NIS2 on Azure
Azure NIS2 compliance, mapped to Article 21 with audit-ready evidence
Microsoft tells you what is misconfigured. NIS2 asks you what it means for Article 21, who owns it, and what evidence you can show an auditor. Governator is the layer between the two.
What NIS2 actually requires from your Azure environment
The NIS2 Directive (EU 2022/2555) became enforceable in Belgium on 18 October 2024. For organisations that operate cloud infrastructure, the operative text is Article 21, which lists ten technical and organisational measures every essential or important entity must implement and document. There is no Annex with a checklist. The measures are framed as outcomes, and the burden of proof sits with you.
On Microsoft Azure, the underlying controls usually exist somewhere — Defender for Cloud, Azure Policy, Conditional Access, Key Vault, Sentinel, Azure Backup. What does not exist out of the box is the mapping layer between those technical controls and the Article 21 measures, the ownership trail, and the audit evidence pack a regulator can read in five minutes.
Governator is built specifically for that gap. It collects findings from your Azure environment, maps each one to the Article 21 measure it relates to, assigns an owner, tracks remediation, and produces an audit-ready evidence pack on demand.
How Governator maps Azure to NIS2 Article 21
Each Article 21 measure has a corresponding Azure evidence model. The table below shows the mapping Governator runs continuously across your subscriptions.
| Reference | Measure | Azure evidence Governator collects |
|---|---|---|
| Article 21(2)(a) | Risk analysis & information system security policies | Azure Policy assignments, Defender for Cloud regulatory compliance dashboard, exemption registry with business justification. |
| Article 21(2)(b) | Incident handling | Sentinel incidents, Defender alert workflow, runbook attestation, post-incident review evidence. |
| Article 21(2)(c) | Business continuity & crisis management | Azure Backup vault policies, Azure Site Recovery configuration, geo-redundant storage, tested DR runbook attestation. |
| Article 21(2)(d) | Supply chain security | Service principal inventory, third-party RBAC assignments, federated identity audit, partner Lighthouse delegation review. |
| Article 21(2)(e) | Acquisition, development, and maintenance security | AVM module versions, pipeline secret scanning, Defender for DevOps findings, IaC review evidence. |
| Article 21(2)(f) | Effectiveness of cybersecurity risk-management measures | Secure Score trend, control effectiveness metrics, exemption decay rate, MTTR per finding category. |
| Article 21(2)(g) | Cyber hygiene & training | Conditional Access posture, MFA coverage, Privileged Identity Management activations, training attestation register. |
| Article 21(2)(h) | Cryptography | Key Vault inventory, TLS minimum-version policy, customer-managed key (CMK) coverage, certificate expiry monitoring. |
| Article 21(2)(i) | Human resources, access control, asset management | RBAC role assignments, joiner-mover-leaver process evidence, service principal lifecycle, just-in-time access logs. |
| Article 21(2)(j) | Multi-factor authentication & secured communications | Entra Conditional Access reports, MFA registration coverage, Private Link & private endpoint inventory, public exposure analysis. |
The Belgian NIS2 timeline
Belgium implemented NIS2 through the law of 26 April 2024, with the CCB (Centre for Cybersecurity Belgium) as the supervisory authority. The CCB has aligned NIS2 enforcement with the CyberFundamentals framework: organisations demonstrate Article 21 compliance by reaching the appropriate CyFun assurance level (Basic, Important, or Essential).
- Registration deadline: 18 March 2025 (passed). All in-scope entities must be registered with the CCB.
- CyFun self-assessment due: 18 April 2026. Most "important" entities are working toward CyFun Important; "essential" entities need CyFun Essential.
- Reclassification: Critical entities become essential entities on 17 July 2026.
- Progress report due: 18 April 2027.
If you operate on Azure and your CyFun self-assessment is on the calendar, the reconciliation work between Defender findings, policy compliance, RBAC inventory, and the CyFun control set is exactly what Governator was built to handle. See the dedicated CyFun on Azure page for the assurance-level mapping.
What Microsoft gives you, and what Microsoft does not
Microsoft gives you
- ✓ Defender for Cloud regulatory compliance dashboard with NIS2 initiative
- ✓ Secure Score and recommendation engine
- ✓ Azure Policy compliance state per assignment
- ✓ Sentinel for incident logging and detection
- ✓ Activity Log with 90-day retention per resource
Microsoft does not give you
- ✓ Per-finding mapping to Article 21 measures (a)–(j)
- ✓ Owner assignment and remediation SLA tracking
- ✓ Evidence vault with attestations, snapshots, and exemptions
- ✓ CyFun assurance-level export with control-evidence matrix
- ✓ Board-level audit-readiness percentage and trends
- ✓ Cross-cloud and external-evidence integration
Defender's NIS2 view tells you which Azure controls are technically configured. It does not tell you what the gap means for your Article 21 obligation, who owns the remediation, or what your auditor will accept as proof. That is the operating layer Governator provides.
Where to start
Most organisations facing the April 2026 CyFun self-assessment start with a NIS2 readiness assessment: a one-time engagement that uses Governator to produce a point-in-time compliance picture with expert interpretation, identify the highest-risk gaps, and scope the remediation roadmap. Organisations with the assessment behind them move to continuous assurance, where Governator runs as a managed service against your Azure subscriptions.
Start with a Governator-powered Azure Health Check
Not sure where to begin? A quick architecture review gives you a clear picture. No obligation.
- ✓ Risk scorecard across identity, network, governance, and security
- ✓ Top 10 issues ranked by impact and effort
- ✓ 30-60-90 day roadmap with quick wins