory
  • A.8.7 — Malware protection
  • A.8.8 — Technical vulnerability management
  • A.8.9 — Configuration management
  • A.8.11 — Data encryption
  • A.8.16 — Monitoring activities

PCI-DSS v4.0

Mandatory for any company that processes, stores or transmits payment card data.

Requirements covered:
  • Req. 5 — Antimalware protection (AV, EDR)
  • Req. 6 — Secure systems and apps (patches)
  • Req. 7 — Function-based access restriction
  • Req. 8 — Identification and authentication
  • Req. 10 — Access logging and monitoring
  • Req. 11.5 — Unauthorized change detection

HIPAA Security Rule

For US entities managing health information (PHI): hospitals, clinics, medical insurers and their business associates.

Technical safeguards covered:
  • §164.312(a) — Access control
  • §164.312(b) — Audit controls
  • §164.312(c) — Integrity
  • §164.312(d) — Person/entity authentication
  • §164.312(e) — Transmission security

DORA (EU Regulation 2022/2554)

Digital operational resilience. In force since January 2025 for EU financial entities.

Itamite covers:
  • Art. 5-15 — ICT risk management framework
  • Art. 9 — Protection and prevention
  • Art. 10 — Detection
  • Art. 11 — Response and recovery
  • Art. 17-23 — ICT incident management
  • Art. 28-30 — Third-party ICT risk

HOW IT WORKS

From agent data to a signed PDF

4 automatic steps. Zero spreadsheets.

01

Agent reports 25+ technical controls

On every heartbeat (15 min by default), the Itamite agent sends the real status of 25+ security controls: disk encryption, AV installed and updated, pending patches, firewall, admin accounts, screen lock, TPM, Secure Boot, SMB config, RDP NLA, USB storage, Office macros, BitLocker.

02

Itamite maps each control to the active framework

When you activate a framework (e.g. NIS2 + ENS + ISO 27001), Itamite automatically maps each agent data point to the corresponding article/control. One technical data point serves multiple frameworks.

03

Real-time status with percentage and gaps

The console shows current status: for each regulatory control, how many assets comply and which fail, with the exact technical value. Continuous preventive audit.

04

Generate the signed PDF in 30 seconds

Button "Generate report" → select framework + period → downloadable PDF with: global compliance percentage, status of each control with technical evidence per asset, documented exceptions, and SHA-256 signature publicly verifiable at itamite.com/verify.
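Steps 02 and 03 describe a mapping from agent data points to framework controls, followed by a per-control compliance percentage and a list of failing assets with their exact technical values. The following Python is an added illustration of that mechanism, not Itamite's own code: the control IDs are the ones listed on this page, but which data point evidences which control, the pass thresholds (e.g. at most 2 admin accounts), and the asset heartbeats are all constructed assumptions for the example.

```python
"""Added example: map agent control data to framework controls and compute posture.
Not Itamite's own code; the control-to-data-point mapping, the thresholds and the
heartbeat data below are assumptions chosen to illustrate the mechanism."""
from dataclasses import dataclass, field

# Constructed heartbeats: one dict of control values per asset (sample data, not real).
HEARTBEATS = {
    "LAPTOP-01": {"disk_encrypted": True,  "tpm": True,  "secure_boot": True,
                  "av_updated": True,  "firewall": True,  "screen_lock": True,
                  "pending_patches": 0, "admin_accounts": 1},
    "LAPTOP-02": {"disk_encrypted": False, "tpm": True,  "secure_boot": False,
                  "av_updated": True,  "firewall": True,  "screen_lock": False,
                  "pending_patches": 7, "admin_accounts": 1},
    "SRV-DB-01": {"disk_encrypted": True,  "tpm": False, "secure_boot": True,
                  "av_updated": False, "firewall": True,  "screen_lock": True,
                  "pending_patches": 0, "admin_accounts": 4},
}

# Pass predicate per agent data point. Thresholds are assumptions for the example.
CHECKS = {
    "disk_encrypted": lambda v: v is True,
    "tpm": lambda v: v is True,
    "secure_boot": lambda v: v is True,
    "av_updated": lambda v: v is True,
    "firewall": lambda v: v is True,
    "screen_lock": lambda v: v is True,
    "pending_patches": lambda v: v == 0,
    "admin_accounts": lambda v: isinstance(v, int) and v <= 2,
}

# Framework control -> agent data points that evidence it. The control IDs are those
# listed on this page; the assignment of data points to controls is an assumption.
MAPPING = {
    "NIS2": {
        "Art. 21.2.e": ["pending_patches"],
        "Art. 21.2.g": ["av_updated", "firewall", "screen_lock"],
        "Art. 21.2.h": ["disk_encrypted", "tpm", "secure_boot"],
        "Art. 21.2.i": ["admin_accounts"],
    },
    "ISO 27001": {
        "A.8.7": ["av_updated"],
        "A.8.8": ["pending_patches"],
        "A.8.11": ["disk_encrypted"],
    },
}


@dataclass
class ControlStatus:
    compliant: int
    total: int
    gaps: dict = field(default_factory=dict)  # asset -> {data_point: actual value}

    @property
    def percent(self) -> float:
        return round(100.0 * self.compliant / self.total, 1) if self.total else 0.0


def evaluate(frameworks, heartbeats=HEARTBEATS, mapping=MAPPING, checks=CHECKS):
    """Return {framework: {control_id: ControlStatus}} for the active frameworks.
    An asset complies with a control only if every mapped data point passes; the
    failing data points are kept with their exact reported value (the 'gap')."""
    result = {}
    for fw in frameworks:
        result[fw] = {}
        for control, points in mapping[fw].items():
            status = ControlStatus(compliant=0, total=len(heartbeats))
            for asset, data in heartbeats.items():
                failed = {p: data.get(p) for p in points if not checks[p](data.get(p))}
                if failed:
                    status.gaps[asset] = failed
                else:
                    status.compliant += 1
            result[fw][control] = status
    return result


def global_percent(report):
    """Global compliance: share of (control, asset) pairs that pass across all active frameworks."""
    passed = sum(s.compliant for fw in report.values() for s in fw.values())
    total = sum(s.total for fw in report.values() for s in fw.values())
    return round(100.0 * passed / total, 1) if total else 0.0


if __name__ == "__main__":
    report = evaluate(["NIS2", "ISO 27001"])
    for fw, controls in report.items():
        for cid, st in controls.items():
            print(f"{fw} {cid}: {st.percent}% ({st.compliant}/{st.total}) gaps={st.gaps}")
    print("global:", global_percent(report))
```

The same `pending_patches` value feeds both NIS2 Art. 21.2.e and ISO 27001 A.8.8, which is the "one data point, multiple frameworks" property of step 02; the `gaps` dictionary is what step 03 calls the exact technical value behind a failing control.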

SIGNATURE AND VERIFICATION

SHA-256 verifiable by the auditor

Every PDF generated by Itamite carries a SHA-256 hash in its footer.

To verify the integrity of a report:

  1. Your auditor goes to https://itamite.com/verify (public access without login).
  2. Drags the PDF to the verification area or enters the hash manually.
  3. Itamite confirms whether the hash matches the immutable audit record and shows: the tenant that generated it, the user who requested it, and the UTC timestamp.

If anyone alters even a single character of the PDF, the hash no longer matches.
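The verification steps above compare a digest against an append-only audit record rather than trusting anything printed inside the PDF itself. The following Python is an added illustration of that check, not Itamite's verifier: the record format, the tenant and user names, the timestamp and the report body are all constructed for the example. It also shows the two input paths from step 2 (the file itself, or a hand-typed hash) and what happens when one character of the report changes.

```python
"""Added example: integrity check of a generated report against an immutable audit record.
Not Itamite's own verifier; record layout, tenant/user names and the report body are constructed."""
import hashlib
import re
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex digest of the report bytes: the value that would be printed in the PDF footer."""
    return hashlib.sha256(data).hexdigest()


def register(record: dict, report: bytes, tenant: str, user: str, when: datetime) -> str:
    """Append-only registration: a digest, once recorded, is never overwritten."""
    digest = sha256_hex(report)
    if digest in record:
        raise ValueError("hash already registered; the audit record is immutable")
    record[digest] = {"tenant": tenant, "user": user,
                      "timestamp": when.astimezone(timezone.utc).isoformat()}
    return digest


def normalize_hash(text: str) -> str:
    """Accept a hand-typed hash: drop whitespace and an optional 'sha256:' prefix, lowercase it,
    and reject anything that is not 64 hex characters."""
    h = re.sub(r"\s+", "", text).lower()
    if h.startswith("sha256:"):
        h = h[len("sha256:"):]
    if not re.fullmatch(r"[0-9a-f]{64}", h):
        raise ValueError("not a SHA-256 hex digest")
    return h


def verify(record: dict, report: bytes = None, hash_text: str = None):
    """Return the audit entry (tenant, user, UTC timestamp) if the report bytes or the typed
    hash match a recorded digest, else None. Only the record is trusted, never the footer."""
    if report is None and hash_text is None:
        raise ValueError("provide the report bytes or a hash")
    digest = sha256_hex(report) if report is not None else normalize_hash(hash_text)
    return record.get(digest)


# Constructed sample: an in-memory audit record and a fake report body.
AUDIT_RECORD: dict = {}
ORIGINAL = b"%PDF-1.7\nNIS2 compliance report, period 2025-Q1\nglobal: 57.1%\n"
ORIGINAL_HASH = register(AUDIT_RECORD, ORIGINAL, tenant="acme-eu", user="dpo@example",
                         when=datetime(2025, 4, 1, 9, 30, tzinfo=timezone.utc))


def tampered_matches() -> bool:
    """Change one character of the report ('57.1%' -> '97.1%') and ask the record whether
    it still matches. Expected: it does not."""
    altered = ORIGINAL.replace(b"57.1%", b"97.1%")
    assert altered != ORIGINAL
    return verify(AUDIT_RECORD, report=altered) is not None


if __name__ == "__main__":
    print("footer hash:", ORIGINAL_HASH)
    print("original verifies:", verify(AUDIT_RECORD, report=ORIGINAL))
    print("tampered verifies:", tampered_matches())
    print("typed hash verifies:", verify(AUDIT_RECORD, hash_text=" SHA256:" + ORIGINAL_HASH.upper()))
```

The design point worth noticing: a SHA-256 digest on its own only proves that two byte strings are identical. It becomes evidence of integrity because the comparison is made against a record the reader cannot edit, which is why step 3 answers from the audit record and returns who generated the report and when, rather than simply recomputing the hash of whatever file was uploaded.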

Accepted as technical evidence by the main certification bodies.

LET'S BE HONEST

What Itamite does NOT cover

No smoke and mirrors. These are the parts you have to provide yourself.

  • Written policies: NIS2/ENS/ISO require organizational documentation (security policy, acceptable use policy, incident policy). Itamite handles the technical part; written policies are provided by you or your DPO.
  • Personnel training and awareness: frameworks require demonstrable employee training. Itamite is not a training platform.
  • Risk analysis: formal risk analysis (MAGERIT, ISO 27005) is done by your team or consultant.
  • Business continuity (BCM): continuity and recovery plans are out of Itamite's scope.
  • External audit: Itamite generates technical evidence. The audit itself (ISO 27001, ENS) is performed by an independent accredited body.

In short: Itamite is the technical piece of compliance. We cover ~70% of a typical NIS2/ENS project.

NIS2 or ENS audit this year?

45-minute demo with a real case from your sector.