From Uncertainty to Verified Posture
Many compliance teams working toward NIS2 compliance face the same challenge: they have reviewed the directive, they understand the ten Article 21 measures, and they have some controls in place - but they cannot confidently answer the question 'where exactly do we stand?'
The ROOTKey NIS2 Simulator was built to answer that question. It maps your organization's specific obligations under NIS2, assesses your current posture against each requirement, scores your compliance position, and identifies the gaps that carry the highest regulatory and operational risk.
This guide walks through how to get the most from the Simulator - from initial setup through to generating audit-ready evidence for your compliance documentation.
What the NIS2 Simulator Does
The ROOTKey NIS2 Simulator is not a generic checklist tool. It applies NIS2's requirements to your organization's specific context: your sector, your entity classification (essential vs. important), your jurisdiction, and the specific systems and processes that fall within scope.
The Simulator covers all ten Article 21 cybersecurity measures, including risk analysis and information system security policies, incident handling procedures, business continuity and crisis management, supply chain security, network and information system security, and policies on the use of cryptography and encryption.
For each measure, the Simulator assesses your current controls, identifies evidence gaps, and produces a compliance score with a prioritized list of remediation actions. The output is not just a score - it is a structured, documented assessment that serves as a starting point for your compliance audit trail.
- Set up your organization profile. Enter your sector, entity classification, member state jurisdiction, and the systems in scope. The Simulator uses this to apply the correct NIS2 obligations - essential entity requirements differ from important entity requirements in several key areas.
