Skip to main content
VaultPAM
00 Compliance

every nis2 art. 21 pam control. one platform.

VaultPAM maps directly to NIS2 Article 21, GDPR, SOC 2 and ISO 27001. Every control is implemented — not manually assembled — so your compliance report is a button, not a project.

EU-hosted · GCP Warsaw, Poland · SOC 2 Type II 2026 — final report pending · NIS2-aligned · GDPR-native

01 NIS2 Art. 21

Every NIS2 Article 21 PAM control — mapped, not assembled by hand.

NIS2 mandates specific access controls for EU organizations. VaultPAM implements every relevant PAM control out of the box.

ArticleRequirementVaultPAM control
Art. 21(2)(a)Risk analysis and information system security policiesAudit trail + session recording for all privileged access. Exportable risk reports.
Art. 21(2)(b)Incident handlingReal-time alerting on suspicious privileged sessions. Full session replay for incident investigation.
Art. 21(2)(e)Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosureSBOM, SAST/SCA on every release, penetration test annually. Patch SLA enforced in CI pipeline.
Art. 21(2)(g)Multi-factor authentication or continuous authentication solutionsTOTP, FIDO2/WebAuthn, SAML 2.0 SSO with MFA enforcement at the session layer.
Art. 21(2)(h)Privileged access management — secure communications, emergency communicationsJust-in-time credential checkout, time-limited sessions, no standing privileges. Role-based access with audit log.
Art. 21(2)(i)Policies and procedures regarding the use of cryptography and encryptionAES-256-GCM at rest, TLS 1.3 in transit. Key rotation policy enforced. No plaintext credentials stored.
Art. 21(2)(j)Human resources security, access control policies and asset managementRBAC with tenant isolation. Automated off-boarding via session revocation and credential rotation.
ENFORCEMENT WINDOW OCT 2024 NIS2 IN FORCE ✓ PASSED JAN 2025 ANNEX I DEADLINE ✓ PASSED OCT 2025 ENFORCEMENT RAMP ✓ PASSED TODAY YOU ARE HERE ⊙ NOW APR 2027 FULL ENFORCEMENT + FINES ~10 MONTHS VAULTPAM NIS2 ENFORCEMENT TIMELINE FIG.04 DIR. 2022/2555/EU
Fig. 04 NIS2 enforcement is not a future event — three milestones have already passed. Full enforcement and administrative fines begin April 2027.
02 Audit chain

Hash-chain integrity — tamper-evident by design.

Every access event is sealed with a cryptographic hash that chains to the next. Altering any record breaks the chain — making tampering immediately detectable.

Every access event is cryptographically chained — tamper-evident by design.

03 Framework coverage

Compliance frameworks — coverage overview.

FrameworkPAM scopeStatus
NIS2Art. 21(2)(a)(b)(e)(g)(h)(i)(j) — all PAM-relevant controlsCovered
GDPR / RODOArt. 5, 25, 32, 44 — data protection by design, EU residency, access controlsCovered
SOC 2 Type IICC6.1–CC6.3, CC7.2, CC9.2 — access, logical security, change managementIn audit (2026)
ISO 27001A.9 (access control), A.12 (operations), A.14 (secure development)Roadmap 2026
DORAArt. 9 — ICT security, access management, incident loggingAligned
04 SOC 2 controls

SOC 2 Type II — controls in scope.

VaultPAM's SOC 2 Type II audit covers the controls below. Final report expected 2026.

CC6.1

Logical access controls

Role-based access, MFA enforcement, and session token binding implemented across all VaultPAM surfaces.

CC6.2

Credential management

Password vaulting, just-in-time checkout, automatic rotation, and no standing credentials.

CC6.3

Access provisioning

Least-privilege provisioning with approval workflows, time-limited access, and automated de-provisioning.

CC7.2

System monitoring

Real-time session monitoring, anomaly detection, and tamper-resistant audit logs.

CC8.1

Change management

All infrastructure and application changes require peer review, automated testing, and documented approval before deployment.

CC9.2

Risk mitigation

Vendor risk assessments, SLA commitments, and annual penetration testing documented and tracked to closure.

05 GDPR & data residency

GDPR-native, EU-hosted, auditable by design.

VaultPAM was designed for GDPR compliance from day one. Data residency in GCP europe-central2 (Warsaw) satisfies Article 44. Right-to-erasure workflows, data minimization and processing records are built in.

For compliance documentation requests, contact us at contact@vaultpam.com.

  • Data stored exclusively in GCP europe-central2 (Warsaw)
  • No third-country transfers (GDPR Art. 44 compliant)
  • Right-to-erasure workflow available in admin dashboard
  • Data processing records (Art. 30) generated on demand
  • Data minimization enforced — no telemetry to third-party services