From Uncertainty to Verified Posture
Many compliance teams working toward NIS2 face the same challenge: they have reviewed the directive, they understand the ten Article 21 measures, and they have some controls in place - but they cannot confidently answer the question 'where exactly do we stand?'
The ROOTKey NIS2 Simulator was built to answer that question. It maps your organization's specific obligations under NIS2, assesses your current posture against each requirement, scores your compliance position, and identifies the gaps that carry the highest regulatory and operational risk.
This guide walks through how to get the most from the Simulator - from initial setup through to generating audit-ready evidence for your compliance documentation.
What the NIS2 Simulator Does
The ROOTKey NIS2 Simulator is not a generic checklist tool. It applies NIS2's requirements to your organization's specific context: your sector, your entity classification (essential vs. important), your jurisdiction, and the specific systems and processes that fall within scope.
The Simulator covers all ten Article 21 cybersecurity measures, including risk analysis and information system security policies, incident handling procedures, business continuity and crisis management, supply chain security, network and information system security, and policies on the use of cryptography and encryption.
For each measure, the Simulator assesses your current controls, identifies evidence gaps, and produces a compliance score with a prioritized list of remediation actions. The output is not just a score - it is a structured, documented assessment that serves as a starting point for your compliance audit trail.
- Set up your organization profile. Enter your sector, entity classification, member state jurisdiction, and the systems in scope. The Simulator uses this to apply the correct NIS2 obligations - essential entity requirements differ from important entity requirements in several key areas.
- Map your existing controls. For each Article 21 measure, the Simulator walks you through a structured assessment of your current controls. Be specific: document what exists, not what you intend to implement. Accurate baseline data produces accurate gap analysis.
- Review your compliance score. The Simulator generates a posture score for each measure and an overall compliance position. High-risk gaps are flagged with regulatory priority - these are the areas most likely to be scrutinized in a supervisory review.
- Generate your gap remediation plan. Each identified gap comes with a prioritized remediation recommendation. The plan includes specific actions, ownership assignment fields, and target timelines. Use this as your compliance roadmap.
- Export your assessment documentation. The Simulator produces structured documentation of your assessment - the controls evaluated, the gaps identified, the evidence reviewed, and the remediation actions planned. This documentation forms the beginning of your NIS2 audit trail.
- Connect to continuous monitoring. The most effective compliance teams use the Simulator output as a baseline and then connect ROOTKey's continuous integrity verification to maintain and evidence that posture over time - not just at assessment time.
Understanding Your Compliance Score
The Simulator's compliance score is designed to be useful, not just reassuring. A high score indicates strong control coverage across the Article 21 measures. A lower score indicates specific, addressable gaps - which is more valuable information than a false sense of security.
Scores are broken down by measure category, so compliance teams can see precisely where risk concentrates. Common patterns include:
- High control coverage, low evidence quality. Many organizations have strong technical controls but lack the verifiable documentation proving those controls are continuously applied.
- Strong internal controls, weak supply chain coverage. NIS2's supply chain security requirements are among the most challenging to satisfy comprehensively.
- Policy completeness, operational gaps. Well-documented policies that have not been operationalized - or that staff have not been trained on - score well in documentation review but poorly in operational validation. The Simulator distinguishes between these.
From Simulation to Continuous Evidence
The NIS2 Simulator gives you a verified starting point. But NIS2 compliance is not a starting point - it is a continuous obligation. The organizations best positioned for ongoing regulatory scrutiny are those that have moved from periodic assessment to continuous evidence generation.
This means connecting the controls you have documented in the Simulator to ROOTKey's continuous integrity verification layer: cryptographically anchoring critical systems, policies, and incident records so that your compliance posture is not just assessed periodically but proven continuously.
When your next supervisory review arrives, the question is not 'did you pass your last assessment?' It is 'can you demonstrate your posture has been maintained?' With ROOTKey, that answer is a continuous, independently verifiable record - not a reconstruction.
Try the ROOTKey NIS2 Simulator now - free to start, no credit card required. Map your obligations and know exactly where you stand.