REGULATORY COMPLIANCE

Signed technical evidence
for 6 regulatory frameworks.

NIS2, ENS, ISO 27001, PCI-DSS, HIPAA and DORA. Itamite automatically generates the technical compliance evidence from the agent data, signed with SHA-256.

The problem with manual compliance

A NIS2 or ENS audit asks for concrete technical evidence: that every device has disk encryption enabled, antivirus up to date, patches current, administrator accounts under control, immutable logs… for every asset in your fleet.

Doing this by hand means: spreadsheets, screenshots, hiring a consultancy for €10,000-30,000, and repeating the whole process at every renewal.

Itamite does this automatically and in real time. When the auditor arrives, you generate the signed report in 30 seconds.

FRAMEWORKS COVERED

The 6 most requested standards in Europe

Each framework has its controls mapped to the data the agent collects.

NIS2 (EU Directive 2022/2555)

Mandatory since October 2024 for essential and important entities: energy, transport, healthcare, banking, digital public sector, water, food, chemicals, critical manufacturing, ICT managers.

Itamite covers:
  • Art. 21.2.a — Risk analysis (full inventory)
  • Art. 21.2.b — Incident management (immutable audit)
  • Art. 21.2.d — Supply chain security (SBOM)
  • Art. 21.2.e — Maintenance (patches, EOL)
  • Art. 21.2.f — Effectiveness of measures (measurable posture)
  • Art. 21.2.g — Basic hygiene (AV, firewall, screen lock)
  • Art. 21.2.h — Encryption (disk_encrypted, TPM, Secure Boot)
  • Art. 21.2.i — Access control (admin accounts, MFA)

ENS (Spanish RD 311/2022)

National Security Scheme. Mandatory for Spanish public sector and critical providers. Three categories: Basic, Medium, High.

Covered families:
  • mp.eq — Equipment protection
  • op.exp — Operations
  • mp.com — Communications protection
  • op.acc — Access control
  • mp.s — Service protection

Reports valid for CCN-CERT audit and ENS certification by accredited body.

ISO/IEC 27001:2022

International information security management standard. Voluntary certification by accredited body.

Annex A — Controls covered:
  • A.5.10, A.5.16, A.5.18 — Access and authentication
  • A.8.1 — Asset inventory
  • A.8.7 — Malware protection
  • A.8.8 — Technical vulnerability management
  • A.8.9 — Configuration management
  • A.8.11 — Data encryption
  • A.8.16 — Monitoring activities

PCI-DSS v4.0

Mandatory for any company that processes, stores or transmits payment card data.

Requirements covered:
  • Req. 5 — Antimalware protection (AV, EDR)
  • Req. 6 — Secure systems and apps (patches)
  • Req. 7 — Function-based access restriction
  • Req. 8 — Identification and authentication
  • Req. 10 — Access logging and monitoring
  • Req. 11.5 — Unauthorized change detection

HIPAA Security Rule

For US entities managing health information (PHI): hospitals, clinics, medical insurers and their business associates.

Technical safeguards covered:
  • §164.312(a) — Access control
  • §164.312(b) — Audit controls
  • §164.312(c) — Integrity
  • §164.312(d) — Person/entity authentication
  • §164.312(e) — Transmission security

DORA (EU Regulation 2022/2554)

Digital operational resilience. In force since January 2025 for EU financial entities.

Itamite covers:
  • Art. 5-15 — ICT risk management framework
  • Art. 9 — Protection and prevention
  • Art. 10 — Detection
  • Art. 11 — Response and recovery
  • Art. 17-23 — ICT incident management
  • Art. 28-30 — Third-party ICT risk

HOW IT WORKS

From agent data to signed PDF

4 automatic steps. Zero spreadsheets.

01

Agent reports 25+ technical controls

On every heartbeat (15 min by default), the Itamite agent sends the real status of 25+ security controls: disk encryption, AV installed and updated, pending patches, firewall, admin accounts, screen lock, TPM, Secure Boot, SMB config, RDP NLA, USB storage, Office macros, BitLocker.

02

Itamite maps each control to the active framework

When you activate a framework (e.g. NIS2 + ENS + ISO 27001), Itamite automatically maps each agent data point to the corresponding article/control. One technical data point serves multiple compliance frameworks.

03

Real-time status with percentage and gaps

The console shows current status: for each regulatory control, how many assets comply and which fail, with the exact technical value. Continuous preventive audit.

04

Generate the signed PDF in 30 seconds

Button "Generate report" → select framework + period → downloadable PDF with: global compliance percentage, status of each control with technical evidence per asset, documented exceptions, and SHA-256 signature publicly verifiable at itamite.com/verify.
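The following Python snippet is an added illustration of steps 01 to 03 (the agent payload, the control-to-article mapping and the pass/fail rules), written for this page and not Itamite's own code. The three heartbeat payloads are constructed, the article and control ids come from the framework lists above, and which data point backs which id is an assumption; so is the baseline that only one administrator account is allowed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed heartbeat payloads for three assets (illustrative values, not real agent output).
HEARTBEATS = [
    {"asset": "LAPTOP-01", "disk_encrypted": True, "av_updated": True,
     "pending_patches": 0, "firewall_enabled": True, "admin_accounts": ["Administrator"]},
    {"asset": "LAPTOP-02", "disk_encrypted": False, "av_updated": True,
     "pending_patches": 3, "firewall_enabled": True, "admin_accounts": ["Administrator", "jdoe"]},
    {"asset": "SRV-DB-01", "disk_encrypted": True, "av_updated": False,
     "pending_patches": 2, "firewall_enabled": False, "admin_accounts": ["Administrator"]},
]


@dataclass
class Control:
    name: str                      # key in the heartbeat payload
    check: Callable[[dict], bool]  # pass/fail rule applied to one heartbeat
    refs: Dict[str, str]           # framework -> article/control id (assumed mapping)


# One technical data point, several framework references. The ids are taken from the
# framework lists on this page; which data point backs which id is an assumption.
CONTROLS = [
    Control("disk_encrypted", lambda h: h["disk_encrypted"] is True,
            {"NIS2": "Art. 21.2.h", "ISO27001": "A.8.11"}),
    Control("av_updated", lambda h: h["av_updated"] is True,
            {"NIS2": "Art. 21.2.g", "ISO27001": "A.8.7", "PCI-DSS": "Req. 5"}),
    Control("pending_patches", lambda h: h["pending_patches"] == 0,
            {"NIS2": "Art. 21.2.e", "ISO27001": "A.8.8", "PCI-DSS": "Req. 6"}),
    Control("firewall_enabled", lambda h: h["firewall_enabled"] is True,
            {"NIS2": "Art. 21.2.g"}),
    # Assumed baseline: only the built-in administrator account is allowed.
    Control("admin_accounts", lambda h: len(h["admin_accounts"]) <= 1,
            {"NIS2": "Art. 21.2.i", "ISO27001": "A.5.18"}),
]


def evaluate(heartbeats: List[dict], framework: str) -> List[dict]:
    """Per control mapped to `framework`: which assets pass, which fail and with what value."""
    report = []
    for c in CONTROLS:
        ref = c.refs.get(framework)
        if ref is None:
            continue  # this control is not evidence for the requested framework
        passing = [h["asset"] for h in heartbeats if c.check(h)]
        failing = {h["asset"]: h[c.name] for h in heartbeats if not c.check(h)}
        report.append({"ref": ref, "control": c.name, "pass": passing, "fail": failing})
    return report


def compliance_percentage(report: List[dict]) -> float:
    """Global percentage: passing (asset, control) pairs over all evaluated pairs."""
    total = sum(len(r["pass"]) + len(r["fail"]) for r in report)
    passed = sum(len(r["pass"]) for r in report)
    return round(100.0 * passed / total, 1) if total else 0.0


def gaps(report: List[dict]) -> List[tuple]:
    """Flat list of (ref, control, asset, technical value) for every failing check."""
    return [(r["ref"], r["control"], asset, value)
            for r in report for asset, value in r["fail"].items()]


if __name__ == "__main__":
    for fw in ("NIS2", "ISO27001", "PCI-DSS"):
        rep = evaluate(HEARTBEATS, fw)
        print(f"{fw}: {compliance_percentage(rep)}% compliant")
        for ref, control, asset, value in gaps(rep):
            print(f"  {ref} ({control}): {asset} = {value!r}")
```

The same three heartbeats yield a different percentage per framework because each framework references a different subset of controls; the gap list keeps the raw technical value (e.g. the actual list of admin accounts), which is what an auditor asks to see next to a "fail".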

SIGNATURE AND VERIFICATION

SHA-256 verifiable by the auditor

Every PDF generated by Itamite carries a SHA-256 hash in its footer.

To verify the integrity of a report:

  1. Your auditor goes to https://itamite.com/verify (public access without login).
  2. Drags the PDF to the verification area or enters the hash manually.
  3. Itamite confirms whether the hash matches the immutable audit record and shows: the tenant that generated it, the user who requested it, and the UTC timestamp.

If anyone alters a single character of the PDF, the hash no longer matches.
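The check described above, as an added offline example that is not Itamite's code: hash the downloaded file, compare it with the value the auditor typed or read from the footer, and look it up in a record of known hashes. The report bytes and the audit record are constructed here; the page does not say whether the footer hash covers the whole file or only the content before the footer, so this example assumes the whole file.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed stand-in for a generated report (a real report is a full PDF).
REPORT = (b"%PDF-1.7\n"
          b"% Constructed sample: NIS2 compliance report, period 2025-Q1, global compliance 60.0%\n"
          b"%%EOF\n")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 over the full byte content, the same value `sha256sum report.pdf` prints."""
    return hashlib.sha256(data).hexdigest()


# Constructed immutable audit record: hash -> who generated the report and when.
AUDIT_RECORD: Dict[str, dict] = {
    sha256_hex(REPORT): {"tenant": "acme-example",
                         "user": "ciso@acme.example",
                         "generated_utc": "2025-04-02T09:15:00Z"},
}


def normalize_hash(entered: str) -> str:
    """Tolerate what a human types: surrounding whitespace and upper-case hex digits."""
    return entered.strip().lower()


def verify_report(pdf_bytes: bytes, claimed_hash: str) -> bool:
    """True only if the file's digest equals the claimed hash (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(pdf_bytes), normalize_hash(claimed_hash))


def lookup_audit_record(pdf_bytes: bytes, record: Dict[str, dict]) -> Optional[dict]:
    """Return the provenance entry for this exact file, or None if no known hash matches."""
    digest = sha256_hex(pdf_bytes)
    for known_hash, meta in record.items():
        if hmac.compare_digest(known_hash, digest):
            return meta
    return None


if __name__ == "__main__":
    print("original :", lookup_audit_record(REPORT, AUDIT_RECORD))
    # Change a single value in the constructed report and the lookup fails.
    tampered = REPORT.replace(b"60.0%", b"90.0%")
    print("tampered :", lookup_audit_record(tampered, AUDIT_RECORD))
```

Two details matter for the auditor's workflow: the hash must be computed over exactly the bytes that were downloaded (re-saving the PDF in a viewer changes them), and the comparison is against a record the report owner cannot edit after the fact, otherwise a matching hash only proves the file is self-consistent, not that it is the one originally generated.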

Accepted as technical evidence by the main certification bodies.

LET'S BE HONEST

What Itamite does NOT cover

We don't sell hot air. These are the things you have to bring yourself.

  • Written policies: NIS2/ENS/ISO require organizational documentation (security policy, acceptable use policy, incident policy). Itamite handles the technical part; written policies are provided by you or your DPO.
  • Personnel training and awareness: frameworks require demonstrable employee training. Itamite is not a training platform.
  • Risk analysis: formal risk analysis (MAGERIT, ISO 27005) is done by your team or consultant.
  • Business continuity (BCM): continuity and recovery plans are out of Itamite's scope.
  • External audit: Itamite generates technical evidence. The audit itself (ISO 27001, ENS) is performed by an independent accredited body.

In short: Itamite is the technical piece of compliance. We cover ~70% of a typical NIS2/ENS project.

NIS2 or ENS audit this year?

45-minute demo with a real case from your sector.