What we mean by "produces evidence"
Sekeye does not grant NIS2 or DORA compliance. It is being built to produce the software inventory, exposure, and incident-response timeline evidence these regimes require you to demonstrate, with EU-resident hosting or fully self-hosted inside your VPC.
NIS2 (essential and important entities)
- Article 21 supply-chain security. Endpoint software inventory across developer and analyst machines feeds supplier and third-party controls evidence.
- 24-hour early warning, 72-hour incident notification. Campaign scope identifies affected endpoints and exposure window per host.
- Executive accountability. Board-level attestation is easier when the posture evidence is a report, not a spreadsheet.
DORA (financial-services entities)
- ICT third-party risk. Software artefact inventory across critical functions gives the auditable evidence base.
- ICT-related incidents. Campaign findings tie affected endpoints to the incident timeline required for reporting.
- Threat-led penetration testing (TLPT) preparation. Inventory context for scoping: what components exist across the fleet.
CRA (product manufacturers)
- Vulnerability handling and SBOM obligations. The SBOM you export for compliance can be produced from the same inventory you use for operational security.
- Coordinated vulnerability disclosure. Findings queue and closure tracking is the evidence trail.