What the law asks of your area
GDPR, NIS2, ENS, ISO 27001… different names, similar demands. This is what they touch on your turf:
From regulation to control
The legal text doesn't say "FIDO2" — but the auditor expects it. This is how we translate the letter of the law into verifiable controls and the evidence you'll be asked for:
| Regulation / article | Expected technical control | Evidence an auditor asks for |
|---|---|---|
| NIS2 art. 21.2(j)Multi-factor authentication | Phishing-resistant MFA —FIDO2/WebAuthn, passkeys— on privileged and remote access. App-based OTP as the acceptable minimum elsewhere; SMS, no. |
Access control policy + IdP configuration export (Entra ID, Okta, Google Workspace) showing per-group enforcement. |
| NIS2 art. 21.2(c)Continuity and backups | 3-2-1 backups with at least one immutable copy (object lock / WORM) or offline, and periodic restore tests against defined RTO/RPO. |
Dated restore-test report, with measured times against the target and who ran it. |
| GDPR art. 32Security of processing | Encryption in transit (TLS 1.2+, ideally 1.3) and at rest (AES-256); laptop disks with centrally managed FileVault/BitLocker. |
Per-system encryption inventory + key management procedure (who holds the keys and how they rotate). |
| ENS op.accAccess control | Least privilege: separate admin accounts, periodic permission reviews and PAM at scale. Same-day user offboarding. | Reviewed roles-and-permissions matrix, with date, owner and outcome of the last review. |
| NIS2 art. 23Incident notification | Ability to detect and classify significant incidents: early warning within 24 h and notification within 72 h to the reference CSIRT (in Spain, INCIBE-CERT / CCN-CERT). | Response runbook with roles and deadlines + incident register, even if it's at zero. |
| NIS2 art. 21.2(e)Vulnerability management | Patching prioritized by real exploitability: CVSS as the baseline, corrected with EPSS and CISA's KEV catalog. SLAs per severity. |
Monthly vulnerability report with SLAs met and exceptions justified in writing. |
| EmailNIS2 art. 21.2 · basic hygiene | SPF + DKIM + DMARC at p=reject, first passing through p=none and p=quarantine while monitoring aggregate reports. |
Published DNS records + DMARC (rua) reports from the last quarter. |
| NIS2 art. 21.2(d)Supply chain | TPRM assessment of suppliers with access to data or systems, security clauses in contracts and data processing agreements (GDPR art. 28) where due. | Register of assessed suppliers with criticality, date and outcome of the last review. |
| ENS op.exp.8Activity logging | Centralized logs for critical systems, defined retention, NTP-synchronized clocks and restricted access to the log itself. | Logging policy + evidence of retention and of who can read (and not delete) the records. |
A representative sample, not the full map. The Gap Analysis crosses your real scope —assets, data, sector, size— with the provisions that actually apply to you.
The frameworks we work with
Prioritizing without a reference framework is guessing. These are ours — and what we use each one for:
Our baseline for ordering the work. We start with IG1 —essential hygiene, 56 safeguards— and move up to IG2 depending on size and exposure. Every recommendation traces to a specific safeguard, not a generic "best practice".
We map each CIS control to the 93 controls of ISO 27002:2022 and to the ENS measures (basic or medium category, as applicable). You implement once and cover several frameworks — no duplicated work.
For what you expose on the web: ASVS as a list of verifiable requirements, level L1 or L2 depending on the application's criticality. Concrete, testable requirements, not a top-10 of headlines.
How we fit with you
Not auditors who come to fail you, not consultants who send you a PDF and disappear.
Your stack is yours.
We recommend agnostically: criteria and options, not brands. You choose the tool — or keep the one you have, if it meets the requirement. We take commission from no one.
Concrete proposals.
Every finding comes with severity, estimated effort and a budget-friendly alternative when one exists. No "you should strengthen security": what to change, in what order and why.
We do the documenting.
You implement; the policies, the evidence and the answers to auditors are prepared by us with the platform. Compliance paperwork stops being your problem.
Shall we talk about your stack?
Tell us what you're running and we'll send back the map: what the regulation asks of you, what you already have covered and what evidence is missing. Engineer to engineer, no smoke.
hola@tria.consultingPrefer to start on your own? Take the free check-up (Spanish) →