How Tazilla Helps Meet NIS2 Requirements – and Where Your Responsibility Begins

Tazilla simplifies NIS2 compliance by bringing risk, incidents, continuity, security, and training into one clear platform.

The NIS2 Directive affects tens of thousands of organisations across the EU and requires demonstrable management of risks, incidents, business continuity and supply-chain dependencies. For IT teams, this represents a complex operational obligation; for management, it is often a misunderstood regulation.

Tazilla bridges these two worlds – providing precise data for IT and clear decision-making insights for leadership. This article explains where Tazilla supports NIS2 compliance and where responsibility remains with organisational processes, people and other technologies.

1. Cybersecurity Risk Management (Article 21 NIS2)

NIS2 builds on one key pillar – an organisation must know its assets, threats and impacts, assign appropriate security controls and continuously monitor their effectiveness. This is a systematic process – not a one-off spreadsheet exercise.

What Tazilla covers

The Risk Analysis module together with the Organisation module provides a comprehensive framework for risk management across the entire organisation.

It enables:

  • precise asset inventory (hardware, software, data, processes, locations) and classification,
  • use of predefined catalogues of threats, impacts and security controls,
  • AI assistant support for conducting risk assessments and selecting appropriate controls,
  • automatic linking of risks to incidents, third parties or business continuity plans (BCP),
  • clear analytical dashboards and management reports that simplify decision-making and demonstration of compliance.

The result is an auditable proof that the organisation truly manages risks as required by Article 21 NIS2 and applicable national legislation.

What Tazilla does not cover

Tazilla does not design security architecture (firewalls, EDR, SIEM) nor does it physically implement encryption, patching or network segmentation. It can record that such controls exist, what risks they address and who is responsible. The implementation of technical security controls therefore remains with the organisation and its suppliers.

2. Management Responsibility and Approvals (Article 20)

NIS2 shifts cybersecurity from “just IT” to an enterprise-wide responsibility. Management must understand risks, approve controls and demonstrably maintain security-related competence.

What Tazilla covers

The platform helps organisations meet this obligation clearly and transparently by allowing them to:
• generate management risk reports summarising key risks, planned controls and related costs,
• record approvals, management decisions and remarks, creating a complete audit trail,
• plan and track mandatory training for management and employees through the Tazilla eLearning module.

This makes it easier for the CISO to explain real threats and required decisions.

What Tazilla does not cover

Tazilla cannot make decisions on behalf of management nor ensure that reports are read and acted upon. Approving budgets, accepting risks and setting internal responsibilities remain exclusively management duties.

3. Incidents and Mandatory Reporting (Article 23)

NIS2 requires organisations to report significant cybersecurity incidents to national authorities (e.g., CSIRT, NBÚ in Slovakia) within strict deadlines – an initial notification within 24 hours, updates within 72 hours, and a final report within one month. For many organisations, this is one of the most challenging obligations: incidents often arise unexpectedly and under pressure, and the team must ensure accurate and complete reporting while resolving the issue.

What Tazilla covers

The Registers – Cybersecurity Events module enables:
• recording incidents, near-misses, vulnerabilities and critical threats,
• assigning incidents to specific assets, services, employees or suppliers,
• logging response controls, timelines and detailed descriptions,
• automatic categorisation according to NBÚ rules,
• storing documentation (logs, evidence, analyses, correspondence).

This provides the organisation with the necessary information to quickly understand: What happened? What was affected? What are the impacts? Who handled the incident? Were all obligations met? Practically, this means that the CISO or responsible person can prepare required reports from already available data.

What Tazilla does not cover

Tazilla does not automatically submit reports – current national systems do not provide interfaces for direct electronic reporting to CSIRT or NBÚ. The organisation remains responsible for submitting notifications and deciding whether an event qualifies as a “significant incident”.

4. Business Continuity, Backup and Recovery

One of NIS2’s key requirements is ensuring continued operations even during disruptions – whether due to cyberattacks, technical failures or human error. Regulations therefore emphasise documented and tested Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP), including clear recovery parameters and responsibilities.

What Tazilla covers

The Business Continuity Management module allows organisations to create, maintain and audit their preparedness documentation. It supports:
• creation and maintenance of BCP/DRP plans and their links to assets, services and responsible persons,
• setting RTO and RPO parameters in the Recovery Strategy section,
• recording backup strategies including responsible persons and restoration tests,
• documenting and evaluating plan tests – often the weakest area during audits.

Tazilla helps create realistic, continuously updated plans suitable for audits.

What Tazilla does not cover

Tazilla does not perform backups or restorations, control storage systems or replications, nor create crisis communication channels. These must be provided by IT teams and suppliers. Tazilla records them and adds context.

5. Supplier Management and Supply Chain Risks

According to NIS2, suppliers pose one of the largest sources of risk – yet organisations frequently underestimate them. A supplier incident can have the same impact as one occurring directly in your infrastructure. NIS2 requires organisations to know, assess and continuously manage third-party risks.

What Tazilla covers

The Third Parties and Contracts modules provide a unified environment for managing the supplier ecosystem:
• maintaining and categorising all suppliers, including their criticality,
• linking them to services, assets and responsible persons,
• assessing risks arising from external partners,
• storing auditable SLA, contract and security obligation data,
• linking information to risk analysis to understand supplier impact on critical assets.

What Tazilla does not cover

Tazilla does not enforce SLAs, validate supplier technical controls or perform onsite assessments. These remain the organisation’s responsibility – no software can automate them. Tazilla provides the tools to manage and demonstrate them.

6. Documentation, Policies and Audit Trail

NIS2 requires demonstrability – it is not enough to claim that processes exist. Organisations must present evidence that they are performed and regularly updated. Documentation and audit trails determine whether an organisation passes audits, inspections or incident investigations.

What Tazilla covers

The Documentation module provides a structured, controlled environment for managing security documents:
• centralising directives, policies, records, audit logs and decisions,
• ensuring versioning and linkage to services, assets and risks,
• generating questionnaires and audit materials.

This enables rapid responses to auditors and regulators, with all relevant documents connected and stored in one system.

What Tazilla does not cover

Tazilla does not ensure the quality of internal policies, create BCM policies, classify documents or replace legal experts or internal approval processes. It offers a management tool – creation and approval remain with the organisation.

7. Training, Cyber Hygiene and Awareness

NIS2 stresses that technology alone is insufficient. Organisations must demonstrate that their people know how to work securely and respond to incidents. Continuous awareness, training and security culture are key.

What Tazilla covers

Tazilla provides a multi-layered approach to training and prevention:
• an eLearning module with AI-narrated courses for IT staff, management and employees,
• dashboards and auditable records of completed training,
• integrated technical modules – VScan, Honeypot, Threat Intelligence – strengthening internal monitoring.

These functionalities support better cyber hygiene and demonstrate active monitoring.

What Tazilla does not cover

Tazilla cannot build an organisation’s security culture. It cannot guarantee that employees understand the training, nor can it replace internal communication campaigns promoting secure behaviour.

8. Technical Security Controls (Critical but Outside Tazilla’s Scope)

NIS2 includes numerous requirements classified as “hard security” – technical controls implemented within IT infrastructure. These are essential and cannot be replaced by any GRC platform.

Tazilla does not cover hard security

Tazilla does not implement:
• firewalling, IDS/IPS, EDR/XDR, SIEM monitoring,
• email security (anti-spam, anti-phishing),
• DDoS protection, WAF,
• patch management,
• real-time operational and log monitoring,
• PKI, certificates, encryption or key management,
• physical security (access control, CCTV).

Tazilla can, however, record these controls, their implementation status, responsible persons and links to risks.

What Tazilla provides in this area (management perspective)

While not operating these technologies, Tazilla can:
• include them in the catalogue of security controls,
• record their implementation and status,
• assign responsible persons and budgets,
• connect them to risks, impacts and assets,
• identify which risks they mitigate and which remain open.

In practice, Tazilla provides the managerial and auditable oversight, while technical protection remains within infrastructure and security tools.

Conclusion: Tazilla Makes NIS2 Achievable – But Not Automatic

The most common NIS2 failures remain the same: organisations do not know whether they fall under NIS2, do not manage risks, ignore monitoring, lack continuity plans, and have no system for recording incidents or suppliers.

Tazilla addresses these issues in a single platform – clearly, comprehensively, auditably and in a way understood by both IT and management. It supports fulfilment of a substantial part of NIS2 requirements and creates a framework for long-term security management, rather than mere “checkbox compliance”.
