Skip to content
Now taking design partners.Roadmap →
← Home

NIS2, DORA, CRA

Compliance evidence · EU

Software-supply-chain evidence for EU essential and important entities, financial services, and digital-product manufacturers.

Request evidence pack

What we mean by "produces evidence"

Sekeye does not grant NIS2 or DORA compliance. It is being built to produce the software inventory, exposure, and incident-response timeline evidence these regimes require you to demonstrate, with EU-resident hosting or fully self-hosted inside your VPC.

NIS2 (essential and important entities)

  • Article 21 supply-chain security. Endpoint software inventory across developer and analyst machines feeds supplier and third-party controls evidence.
  • 24-hour early warning, 72-hour incident notification. Campaign scope identifies affected endpoints and exposure window per host.
  • Executive accountability. Board-level attestation is easier when the posture evidence is a report, not a spreadsheet.

DORA (financial-services entities)

  • ICT third-party risk. Software artefact inventory across critical functions gives the auditable evidence base.
  • ICT-related incidents. Campaign findings tie affected endpoints to the incident timeline required for reporting.
  • Threat-led penetration testing (TLPT) preparation. Inventory context for scoping: what components exist across the fleet.

CRA (product manufacturers)

  • Vulnerability handling and SBOM obligations. The SBOM you export for compliance can be produced from the same inventory you use for operational security.
  • Coordinated vulnerability disclosure. Findings queue and closure tracking is the evidence trail.