EU mandatory cybersecurity directive for essential and important entities. Effective October 2024. Covers endpoint security, supply chain, incident response, and management accountability.
EU-operating organizations in energy, transport, health, finance, digital infrastructure
14
control domains mapped
32
products applicable
6
other frameworks cross-mapped
EU NIS2 Directive (2022/2555)
Phishing-resistant MFA using hardware security keys. Software TOTP and SMS are explicitly excluded from "phishing-resistant" in NIST 800-63B and most modern framework guidance.
Products that satisfy this control:
Same control in other frameworks:
Hardware-bound key generation and storage. Private keys generated and stored inside a certified secure element (EAL 6+) and are non-exportable by design — for login credentials (Nitrokey) and crypto-asset custody (Ledger) alike.
Products that satisfy this control:
Same control in other frameworks:
Hardened mobile OS with per-app sensor controls, verified boot, and no background telemetry. Satisfies mobile device management and bring-your-own-device security requirements.
Products that satisfy this control:
Same control in other frameworks:
Measured boot chain verified on every power-on. Any firmware modification — supply chain implant, evil-maid attack, or malicious update — fails attestation before the OS loads.
Products that satisfy this control:
Same control in other frameworks:
VM-level compartmentalization means a compromise of one domain (e.g. browser) cannot reach another (e.g. keys, vault). No other consumer laptop provides this by default.
Products that satisfy this control:
Same control in other frameworks:
Stateful firewall with IPS at the network perimeter. All inbound/outbound traffic inspected with Suricata rule sets. VPN gateway replaces consumer VPN dependency.
Products that satisfy this control:
Same control in other frameworks:
Hardware-encrypted storage and self-hosted file servers replace cloud storage with hardware you control. Encryption keys never leave your environment.
Products that satisfy this control:
Same control in other frameworks:
Open-source firmware is publicly auditable and reproducibly built. EU jurisdiction hardware is not subject to US National Security Letters. Directly addresses hardware supply chain risk in CMMC and NIS2.
Products that satisfy this control:
Same control in other frameworks:
Intel Management Engine disabled at the firmware level across every open-firmware machine we carry (NitroPad, NitroPC, PrivacyGuard, SecurityTitan); SecurityTitan models go further — camera and microphone physically removed, anti-tamper seals verified by Heads + Nitrokey attestation. Least functionality, enforced in hardware.
Products that satisfy this control:
Same control in other frameworks:
Rated safes and vaults protect physical assets, documents, and hardware backups with UL-certified burglary ratings — from UL 1037 RSC (residential) up to UL 687 TL-15/TL-30 vault-grade for insurance-mandated or enterprise specialty storage (the tier insurers and auditors recognize; see the ratings ladder on /safe). SecurityTitan laptops extend physical protection to devices in transit: glitter-sealed tamper-evident screws with photographic verification make case intrusion detectable.
Products that satisfy this control:
Same control in other frameworks:
UL 72 fire-rated safes keep interiors under 350°F through 30-minute to 4-hour furnace exposure — plus explosion and 30-foot drop tests — so original records, storage media, seed-phrase plates, and offline backups survive a facility fire. Distinct from burglary protection: enterprises with records-retention or continuity obligations typically need BOTH ratings on one unit (dual-rated Gardall UL line or TL-rated composite safes — see /safe).
Products that satisfy this control:
Same control in other frameworks:
Encrypted LoRa mesh radios (Meshtastic / MeshCore / Reticulum) move text and GPS with no cellular, WiFi, internet, or subscription — every node relays for every other, on FCC Part 15 unlicensed 915 MHz spectrum. The out-of-band channel for disaster response, incident communications when primary networks are down or untrusted, remote sites, and executive contingency plans.
Products that satisfy this control:
Same control in other frameworks:
MIL-STD 188-125 / IEEE 299-tested Faraday shielding (80+ dB) physically severs every radio — cellular/5G, WiFi, Bluetooth, GPS, RFID, NFC — so devices cannot be tracked, remotely wiped, or exfiltrated over RF. Covers executive travel through hostile networks, forensic chain-of-custody transport (a seized phone that must not phone home), and anti-relay protection for keyless-entry fobs.
Products that satisfy this control:
Same control in other frameworks:
Verified boot ensures the TLS stack is unmodified before communication. VPN gateway encrypts all remote access traffic. Hardware-backed keys prevent interception even if endpoints are observed.
Products that satisfy this control:
Same control in other frameworks: