GDPR, NIS2, and DORA evidence, continuously, with EU data residency.
CISGuard maps a single CIS benchmark scan to GDPR Article 32 technical measures, NIS2 risk-management requirements, DORA ICT controls, and TISAX assessment evidence, all within EU sovereign deployment.
EU compliance at a glance, for fast retrieval.
Atomic factual claims auditors and search engines can cite verbatim.
- Primary frameworks: GDPR, NIS2, DORA, TISAX, ISO 27001, ENS
- Deployment: On-premises in EU / EU sovereign cloud only
- GDPR cross-border: Zero. No data egress from customer infrastructure
- NIS2 enforcement: Active since October 17, 2024
- DORA enforcement: Active since January 17, 2025
- Sovereign cloud options: OVH, Scaleway, IONOS, Azure EU, AWS EU regions
- TISAX support: AL2 and AL3 assessment evidence
Compliance in the European Union.
EU compliance has shifted from periodic certification to continuous evidence. GDPR Article 32 has always required "appropriate technical and organisational measures", but the 2023-2025 enforcement wave has made specific technical baselines (CIS, ISO 27001) the practical floor. NIS2 entered into force on October 17, 2024, expanding scope to ~160,000 entities and imposing 24-hour incident notification. DORA became fully applicable on January 17, 2025, mandating ICT risk management for financial entities. TISAX continues to evolve as the automotive sector's information-security passport. The common thread: continuous evidence is no longer optional, and SaaS-only scanners with non-EU data flows are increasingly disqualified by procurement.
Frameworks CISGuard maps for EU.
Each scan generates per-framework reports showing satisfied / partial / not-met status.
| Framework | Scope | Authority |
|---|---|---|
| GDPR | EU-wide personal data protection | EDPB + national DPAs |
| NIS2 | Network & Information Systems Directive | ENISA + national CSIRTs |
| DORA | Digital Operational Resilience Act | ESAs + national supervisors |
| TISAX | Automotive ISMS assessment | ENX Association |
| ISO/IEC 27001 | International ISMS standard | Certification bodies (BSI, TÜV, DNV) |
| ENS | Spanish National Security Framework | CCN (Spain) |
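The satisfied / partial / not-met roll-up described above, as an added illustration rather than CISGuard's own code: each framework requirement is backed by a set of CIS checks, and a check absent from the scan counts as failed so that missing evidence never reads as compliance. The requirement-to-check mapping, the check IDs and the scan result are constructed sample data.

```python
"""Roll up CIS benchmark check results into per-framework requirement
status (satisfied / partial / not-met).

Added illustration, not CISGuard's code. The mapping and CIS check IDs
below are constructed sample data; real mappings are larger.
"""
from collections import defaultdict

# Constructed: each framework requirement lists the CIS checks that evidence it.
# Requirement labels reference articles named on the page (GDPR Art. 32,
# NIS2 Art. 21(2), DORA Art. 9-11); the check IDs are hypothetical.
REQUIREMENT_MAP = {
    "GDPR Art.32 encryption":       ["CIS-1.1.1", "CIS-2.3.4"],
    "GDPR Art.32 integrity":        ["CIS-4.1.1", "CIS-4.1.2"],
    "NIS2 Art.21(2)(e) access ctl": ["CIS-5.2.1", "CIS-5.2.2", "CIS-5.2.3"],
    "DORA Art.9 ICT protection":    ["CIS-1.1.1", "CIS-5.2.1"],
    "DORA Art.11 change mgmt":      ["CIS-6.1.1"],
}


def requirement_status(passed_checks: set, mapped_checks: list) -> str:
    """All mapped checks pass -> satisfied; some -> partial; none -> not-met."""
    hits = sum(1 for c in mapped_checks if c in passed_checks)
    if hits == len(mapped_checks):
        return "satisfied"
    return "partial" if hits else "not-met"


def framework_report(scan: dict, mapping=REQUIREMENT_MAP) -> dict:
    """Group requirement statuses by framework (first word of the label).

    `scan` maps CIS check ID -> "pass" / "fail". A check missing from the
    scan is treated as failed: no evidence must not count as compliance.
    """
    passed = {cid for cid, result in scan.items() if result == "pass"}
    report = defaultdict(dict)
    for requirement, checks in mapping.items():
        framework = requirement.split(" ", 1)[0]
        report[framework][requirement] = requirement_status(passed, checks)
    return dict(report)


# Constructed scan result: CIS-5.2.3 failed, CIS-6.1.1 was never evaluated.
SAMPLE_SCAN = {
    "CIS-1.1.1": "pass", "CIS-2.3.4": "pass",
    "CIS-4.1.1": "pass", "CIS-4.1.2": "pass",
    "CIS-5.2.1": "pass", "CIS-5.2.2": "pass", "CIS-5.2.3": "fail",
}

if __name__ == "__main__":
    for framework, reqs in framework_report(SAMPLE_SCAN).items():
        print(framework, reqs)
```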
Sovereignty and residency, solved by architecture.
EU data residency is the default expectation, not the exception. GDPR Article 44 restricts transfers outside the EU/EEA without adequate safeguards, and Schrems II made many adequacy mechanisms (especially for US transfers) operationally fragile. NIS2 and DORA both explicitly favor EU-resident ICT services for critical entities. CISGuard deploys entirely within customer EU infrastructure or on EU sovereign cloud (OVH, Scaleway, IONOS, Azure EU regions). No data leaves the customer environment for any operational reason.
Three ways to deploy in the EU.
On-premises in EU data center
Single-tenant deployment in customer-controlled EU infrastructure. Standard for financial services, healthcare, and public sector.
EU sovereign cloud
Deployed on OVH, Scaleway, IONOS, Azure EU, or AWS EU regions. Suitable for organizations that have made explicit sovereign-cloud decisions for non-classified workloads.
Multi-site (manufacturing / TISAX)
Distributed deployment across European manufacturing sites with centralized executive reporting. Standard for automotive Tier-1 / Tier-2 suppliers pursuing TISAX AL2 or AL3.
EU in practice.
German Tier-1 Automotive: TISAX AL2 via ISO 27001 Automation
A German Tier-1 automotive supplier achieved TISAX AL2 with zero non-conformities across 12 manufacturing sites using CISGuard for continuous ISO 27001 Annex A evidence.
EU questions, answered directly.
Does CISGuard satisfy GDPR Article 32 technical measures?
Yes. Article 32 requires technical and organisational measures appropriate to risk, and references pseudonymisation, encryption, integrity, confidentiality, availability, and resilience. CISGuard automates the technical-measures evidence: per-control posture, drift detection, encryption status, and immutable audit trail. Continuous scanning addresses the "ongoing confidentiality, integrity, availability, and resilience" requirement that point-in-time tools cannot.
How does CISGuard help with NIS2 obligations?
NIS2 Article 21 requires essential and important entities to implement risk-management measures covering risk analysis, incident handling, business continuity, supply chain security, vulnerability disclosure, training, cryptography, access control, asset management, and ICT security testing. CISGuard provides continuous evidence for the technical controls (Article 21.2 a, e, f, g, h, j) and integrates with SIEM for the detection-and-response side.
Is CISGuard suitable for DORA compliance?
Yes. DORA Articles 5-15 cover ICT risk management for financial entities. CISGuard satisfies Article 9 (ICT system protection), Article 10 (detection), Article 11 (change management via drift detection), and contributes evidence to Article 15 (third-party ICT risk). Continuous CIS benchmark scanning is the technical-controls backbone DORA examiners expect.
Where is CISGuard data stored for EU customers?
Inside the customer's EU infrastructure, full stop. CISGuard runs on-premises or on EU sovereign cloud (OVH, Scaleway, IONOS, Azure EU regions). There is no SaaS, no telemetry phone-home, and no cross-border data transfer at any point in the operational lifecycle. This makes GDPR, NIS2, and DORA data-residency obligations a non-issue.
Will CISGuard evidence be accepted by EU certification bodies?
Yes. Major EU certification bodies (BSI, TÜV, DNV, DEKRA, Bureau Veritas) and TISAX assessors accept CISGuard's Framework Coverage Reports as primary technical evidence for ISO 27001, TISAX, and ENS audits. Reports include methodology explanations so auditors can validate the mapping during their fieldwork.
Ready to deploy in the EU?
Our compliance engineers have helped organizations across the EU achieve regulatory readiness in as little as one business day.