NIS2 Compliance: A Technical Implementation Guide
Building automated compliance checking for Czech critical infrastructure
Prismatic Engineering
NIS2 and the Czech ZKB Law
The EU Network and Information Security Directive (NIS2) establishes baseline
cybersecurity requirements for operators of essential services and digital
infrastructure. In the Czech Republic, NIS2 is transposed through the ZKB
(Zákon o kybernetické bezpečnosti) law, which imposes additional requirements
specific to Czech critical infrastructure.
Organizations classified as essential or important entities must implement
risk management measures, report significant incidents within 24 hours, and
ensure supply chain security. Non-compliance carries penalties of up to 10
million EUR or 2% of global annual turnover.
The prismatic_compliance Application
The prismatic_compliance umbrella app provides automated compliance checking
and reporting. It is structured around three core workflows: CER (Critical
Entity Report) generation, supplier vetting, and employee screening.
# Generate a CER report for an organization
{:ok, report} = PrismaticCompliance.CER.generate(%{
organization: "Acme Energy a.s.",
ico: "12345678",
sector: :energy,
classification: :essential
})
# The report includes compliance status across all NIS2 dimensions
report.dimensions
# => [
# %{name: "Risk Management", status: :compliant, score: 0.87},
# %{name: "Incident Reporting", status: :partial, score: 0.62},
# %{name: "Supply Chain", status: :non_compliant, score: 0.31},
# ...
# ]
CER Report Structure
A CER report evaluates an organization across 10 compliance dimensions
defined by NIS2 Article 21.
Each dimension receives a score from 0.0 to 1.0 based on evidence gathered
from the organization's documentation, technical controls, and OSINT data.
Supplier Vetting Workflow
NIS2 Article 21(2)(d) requires organizations to assess the cybersecurity
posture of their supply chain. The supplier vetting workflow automates this
by running each supplier through the DD pipeline:
The system fetches the supplier's business registry data, checks sanctions
lists, reviews court proceedings, and analyzes the supplier's digital
footprint (domain age, SSL configuration, security headers). Results are
scored and presented as a supplier risk profile.
For Czech suppliers, the system leverages ARES data to verify company
status, extract beneficial ownership from the Justice.cz registry, and
check the ISIR insolvency registry. International suppliers are vetted
through OpenCorporates and jurisdiction-specific registries.
Employee Screening
Article 21(2)(i) mandates human resource security measures including
background checks for personnel with access to critical systems. The
screening module checks individuals against sanctions lists, PEP
databases, adverse media sources, and professional registries.
The screening workflow respects GDPR requirements by implementing
purpose limitation, data minimization, and retention policies. Results
are stored encrypted with access logging, and screening records are
automatically purged after the configured retention period.
Automated Compliance Checking
The compliance engine runs continuous checks against the organization's
posture. When a supplier's status changes (new court proceedings, sanctions
listing, or financial distress), the system updates the CER report
automatically and notifies the compliance officer.
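The following is an added example, not code from prismatic_compliance, tying together the dimension scoring above, the supplier risk profile from the vetting workflow, and the automatic recheck described here: it rebuilds the "Supply Chain" dimension from per-supplier findings and reports whether the status changed since the last CER run. The module name, the signal weights, the compliant/partial thresholds and the supplier map shape are all assumptions.

```elixir
defmodule SupplyChainCheck do
  @moduledoc """
  Added example (not part of prismatic_compliance): derives the CER
  "Supply Chain" dimension from per-supplier findings and flags when a
  status change should notify the compliance officer.
  """

  # Assumed thresholds: the page does not state where :partial ends.
  @compliant_at 0.8
  @partial_at 0.5

  # Assumed weights for the risk signals the vetting workflow collects.
  @weights %{sanctions_hit: 1.0, insolvency: 0.8, court_proceedings: 0.4}

  @doc "Supplier risk in 0.0..1.0; higher means riskier."
  def supplier_risk(%{findings: findings, footprint: footprint}) do
    hard = findings |> Enum.map(&Map.fetch!(@weights, &1)) |> Enum.sum()
    # A weak digital footprint (domain age, TLS config, headers) adds up to 0.3.
    min(1.0, hard + 0.3 * (1.0 - footprint))
  end

  @doc "Dimension score is the mean supplier compliance (1 - risk)."
  def dimension_score([]), do: 1.0

  def dimension_score(suppliers) do
    scores = Enum.map(suppliers, &(1.0 - supplier_risk(&1)))
    Enum.sum(scores) / length(scores)
  end

  def status(score) when score >= @compliant_at, do: :compliant
  def status(score) when score >= @partial_at, do: :partial
  def status(_), do: :non_compliant

  @doc "Rebuilds the dimension; second element says whether to notify."
  def recheck(previous, suppliers) do
    score = dimension_score(suppliers)
    dim = %{name: "Supply Chain", status: status(score), score: Float.round(score, 2)}
    {dim, dim.status != previous.status}
  end
end

# Constructed sample: supplier B has just appeared in ISIR and in court records.
suppliers = [
  %{name: "Dodavatel A s.r.o.", findings: [], footprint: 0.9},
  %{name: "Dodavatel B s.r.o.", findings: [:insolvency, :court_proceedings], footprint: 0.4}
]

previous = %{name: "Supply Chain", status: :compliant, score: 0.92}
IO.inspect(SupplyChainCheck.recheck(previous, suppliers))
```

With this sample the dimension drops from :compliant to :non_compliant, so the second element is true and the officer notification path would fire.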
Integration with the platform's telemetry system enables real-time
compliance dashboards showing the organization's overall NIS2 readiness
score, trending risk areas, and upcoming audit deadlines.