GenioCT

Azure NIS2 and CyFun compliance, with audit-ready evidence on demand

Microsoft tells you what is wrong in Azure. Governator tells you what it means for your compliance obligations, who owns it, how to fix it, and what proof you can show to an auditor.

What Governator does

Governator collects configuration, security, access, cost, and activity data from your Azure subscriptions. It maps findings to the CCB CyberFundamentals framework (748 control-evidence links) and NIS2 Article 21 requirements, then presents an integrated dashboard for continuous compliance monitoring and audit readiness.

Control Mapping Engine

Azure findings mapped to CyFun/NIS2/CCB themes. Not just 'what is wrong' but 'what it means for your compliance obligation, which NIS2 article is affected, and who owns the gap.'

Evidence Vault

Timestamped proof, snapshots, manual attestations, exceptions, and a complete audit trail. The evidence your auditor needs, structured and exportable.

Remediation Factory

Owner assignment per finding, SLA tracking, and re-verification on each collection run. Findings do not just get reported, they get closed.

Executive Assurance Pack

Board-level dashboard with audit readiness percentage, risk trends, overdue owners, and management summaries. One page for the people who need to sign off.

Pre-Audit Mode

Assessment-ready export at your target CyFun assurance level. Executive summary, control evidence matrix, gap analysis, attestations, and exemptions. Color-coded XLSX.

Governator Overview dashboard showing audit readiness, secure score, public exposure count, and detected toxic combinations across subscriptions.
Executive overview: audit readiness, secure score, public exposure, top exposures, audit blockers, and toxic combinations on one page.

Who it is for

Security teams

Day-to-day operational security: WAF assessment, public exposure analysis, RBAC audit, Defender finding triage, exemption workflows, drift alerting, cleanup tracking. Actionable insights, not just dashboards.

Management and audit

Compliance evidence, CyFun/NIS2 mapping, board reporting, audit-ready exports, gap narratives. Proof and accountability for the people who need to sign off.

How it works

Data collection

  • Resource Graph (subscriptions, resources, tags, properties)
  • Defender for Cloud (CSPM assessments, secure scores)
  • Azure Policy (compliance states, definition resolution)
  • RBAC (role assignments, principal resolution via MS Graph)
  • Activity Log (90-day activity per resource)
  • Cost Management (billing data, service breakdown)
  • WAF Policies (CRS rules, paranoia level, exclusions)
  • Azure Firewall (rule collection groups, DNAT exposure)
  • Storage Metrics (transactions, capacity, egress)
  • Tag Compliance, Cleanup Detection, Change Detection

AI-powered assessment

  • Per-control gap narrative generated for auditor review
  • Storage account deep inspection with PII detection
  • Resource criticality and data sensitivity classification
  • WAF security assessment with effective protection scoring
  • Defender exemption justification drafting

How Governator is different

Defender / Policy / Secure Score tell you

  • What is misconfigured
  • What is exposed
  • What is non-compliant technically

Governator adds

  • CyFun/NIS2 control mapping with interpretation
  • Ownership and remediation workflow per finding
  • Evidence trail with attestations and review dates
  • Executive summary and audit-ready export
  • One place to track technical and compliance meaning

Example: from Defender finding to audit evidence

  1. Defender for Cloud flags a storage account with public blob access enabled
  2. Governator maps it to CyFun PR.AC-3 (access control) and NIS2 Art. 21(2)(d) (access management policies)
  3. The finding is assigned to the subscription owner with a 14-day remediation SLA
  4. If the public access is intentional, the owner files an exemption with business justification and review date
  5. The corrected or exempted state is included in the next audit evidence pack with full history

Governator issue lifecycle view showing detection, ownership, evidence, and resolution states for findings.
Issue lifecycle: detect, assign an owner, attach evidence, resolve. The timestamp trail an auditor will ask for.

From recurring audit costs to continuous assurance

NIS2 and DORA are both ongoing obligations, not one-off certifications. NIS2 Article 21 measures must be implemented and maintained, with annual progress reports under the Belgian regime. DORA requires continuous ICT risk management, mandatory operational resilience testing, and an up-to-date third-party register. The audit never really ends.

Most organisations meet that with recurring readiness assessments: every twelve months, an external consulting engagement, a fresh PDF, and another budget cycle. The drift between assessments is where most failures show up. Governator inverts the model. A one-time assessment to baseline, then continuous assurance as a managed service. Evidence regenerates on demand. The recurring spend goes into tooling that produces auditor-ready output, not into commissioning a new consulting deliverable every year.

  • Replaces the annual external readiness engagement with continuous data collection.
  • Generates fresh evidence packs on demand for the next audit, snapshot review, or board update.
  • Alerts on drift between assessments, where the actual failures happen.
  • Keeps the recurring budget inside the toolchain instead of in repeat consultancy fees.

Governator compliance timeline showing percentage tracked week by week against CyFun and NIS2 controls.
Compliance percentage tracked continuously, not just before an audit.

Assessment or continuous assurance?

Governator powers both. A CyFun/NIS2 Readiness Assessment is a one-time engagement that uses Governator to produce a point-in-time compliance picture with expert interpretation. For organisations that need ongoing visibility, Governator runs continuously as a managed service with regular collection, drift detection, and management reporting.

Most organisations start with an assessment and move to continuous assurance when they see the value of the evidence trail.

Start with a Governator-powered Azure Health Check

Not sure where to begin? A quick architecture review gives you a clear picture. No obligation.

  • Risk scorecard across identity, network, governance, and security
  • Top 10 issues ranked by impact and effort
  • 30-60-90 day roadmap with quick wins