Built for NIS2.

Built to prove your controls under NIS2, not just describe them. Continuous Article 21 readiness, ready-to-file Article 23 reports and an Article 20 accountability pack, on a hash-chained audit trail.

Article 21

Risk-management measures

Continuous readiness scoring against all 10 cybersecurity measures, each with a per-control evidence trail.

Article 23

Incident reporting

Pre-formatted 24-hour early-warning and 72-hour full reports, aligned to your national CSIRT's accepted format.

Article 20

Management accountability

An audit-grade quarterly pack for boards, regulators and D&O insurers, demonstrating due diligence under personal-liability rules.

Why NIS2, why now

The stakes are real, and already live.

NIS2 turned cybersecurity from an IT concern into a board-level, legally-enforced obligation. The hard part isn't knowing the rules; it's proving you meet them. That's Alexus.

Oct 2024
In force

Live across the EU, with national transposition enforced now.

€10M / 2%
Max fine

Essential entities: up to €10M or 2% of global turnover. Important: €7M or 1.4%.

Personal
Liability

Management bodies must approve and oversee measures, and can be personally accountable.

18 sectors
Wider scope

Far more organisations are caught than under NIS1: most medium+ firms in the sectors.

Article 21

The 10 risk-management measures

Every in-scope entity must implement, and demonstrate, these ten minimum measures.

Alexus covers this: a live readiness score against all 10 measures, each with a per-control evidence trail.

01 Risk analysis & security policies
02 Incident handling
03 Business continuity, backup & crisis mgmt
04 Supply-chain security
05 Secure acquisition, development & vuln handling
06 Policies to assess effectiveness
07 Cyber hygiene & training
08 Cryptography & encryption
09 HR security, access control & asset mgmt
10 MFA & secured communications

Article 23

The incident-reporting clock

When a significant incident hits, the deadlines are short and unforgiving.

Hour 0
Significant incident

A material impact on your services starts the clock.

24 hours
Early warning

Notify your CSIRT, including whether the incident is suspected to be malicious or cross-border.

72 hours
Incident notification

Initial assessment, severity, impact and indicators of compromise.

1 month
Final report

Root cause, mitigations applied and any cross-border impact.

Alexus covers this: pre-formatted 24h / 72h reports assembled from your live operational graph, in your CSIRT's format.

Scope & penalties

Essential vs important entities

Both face the same Article 20, 21 and 23 duties; what differs is supervision and the maximum fine.

Essential entities

Annex I
Proactive supervision: audited without cause
up to €10M or 2% of global turnover

Energy · Transport · Banking · Financial market infra · Health · Water · Digital infrastructure · ICT management · Public administration · Space

Important entities

Annex II
Reactive supervision: scrutiny follows an incident
up to €7M or 1.4% of global turnover

Postal & courier · Waste · Chemicals · Food · Manufacturing · Digital providers · Research

General guidance, not legal advice. Confirm your status against your national NIS2 transposition.

Under the hood

Engineered to be provable.

Governance

Every change logged with actor, source and timestamp; the Write Authority Map resolves multi-source conflicts.

Data protection

Per-tenant encryption, Postgres RLS and tenant-scoped Redis / Neo4j, with isolation set by a JWT at the edge.

Responsible AI

Confidence-gated: sure cases auto-execute, the rest go to a human. Only confirmed fixes enter the corpus.

Security infrastructure

Three independent planes so a stuck step can't back-pressure the bus, with production-grade health checks.

Regulatory alignment

NIS2 reporting as a query; GDPR erasure as a data flow across embeddings, audit entries and graph nodes.

Customer trust

The same isolation from tenant 1 to 1,000: onboarding is a JWT claim, with a demo tenant for evaluation.

Documentation

Architecture, subsystem deep-dives and the deployment matrix, plus Privacy, Terms and GDPR policy pages.