<<set $org_name to "">><<set $sector to "">><<set $jurisdiction to "">>
CLEWLINE
Sovereignty Gap Analysis
# Sovereignty starts before the first breach.
This assessment maps your organisation's security posture across nine sovereignty domains, from silicon supply chain through to AI model provenance and ICT vendor risk.
What you will get:
- A maturity score (0–4) for each of nine domains
- An overall posture rating with named archetype
- A prioritised gap list against regulatory baseline (Level 2)
- A copyable plain-text report
How it works:
Each question offers four responses:
- Yes (2 pts): control is in place, applied, and verified
- Partial (1 pt): control exists but is incomplete, undocumented, or not consistently applied
- No (0 pts): control is absent
- N/A: not applicable to your environment; excluded from scoring
Domain maturity is the ratio of points earned to points possible (N/A questions count toward neither), mapped to the 0–4 scale.
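As an added illustration of the scoring rules above (this is example code, not the assessment's own source), the following JavaScript scores domains exactly as described: Yes = 2, Partial = 1, No = 0, N/A excluded from both earned and possible points, ratio mapped onto 0–4, and domains below the Level 2 baseline collected as a prioritised gap list. The band cut-offs in `ratioToMaturity()` are an assumption; the page states only that the ratio is mapped to the 0–4 scale. The sample answers are constructed.

```javascript
// Added example, not code from the assessment itself. It scores domains the
// way the page describes (Yes = 2, Partial = 1, No = 0, N/A excluded from both
// earned and possible points) and maps the ratio onto the 0-4 maturity scale.
// The band cut-offs in ratioToMaturity() are an assumption: the page says only
// that the ratio is "mapped to the 0-4 scale".

const POINTS = { yes: 2, partial: 1, no: 0 };
const BASELINE_LEVEL = 2; // the regulatory baseline the gap list is measured against

// Points earned and possible for one domain. "na" answers contribute to neither.
function scoreDomain(answers) {
  let score = 0;
  let max = 0;
  for (const a of answers) {
    if (a === "na") continue;
    if (!Object.prototype.hasOwnProperty.call(POINTS, a)) {
      throw new Error(`unknown answer: ${a}`);
    }
    score += POINTS[a];
    max += 2;
  }
  return { score, max, ratio: max === 0 ? null : score / max };
}

// Assumed banding of the earned/possible ratio onto maturity levels 0-4.
// A domain where every question was N/A has no ratio and gets no level.
function ratioToMaturity(ratio) {
  if (ratio === null) return null;
  if (ratio >= 0.9) return 4;
  if (ratio >= 0.7) return 3;
  if (ratio >= 0.5) return 2;
  if (ratio >= 0.25) return 1;
  return 0;
}

// Score every domain, average the scored ones, and list those below baseline
// with the weakest first so the output is already a prioritised gap list.
function assess(domains) {
  const results = domains.map(d => {
    const { score, max, ratio } = scoreDomain(d.answers);
    return { name: d.name, score, max, maturity: ratioToMaturity(ratio) };
  });
  const scored = results.filter(r => r.maturity !== null);
  const overall = scored.length
    ? scored.reduce((sum, r) => sum + r.maturity, 0) / scored.length
    : null;
  const gaps = scored
    .filter(r => r.maturity < BASELINE_LEVEL)
    .sort((a, b) => a.maturity - b.maturity || a.name.localeCompare(b.name));
  return { results, overall, gaps };
}

// Constructed sample answers for three domains (not real assessment data).
const SAMPLE = [
  { name: "D1 Silicon & Hardware", answers: ["yes", "partial", "no", "na", "yes", "partial", "no", "no"] },
  { name: "D2 Firmware & Kernel",  answers: ["yes", "yes", "yes", "partial", "yes", "yes", "no"] },
  { name: "D3 Embedded & Edge",    answers: ["na", "na", "na", "na", "na", "na", "na"] },
];

for (const r of assess(SAMPLE).results) {
  console.log(`${r.name}: ${r.score}/${r.max} -> maturity ${r.maturity === null ? "n/a" : r.maturity}`);
}
```

Note the all-N/A case: a domain with no applicable questions yields no ratio and is left out of the overall average rather than being scored as 0, which is what "excluded from scoring" has to mean if N/A is not to penalise the organisation.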
Time: 20–35 minutes for all applicable domains.
Based on <em>Code, Chips and Control</em> by Sal Kimmich
clewline.com · hello@clewline.com
[[Begin Assessment →|ScopingOrg]]

<span class="step-label">Step 1 of 4</span>
Organisation
What organisation are you assessing? (Optional - used only in the report header.)
<<textbox "$org_name" "">>
<em>Leave blank and continue if you prefer not to include this.</em>
[[Continue →|ScopingSector]]

<span class="step-label">Step 2 of 4</span>
Sector
Which sector best describes your organisation?
Your answer determines which regulatory frameworks are mandatory, applicable, advisory, or out of scope. This affects which questions are conditionally shown and how your results are framed.
[[Financial Services - banking, insurance, payments, investment, asset management|ScopingJx][$sector to "finance"]]
[[Healthcare - hospitals, medtech, pharmaceutical, health data processors|ScopingJx][$sector to "healthcare"]]
[[Energy / Critical National Infrastructure - energy, water, transport, telecoms, digital infrastructure|ScopingJx][$sector to "energy"]]
[[Government / Public Sector|ScopingJx][$sector to "government"]]
[[Technology / Software / Digital Services|ScopingJx][$sector to "tech"]]
[[Other / Not Listed - or prefer not to specify|ScopingJx][$sector to "other"]]

<span class="step-label">Step 3 of 4</span>
Jurisdiction
Where does your organisation primarily operate and hold data?
[[European Union - EU-incorporated or primarily EU operations and data|ScopingConfirm][$jurisdiction to "eu"]]
[[United Kingdom only - UK-incorporated, primarily UK operations|ScopingConfirm][$jurisdiction to "uk"]]
[[UK and EU - dual jurisdiction, significant operations in both|ScopingConfirm][$jurisdiction to "ukeu"]]
[[Global / Other - primarily US, APAC, or multi-jurisdiction without EU/UK primacy|ScopingConfirm][$jurisdiction to "global"]]

<<set $f_nis2 to "applicable">>
<<set $f_dora to "oos">>
<<set $f_cra to "applicable">>
<<set $f_gdpr to "applicable">>
<<set $f_aiact to "advisory">>
<<if $sector is "finance">>
<<set $f_dora to "mandatory">>
<<set $f_gdpr to "mandatory">>
<<if $jurisdiction is "eu" or $jurisdiction is "ukeu">>
<<set $f_nis2 to "mandatory">>
<<set $f_cra to "applicable">>
<<set $f_aiact to "applicable">>
<<elseif $jurisdiction is "uk">>
<<set $f_nis2 to "advisory">>
<<set $f_dora to "applicable">>
<<set $f_cra to "advisory">>
<<set $f_aiact to "advisory">>
<<else>>
<<set $f_nis2 to "advisory">>
<<set $f_dora to "applicable">>
<<set $f_cra to "advisory">>
<<set $f_aiact to "advisory">>
<</if>>
<<elseif $sector is "healthcare">>
<<set $f_nis2 to "mandatory">>
<<set $f_cra to "applicable">>
<<set $f_gdpr to "mandatory">>
<<set $f_aiact to "applicable">>
<<if $jurisdiction is "uk">>
<<set $f_nis2 to "advisory">>
<<set $f_aiact to "advisory">>
<</if>>
<<elseif $sector is "energy">>
<<set $f_nis2 to "mandatory">>
<<set $f_cra to "mandatory">>
<<set $f_aiact to "applicable">>
<<if $jurisdiction is "uk">>
<<set $f_nis2 to "advisory">>
<<set $f_cra to "advisory">>
<<set $f_aiact to "advisory">>
<</if>>
<<elseif $sector is "government">>
<<set $f_nis2 to "mandatory">>
<<set $f_cra to "applicable">>
<<set $f_gdpr to "mandatory">>
<<set $f_aiact to "applicable">>
<<if $jurisdiction is "uk">>
<<set $f_nis2 to "advisory">>
<<set $f_aiact to "advisory">>
<</if>>
<<elseif $sector is "tech">>
<<if $jurisdiction is "eu" or $jurisdiction is "ukeu">>
<<set $f_nis2 to "applicable">>
<<set $f_cra to "mandatory">>
<<set $f_gdpr to "mandatory">>
<<set $f_aiact to "applicable">>
<<else>>
<<set $f_nis2 to "advisory">>
<<set $f_cra to "advisory">>
<</if>>
<</if>>
<<set $d1_score to 0>><<set $d1_max to 0>><<set $d1_q to 0>><<set $d1_done to false>><<set $d1_skip to false>><<set $d1_mat to 0>><<set $d1_answers to []>>
<<set $d2_score to 0>><<set $d2_max to 0>><<set $d2_q to 0>><<set $d2_done to false>><<set $d2_skip to false>><<set $d2_mat to 0>><<set $d2_answers to []>>
<<set $d3_score to 0>><<set $d3_max to 0>><<set $d3_q to 0>><<set $d3_done to false>><<set $d3_skip to false>><<set $d3_mat to 0>><<set $d3_answers to []>>
<<set $d4_score to 0>><<set $d4_max to 0>><<set $d4_q to 0>><<set $d4_done to false>><<set $d4_skip to false>><<set $d4_mat to 0>><<set $d4_answers to []>>
<<set $d5_score to 0>><<set $d5_max to 0>><<set $d5_q to 0>><<set $d5_done to false>><<set $d5_skip to false>><<set $d5_mat to 0>><<set $d5_answers to []>>
<<set $d6_score to 0>><<set $d6_max to 0>><<set $d6_q to 0>><<set $d6_done to false>><<set $d6_skip to false>><<set $d6_mat to 0>><<set $d6_answers to []>>
<<set $d7_score to 0>><<set $d7_max to 0>><<set $d7_q to 0>><<set $d7_done to false>><<set $d7_skip to false>><<set $d7_mat to 0>><<set $d7_answers to []>>
<<set $d8_score to 0>><<set $d8_max to 0>><<set $d8_q to 0>><<set $d8_done to false>><<set $d8_skip to false>><<set $d8_mat to 0>><<set $d8_answers to []>>
<<set $d9_score to 0>><<set $d9_max to 0>><<set $d9_q to 0>><<set $d9_done to false>><<set $d9_skip to false>><<set $d9_mat to 0>><<set $d9_answers to []>>
<<set $overall_score to 0>><<set $active_count to 0>><<set $overall_avg to 0>><<set $posture to "">>
<span class="step-label">Step 4 of 4</span>
Your Regulatory Profile
<<if $org_name is not "">>Organisation: $org_name
<</if>>Sector: <<if $sector is "finance">>Financial Services<<elseif $sector is "healthcare">>Healthcare<<elseif $sector is "energy">>Energy / Critical Infrastructure<<elseif $sector is "government">>Government / Public Sector<<elseif $sector is "tech">>Technology / Digital Services<<else>>Other<</if>> · Jurisdiction: <<if $jurisdiction is "eu">>European Union<<elseif $jurisdiction is "uk">>United Kingdom<<elseif $jurisdiction is "ukeu">>UK and EU<<else>>Global / Other<</if>>
<table>
<tr><th>Framework</th><th>Status</th><th>Notes</th></tr>
<tr><td>NIS2 (EU) / UK NIS Regs</td><td>$f_nis2</td><td>Art.21 security measures; Art.23 incident notification</td></tr>
<tr><td>DORA</td><td>$f_dora</td><td>Art.28–30 ICT third-party; Art.26 TLPT; in force Jan 2025</td></tr>
<tr><td>CRA (Cyber Resilience Act)</td><td>$f_cra</td><td>CVD obligations ~mid-2026; most provisions ~late 2027</td></tr>
<tr><td>GDPR / UK GDPR</td><td>$f_gdpr</td><td>Ch.V international transfers; Art.32 security</td></tr>
<tr><td>EU AI Act</td><td>$f_aiact</td><td>Annex III high-risk Aug 2026; CNI = high-risk by definition</td></tr>
</table>
MANDATORY - directly enforceable for your profile.
APPLICABLE - likely applies; verify with legal counsel.
ADVISORY - not mandated; recommended best practice.
OOS - out of scope for your sector.
<<if $jurisdiction is "global">><em>Note on EU AI Act extraterritorial reach: organisations without EU incorporation may still have deployer obligations under the EU AI Act if their AI system outputs are used by persons located in the EU (Regulation (EU) 2024/1689, Art. 2). If any part of your user base or operations touches the EU, verify scope with legal counsel before treating the EU AI Act as advisory.</em>
<</if>>
All nine domains will be presented.
[[Start Assessment →|DomainHub]]

<<include "WidgetProgress">>
## Domain Assessment Hub
Select a domain to begin or continue. Each domain takes about 3–6 minutes.
✓ = complete (you can re-enter; scores stay). · = not yet started.
Domains (click to start or continue)
<ul class="domain-list">
<li>1. <<if $d1_done>>✓ Silicon & Hardware - complete<</if>><<if !$d1_done>>· [[D1: Silicon & Hardware Supply Chain|D1]]<</if>></li>
<li>2. <<if $d2_done>>✓ Firmware & Kernel - complete<</if>><<if !$d2_done>>· [[D2: Firmware & Kernel Trust|D2]]<</if>></li>
<li>3. <<if $d3_done>>✓ Embedded & Edge - complete<</if>><<if !$d3_done>>· [[D3: Embedded & Edge Sovereignty|D3]]<</if>></li>
<li>4. <<if $d4_done>>✓ Vulnerability Governance - complete<</if>><<if !$d4_done>>· [[D4: Vulnerability Governance|D4]]<</if>></li>
<li>5. <<if $d5_done>>✓ Formal Trust - complete<</if>><<if !$d5_done>>· [[D5: Formal Trust & Verification|D5]]<</if>></li>
<li>6. <<if $d6_done>>✓ Cloud Sovereignty - complete<</if>><<if !$d6_done>>· [[D6: Hypervisor & Cloud Sovereignty|D6]]<</if>></li>
<li>7. <<if $d7_done>>✓ Data Jurisdiction - complete<</if>><<if !$d7_done>>· [[D7: Data Jurisdiction & Unicity|D7]]<</if>></li>
<li>8. <<if $d8_done>>✓ AI Supply Chain - complete<</if>><<if !$d8_done>>· [[D8: AI Supply Chain & Platform Dependency|D8]]<</if>></li>
<li>9. <<if $d9_done>>✓ ICT Vendor Risk - complete<</if>><<if !$d9_done>>· [[D9: ICT Vendor & Third-Party Risk|D9]]<</if>></li>
</ul>
<<if $d1_done and $d2_done and $d3_done and $d4_done and $d5_done and $d6_done and $d7_done and $d8_done and $d9_done>>
All 9 domains complete.
[[View Results →|RESULTS]]
<</if>>

<<set $done_count to 0>>
<<if $d1_done>><<set $done_count to $done_count + 1>><</if>>
<<if $d2_done>><<set $done_count to $done_count + 1>><</if>>
<<if $d3_done>><<set $done_count to $done_count + 1>><</if>>
<<if $d4_done>><<set $done_count to $done_count + 1>><</if>>
<<if $d5_done>><<set $done_count to $done_count + 1>><</if>>
<<if $d6_done>><<set $done_count to $done_count + 1>><</if>>
<<if $d7_done>><<set $done_count to $done_count + 1>><</if>>
<<if $d8_done>><<set $done_count to $done_count + 1>><</if>>
<<if $d9_done>><<set $done_count to $done_count + 1>><</if>>
<div class="progress-line">*Progress: $done_count of 9 domains complete* - <<if $done_count is 0>>no domains started<<elseif $done_count is 9>>all complete<<else>>$done_count done, <<print 9 - $done_count>> remaining<</if>></div>

<div class="domain-progress">*Domain $progress_domain of 9* · $progress_name <<if $progress_q is 0>> · *Introduction*<<else>> · Question $progress_q of $progress_qmax<</if>></div>
---

<<set $progress_domain to 1>><<set $progress_name to "Silicon & Hardware">><<set $progress_qmax to 8>><<set $progress_q to $d1_q>>
<<include "WidgetDomainProgress">>
<<if $d1_q is 0>>
## D1: Silicon & Hardware Supply Chain
Regulatory context: CRA Annex I (essential requirements for hardware products with digital elements) · NIS2 Art.21(2)(d) (supply chain security measures)
What this domain covers: Your ability to verify the provenance, integrity, and firmware state of the physical hardware underlying your infrastructure. Sovereignty is lost at this layer when procurement controls exist on paper but the hardware running in production cannot be cryptographically attested - you know where you bought it, not what it is doing.
Failure mode: Compliant procurement from an approved vendor list, but no ability to prove what firmware or microcode the chip is actually running at boot. The physical root of trust is assumed, not verified.
8 questions · NIS2: $f_nis2 · CRA: $f_cra
[[Begin Domain 1 →|D1][$d1_q to 1]]
<<elseif $d1_q is 1>>
D1 · 1 / 8 - Hardware SBOM
Do you maintain a hardware bill of materials (hardware SBOM) for your infrastructure, kept current and covering all critical systems?
<em>CRA Annex I · NIS2 Art.21(2)(d)</em>
[[Yes - hardware SBOM in place, current, and covering all critical systems|D1][$d1_score to $d1_score + 2; $d1_max to $d1_max + 2; $d1_q to 2]]
[[Partial - exists but incomplete, out-of-date, or covers only some systems|D1][$d1_score to $d1_score + 1; $d1_max to $d1_max + 2; $d1_q to 2]]
[[No - no hardware SBOM in place|D1][$d1_max to $d1_max + 2; $d1_q to 2]]
[[N/A - not applicable to our infrastructure model|D1][$d1_q to 2]]
<<elseif $d1_q is 2>>
D1 · 2 / 8 - Supplier Verification & Advisories
Have you verified the firmware version and supplier provenance for all critical hardware, and are you registered on authenticated security advisory channels for all critical hardware vendors?
<em>CRA Annex I (secure-by-design) · NIS2 Art.21(2)(d)</em>
[[Yes - verified provenance and on authenticated advisory feeds for all critical hardware|D1][$d1_score to $d1_score + 2; $d1_max to $d1_max + 2; $d1_q to 3]]
[[Partial - covered for some hardware, or advisory feeds are not authenticated|D1][$d1_score to $d1_score + 1; $d1_max to $d1_max + 2; $d1_q to 3]]
[[No - control absent|D1][$d1_max to $d1_max + 2; $d1_q to 3]]
[[N/A - not applicable; excluded from scoring|D1][$d1_q to 3]]
<<elseif $d1_q is 3>>
D1 · 3 / 8 - Verified Boot Chain
Is a cryptographically verified boot chain (UEFI Secure Boot + TPM 2.0 measured boot) enabled on all production systems, with PCR values logged to a centralised, tamper-evident store and monitored for deviation?
<em>NIST SP 800-147B (BIOS protection) · CRA security-by-design · NIS2 Art.21(2)(e) (security monitoring)</em>
[[Yes - Secure Boot enforced, measured boot active, PCR values logged and monitored|D1][$d1_score to $d1_score + 2; $d1_max to $d1_max + 2; $d1_q to 4]]
[[Partial - implemented on some systems, or PCR monitoring not automated|D1][$d1_score to $d1_score + 1; $d1_max to $d1_max + 2; $d1_q to 4]]
[[No - control absent|D1][$d1_max to $d1_max + 2; $d1_q to 4]]
[[N/A - not applicable; excluded from scoring|D1][$d1_q to 4]]
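The "logged and monitored for deviation" part of this question is where most measured-boot deployments stop short. As an added example (not code from the assessment), the JavaScript below runs a fleet-level baseline check: each host's TPM 2.0 PCR digests, as they would be pulled from a measured-boot log or remote attestation quote, are compared with a golden baseline for the host's hardware class, and every mismatch, missing register, or host with no baseline becomes a finding. Host names, hardware classes and digests are constructed; the PCR roles follow the TCG PC Client conventions.

```javascript
// Added example, not code from the assessment. A fleet-level check of the kind
// D1 Q3 asks about: each host's TPM 2.0 PCR digests are compared with a golden
// baseline for the host's hardware class, and every deviation becomes a
// finding. Host names, hardware classes and digests are constructed for the
// example; PCR roles follow the TCG PC Client conventions.

const MONITORED_PCRS = [0, 1, 4, 7];
const PCR_ROLE = {
  0: "platform firmware code",
  1: "platform firmware configuration",
  4: "boot manager / bootloader",
  7: "Secure Boot policy",
};

// Golden baseline per hardware class (constructed, shortened sample digests).
const BASELINE = {
  "srv-gen3": { 0: "3f0a9c1e8b2d4c5a", 1: "71d2e0f4aa19b3c8", 4: "c9e1b5d07a3f2e64", 7: "5ab8d3c1f9e27046" },
};

// Compare one host report against the baseline; returns zero or more findings.
function checkHost(report, baseline = BASELINE) {
  const expected = baseline[report.hwClass];
  if (!expected) {
    return [{ host: report.host, pcr: null, kind: "no-baseline",
              detail: `no golden baseline for hardware class ${report.hwClass}` }];
  }
  const findings = [];
  for (const pcr of MONITORED_PCRS) {
    const seen = report.pcrs[pcr];
    if (seen === undefined) {
      // A PCR absent from the quote is itself a finding: the attestation is incomplete.
      findings.push({ host: report.host, pcr, kind: "missing",
                      detail: `PCR ${pcr} (${PCR_ROLE[pcr]}) absent from attestation` });
    } else if (seen !== expected[pcr]) {
      findings.push({ host: report.host, pcr, kind: "deviation",
                      detail: `PCR ${pcr} (${PCR_ROLE[pcr]}) expected ${expected[pcr]}, got ${seen}` });
    }
  }
  return findings;
}

// Run the check over every report and return the combined finding list.
function checkFleet(reports, baseline = BASELINE) {
  return reports.flatMap(r => checkHost(r, baseline));
}

// Constructed attestation reports: one clean host, one whose Secure Boot
// policy measurement changed, one missing PCR 4, one of an unknown hardware class.
const SAMPLE_REPORTS = [
  { host: "db01",   hwClass: "srv-gen3", pcrs: { 0: "3f0a9c1e8b2d4c5a", 1: "71d2e0f4aa19b3c8", 4: "c9e1b5d07a3f2e64", 7: "5ab8d3c1f9e27046" } },
  { host: "db02",   hwClass: "srv-gen3", pcrs: { 0: "3f0a9c1e8b2d4c5a", 1: "71d2e0f4aa19b3c8", 4: "c9e1b5d07a3f2e64", 7: "0000000000000000" } },
  { host: "app01",  hwClass: "srv-gen3", pcrs: { 0: "3f0a9c1e8b2d4c5a", 1: "71d2e0f4aa19b3c8", 7: "5ab8d3c1f9e27046" } },
  { host: "edge07", hwClass: "nuc-lab",  pcrs: { 0: "deadbeefdeadbeef" } },
];

for (const f of checkFleet(SAMPLE_REPORTS)) {
  console.log(`[${f.kind}] ${f.host}: ${f.detail}`);
}
```

Two design points matter in practice: a register missing from the quote is reported rather than silently skipped, since an incomplete attestation is exactly what a tampered or misconfigured host would produce; and the baseline is keyed by hardware class, so an authorised firmware update is handled by rotating that class's expected digests, not by muting alerts.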
<<elseif $d1_q is 4>>
D1 · 4 / 8 - Firmware Integrity Monitoring
Do you continuously monitor firmware integrity post-deployment, with automated alerting on unexpected firmware changes, BMC anomalies, or configuration drift?
<em>NIS2 Art.21(2)(e) (monitoring) · CRA Annex I</em>
[[Yes - continuous monitoring with automated alerts in place|D1][$d1_score to $d1_score + 2; $d1_max to $d1_max + 2; $d1_q to 5]]
[[Partial - periodic checks only, or alerting is incomplete or manual|D1][$d1_score to $d1_score + 1; $d1_max to $d1_max + 2; $d1_q to 5]]
[[No - control absent|D1][$d1_max to $d1_max + 2; $d1_q to 5]]
[[N/A - not applicable; excluded from scoring|D1][$d1_q to 5]]
<<elseif $d1_q is 5>>
D1 · 5 / 8 - Geopolitical Concentration Risk
Have you assessed your hardware supply chain for geopolitical concentration risk - specifically whether critical components originate predominantly from a single country or vendor with potential state influence?
<em>NIS2 Art.21(2)(d) · DORA Art.29 (concentration risk, for financial entities) · US Executive Orders on supply chain security</em>
[[Yes - formally assessed, documented, with a mitigation or monitoring strategy|D1][$d1_score to $d1_score + 2; $d1_max to $d1_max + 2; $d1_q to 6]]
[[Partial - informal awareness, no formal assessment or documented position|D1][$d1_score to $d1_score + 1; $d1_max to $d1_max + 2; $d1_q to 6]]
[[No - control absent|D1][$d1_max to $d1_max + 2; $d1_q to 6]]
[[N/A - not applicable; excluded from scoring|D1][$d1_q to 6]]
<<elseif $d1_q is 6>>
D1 · 6 / 8 - Procurement Controls
Do you have documented hardware procurement controls aligned to CRA Annex I requirements, including supplier security assessment, minimum security specifications, and contractual security obligations?
<em>CRA Annex I para.1–2 · NIS2 Art.21(2)(d)</em>
[[Yes - documented, enforced, and reviewed at least annually|D1][$d1_score to $d1_score + 2; $d1_max to $d1_max + 2; $d1_q to 7]]
[[Partial - controls exist but not consistently documented, enforced, or reviewed|D1][$d1_score to $d1_score + 1; $d1_max to $d1_max + 2; $d1_q to 7]]
[[No - control absent|D1][$d1_max to $d1_max + 2; $d1_q to 7]]
[[N/A - not applicable; excluded from scoring|D1][$d1_q to 7]]
<<elseif $d1_q is 7>>
D1 · 7 / 8 - Hardware Configuration Logging
Do you log hardware configuration state (firmware versions, enabled interfaces, BIOS/UEFI settings) and alert on deviation from a known-good baseline?
<em>NIS2 Art.21(2)(e) · ISO 27001 A.12.1</em>
[[Yes - logged continuously with deviation alerting against a managed baseline|D1][$d1_score to $d1_score + 2; $d1_max to $d1_max + 2; $d1_q to 8]]
[[Partial - logged periodically or alerting is not automated|D1][$d1_score to $d1_score + 1; $d1_max to $d1_max + 2; $d1_q to 8]]
[[No - control absent|D1][$d1_max to $d1_max + 2; $d1_q to 8]]
[[N/A - not applicable; excluded from scoring|D1][$d1_q to 8]]
<<elseif $d1_q is 8>>
D1 · 8 / 8 - SBOM Tooling Maturity
Is your hardware SBOM process automated and integrated with your vulnerability management toolchain, so that newly published CVEs are automatically cross-referenced against your hardware inventory?
<em>CRA Annex I · NIS2 Art.21(2)(d)</em>
[[Yes - automated SBOM generation and CVE cross-referencing in production|D1][$d1_score to $d1_score + 2; $d1_max to $d1_max + 2; $d1_q to 9]]
[[Partial - some automation but cross-referencing is manual or incomplete|D1][$d1_score to $d1_score + 1; $d1_max to $d1_max + 2; $d1_q to 9]]
[[No - control absent|D1][$d1_max to $d1_max + 2; $d1_q to 9]]
[[N/A - not applicable; excluded from scoring|D1][$d1_q to 9]]
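The cross-referencing step this question describes is mechanical once the inventory and advisory feed are machine-readable. As an added example (not the assessment's own code), the JavaScript below matches a constructed hardware inventory against a constructed advisory feed using affected-version ranges and groups the hits by advisory, highest severity first. Vendor names, product names, versions and advisory IDs are made up for the example; a real feed would come from the vendor's authenticated advisory channel or a CVE/CSAF source.

```javascript
// Added example, not code from the assessment: the SBOM-to-advisory
// cross-reference D1 Q8 describes, run over constructed data. Vendors,
// products, versions and advisory IDs are invented for the example.

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// An advisory applies when vendor and product match and the installed version
// lies in [introduced, fixed). A null "fixed" means no fixed release exists yet.
function isAffected(component, advisory) {
  if (component.vendor !== advisory.vendor || component.product !== advisory.product) return false;
  if (advisory.introduced && compareVersions(component.version, advisory.introduced) < 0) return false;
  if (advisory.fixed && compareVersions(component.version, advisory.fixed) >= 0) return false;
  return true;
}

// Cross-reference every inventory entry against every advisory; group by
// advisory so the output reads as "this advisory affects these hosts".
function crossReference(inventory, advisories) {
  const hits = new Map();
  for (const adv of advisories) {
    for (const entry of inventory) {
      if (!isAffected(entry, adv)) continue;
      if (!hits.has(adv.id)) hits.set(adv.id, { id: adv.id, severity: adv.severity, hosts: [] });
      hits.get(adv.id).hosts.push(`${entry.host}:${entry.product}@${entry.version}`);
    }
  }
  // Highest severity first so the list is already prioritised for remediation.
  return [...hits.values()].sort((x, y) => y.severity - x.severity);
}

// Constructed hardware inventory (firmware components per host).
const INVENTORY = [
  { host: "db01",  vendor: "ExampleBMC", product: "bmc-fw", version: "2.14.0" },
  { host: "db02",  vendor: "ExampleBMC", product: "bmc-fw", version: "2.17.1" },
  { host: "app01", vendor: "ExampleNIC", product: "nic-fw", version: "1.3" },
  { host: "app02", vendor: "ExampleNIC", product: "nic-fw", version: "1.4.2" },
];

// Constructed advisory feed (placeholder IDs, not real CVEs).
const ADVISORIES = [
  { id: "EXAMPLE-ADV-0001", vendor: "ExampleBMC", product: "bmc-fw", introduced: "2.0", fixed: "2.16", severity: 9.1 },
  { id: "EXAMPLE-ADV-0002", vendor: "ExampleNIC", product: "nic-fw", introduced: "1.4", fixed: null,   severity: 7.5 },
  { id: "EXAMPLE-ADV-0003", vendor: "ExampleNIC", product: "other",  introduced: null,  fixed: "9.9",  severity: 5.0 },
];

for (const hit of crossReference(INVENTORY, ADVISORIES)) {
  console.log(`${hit.id} (severity ${hit.severity}): ${hit.hosts.join(", ")}`);
}
```

The version comparison is deliberately simple (numeric dotted versions only); real vendor firmware version strings are often irregular, which is one reason this matching is usually unreliable when done by hand and worth automating against a normalised inventory.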
<<else>>
D1 Complete.
Domain 1: Silicon & Hardware Supply Chain · Score: $d1_score / $d1_max
<<set $d1_done to true>>
[[Return to Hub →|DomainHub]]
<</if>>

<<set $progress_domain to 2>><<set $progress_name to "Firmware & Kernel Trust">><<set $progress_qmax to 7>><<set $progress_q to $d2_q>>
<<include "WidgetDomainProgress">>
<<if $d2_q is 0>>
## D2: Firmware & Kernel Trust
Regulatory context: NIS2 Art.21(2)(e) · NIST SP 800-193 (Platform Firmware Resiliency) · CRA Annex I
What this domain covers: Your ability to verify, lock down, and maintain the firmware and kernel layer - the layer between your hardware attestation (D1) and your OS. Firmware sovereignty is nominal without measured boot: you can have Secure Boot enabled and still be running unverified microcode injected before the UEFI handshake.
Failure mode: OS patched to current. UEFI is not locked. Measured boot is not enabled. Firmware updates are applied over unsigned channels. The boot chain cannot be attested.
7 questions · NIS2: $f_nis2
[[Begin Domain 2 →|D2][$d2_q to 1]]
<<elseif $d2_q is 1>>
D2 · 1 / 7 - Measured Boot
Is measured boot enabled on all production systems, with boot measurements logged to a centralised store?
<em>NIST SP 800-193 · NIS2 Art.21(2)(e)</em>
[[Yes - enabled on all production systems, logging centralised|D2][$d2_score to $d2_score + 2; $d2_max to $d2_max + 2; $d2_q to 2]]
[[Partial - enabled on some systems, or logging not centralised|D2][$d2_score to $d2_score + 1; $d2_max to $d2_max + 2; $d2_q to 2]]
[[No - control absent|D2][$d2_max to $d2_max + 2; $d2_q to 2]]
[[N/A - not applicable; excluded from scoring|D2][$d2_q to 2]]
<<elseif $d2_q is 2>>
D2 · 2 / 7 - UEFI Lockdown
Is UEFI Secure Boot enforced and UEFI configuration locked (password-protected, boot order fixed, admin password set) on all production systems?
<em>CRA Annex I · NIS2 Art.21(2)(e)</em>
[[Yes - Secure Boot enforced, UEFI locked on all production systems|D2][$d2_score to $d2_score + 2; $d2_max to $d2_max + 2; $d2_q to 3]]
[[Partial - enforced on some systems, or not fully locked|D2][$d2_score to $d2_score + 1; $d2_max to $d2_max + 2; $d2_q to 3]]
[[No - control absent|D2][$d2_max to $d2_max + 2; $d2_q to 3]]
[[N/A - not applicable; excluded from scoring|D2][$d2_q to 3]]
<<elseif $d2_q is 3>>
D2 · 3 / 7 - Firmware Update Signing
Are all firmware updates cryptographically signed and verified before application - either with a key under your organisation's control or with a vendor key verified against a known-good root?
<em>CRA Annex I para.1 · NIST SP 800-193 section 4.1 (authenticated updates)</em>
[[Yes - all firmware updates signed and verified|D2][$d2_score to $d2_score + 2; $d2_max to $d2_max + 2; $d2_q to 4]]
[[Partial - some updates signed, or verification incomplete|D2][$d2_score to $d2_score + 1; $d2_max to $d2_max + 2; $d2_q to 4]]
[[No - control absent|D2][$d2_max to $d2_max + 2; $d2_q to 4]]
[[N/A - not applicable; excluded from scoring|D2][$d2_q to 4]]
<<elseif $d2_q is 4>>
D2 · 4 / 7 - Immutable Infrastructure
Do you use immutable infrastructure patterns (build a golden image, deploy fresh instances, replace rather than patch-in-place) for security-critical systems?
<em>NIS2 Art.21(2)(e) · ISO 27001 A.12.1 (operational security)</em>
[[Yes - immutable patterns for all security-critical systems|D2][$d2_score to $d2_score + 2; $d2_max to $d2_max + 2; $d2_q to 5]]
[[Partial - used for some systems only|D2][$d2_score to $d2_score + 1; $d2_max to $d2_max + 2; $d2_q to 5]]
[[No - control absent|D2][$d2_max to $d2_max + 2; $d2_q to 5]]
[[N/A - not applicable; excluded from scoring|D2][$d2_q to 5]]
<<elseif $d2_q is 5>>
D2 · 5 / 7 - Kernel Module Signing
Is kernel module signing enforced, and is loading of unsigned modules blocked in production?
<em>CRA security-by-design · NIS2 Art.21(2)(e)</em>
[[Yes - kernel module signing enforced, unsigned blocked|D2][$d2_score to $d2_score + 2; $d2_max to $d2_max + 2; $d2_q to 6]]
[[Partial - enforced on some systems|D2][$d2_score to $d2_score + 1; $d2_max to $d2_max + 2; $d2_q to 6]]
[[No - control absent|D2][$d2_max to $d2_max + 2; $d2_q to 6]]
[[N/A - not applicable; excluded from scoring|D2][$d2_q to 6]]
<<elseif $d2_q is 6>>
D2 · 6 / 7 - Firmware Rollback Capability
Do you maintain a documented firmware update process with tested rollback capability, so that a failed or compromised firmware update can be reversed to a verified known-good state?
<em>NIS2 Art.21(2)(c) (backup and recovery) · NIST SP 800-193 section 4.2</em>
[[Yes - documented process with tested rollback|D2][$d2_score to $d2_score + 2; $d2_max to $d2_max + 2; $d2_q to 7]]
[[Partial - process exists but rollback not tested|D2][$d2_score to $d2_score + 1; $d2_max to $d2_max + 2; $d2_q to 7]]
[[No - control absent|D2][$d2_max to $d2_max + 2; $d2_q to 7]]
[[N/A - not applicable; excluded from scoring|D2][$d2_q to 7]]
<<elseif $d2_q is 7>>
D2 · 7 / 7 - Firmware Recovery Testing
Have you tested firmware recovery procedures under simulated failure conditions in the last 12 months?
<em>NIS2 Art.21(2)(c) · DORA Art.25 (ICT continuity testing, for financial entities)</em>
[[Yes - tested in the last 12 months|D2][$d2_score to $d2_score + 2; $d2_max to $d2_max + 2; $d2_q to 8]]
[[Partial - tested but not in last 12 months, or partial test|D2][$d2_score to $d2_score + 1; $d2_max to $d2_max + 2; $d2_q to 8]]
[[No - control absent|D2][$d2_max to $d2_max + 2; $d2_q to 8]]
[[N/A - not applicable; excluded from scoring|D2][$d2_q to 8]]
<<else>>
D2 Complete.
Domain 2: Firmware & Kernel Trust · Score: $d2_score / $d2_max
<<set $d2_done to true>>
[[Return to Hub →|DomainHub]]
<</if>>

<<set $progress_domain to 3>><<set $progress_name to "Embedded & Edge Sovereignty">><<set $progress_qmax to 7>><<set $progress_q to $d3_q>>
<<include "WidgetDomainProgress">>
<<if $d3_q is 0>>
## D3: Embedded & Edge Sovereignty
What this domain covers: Physical and embedded devices - IoT, OT, industrial control systems, edge compute nodes - and your ability to verify, update, and physically protect them.
Failure mode: Devices are network-segmented, but the physical blast radius is undocumented and update mechanisms are manual and unsigned.
7 questions · NIS2: $f_nis2 · CRA: $f_cra
[[Begin Domain 3 →|D3][$d3_q to 1]]
<<elseif $d3_q is 1>>
D3 · 1 / 7
[[Yes - in place, applied, and verified|D3][$d3_score to $d3_score + 2; $d3_max to $d3_max + 2; $d3_q to 2]]
[[Partial - exists but incomplete or not consistently applied|D3][$d3_score to $d3_score + 1; $d3_max to $d3_max + 2; $d3_q to 2]]
[[No - control absent|D3][$d3_max to $d3_max + 2; $d3_q to 2]]
[[N/A - not applicable; excluded from scoring|D3][$d3_q to 2]]
<<elseif $d3_q is 2>>
D3 · 2 / 7 - Authenticated OTA Updates
Do you implement cryptographically authenticated OTA update mechanisms for all edge devices?
[[Yes - in place, applied, and verified|D3][$d3_score to $d3_score + 2; $d3_max to $d3_max + 2; $d3_q to 3]]
[[Partial - exists but incomplete or not consistently applied|D3][$d3_score to $d3_score + 1; $d3_max to $d3_max + 2; $d3_q to 3]]
[[No - control absent|D3][$d3_max to $d3_max + 2; $d3_q to 3]]
[[N/A - not applicable; excluded from scoring|D3][$d3_q to 3]]
<<elseif $d3_q is 3>>
D3 · 3 / 7 - Physical Blast Radius
Have you documented the "physical blast radius" for each device class?
[[Yes - in place, applied, and verified|D3][$d3_score to $d3_score + 2; $d3_max to $d3_max + 2; $d3_q to 4]]
[[Partial - exists but incomplete or not consistently applied|D3][$d3_score to $d3_score + 1; $d3_max to $d3_max + 2; $d3_q to 4]]
[[No - control absent|D3][$d3_max to $d3_max + 2; $d3_q to 4]]
[[N/A - not applicable; excluded from scoring|D3][$d3_q to 4]]
<<elseif $d3_q is 4>>
D3 · 4 / 7 - Physical Access Controls
Do you implement and enforce documented physical access controls for all critical edge devices, with access logging?
[[Yes - in place, applied, and verified|D3][$d3_score to $d3_score + 2; $d3_max to $d3_max + 2; $d3_q to 5]]
[[Partial - exists but incomplete or not consistently applied|D3][$d3_score to $d3_score + 1; $d3_max to $d3_max + 2; $d3_q to 5]]
[[No - control absent|D3][$d3_max to $d3_max + 2; $d3_q to 5]]
[[N/A - not applicable; excluded from scoring|D3][$d3_q to 5]]
<<elseif $d3_q is 5>>
D3 · 5 / 7 - Physical Compromise Response
Do you have a documented and rehearsed incident response procedure for the physical compromise or theft of an edge device?
[[Yes - in place, applied, and verified|D3][$d3_score to $d3_score + 2; $d3_max to $d3_max + 2; $d3_q to 6]]
[[Partial - exists but incomplete or not consistently applied|D3][$d3_score to $d3_score + 1; $d3_max to $d3_max + 2; $d3_q to 6]]
[[No - control absent|D3][$d3_max to $d3_max + 2; $d3_q to 6]]
[[N/A - not applicable; excluded from scoring|D3][$d3_q to 6]]
<<elseif $d3_q is 6>>
D3 · 6 / 7 - Network Segmentation
Are edge devices network-segmented from core infrastructure, with enforced, monitored segment boundaries?
[[Yes - in place, applied, and verified|D3][$d3_score to $d3_score + 2; $d3_max to $d3_max + 2; $d3_q to 7]]
[[Partial - exists but incomplete or not consistently applied|D3][$d3_score to $d3_score + 1; $d3_max to $d3_max + 2; $d3_q to 7]]
[[No - control absent|D3][$d3_max to $d3_max + 2; $d3_q to 7]]
[[N/A - not applicable; excluded from scoring|D3][$d3_q to 7]]
<<elseif $d3_q is 7>>
D3 · 7 / 7 - Continuous Configuration Monitoring
Do you continuously monitor edge device configuration state and alert on deviation from a defined baseline?
[[Yes - in place, applied, and verified|D3][$d3_score to $d3_score + 2; $d3_max to $d3_max + 2; $d3_q to 8]]
[[Partial - exists but incomplete or not consistently applied|D3][$d3_score to $d3_score + 1; $d3_max to $d3_max + 2; $d3_q to 8]]
[[No - control absent|D3][$d3_max to $d3_max + 2; $d3_q to 8]]
[[N/A - not applicable; excluded from scoring|D3][$d3_q to 8]]
<<else>>
D3 Complete.
Domain 3: Embedded & Edge Sovereignty · Score: $d3_score / $d3_max
<<set $d3_done to true>>
[[Return to Hub →|DomainHub]]
<</if>>

<<set $progress_domain to 4>><<set $progress_name to "Vulnerability Governance">><<set $progress_qmax to 8>><<set $progress_q to $d4_q>>
<<include "WidgetDomainProgress">>
<<if $d4_q is 0>>
## D4: Vulnerability Governance
What this domain covers: Your organisation's end-to-end process for discovering, prioritising, communicating, and remediating vulnerabilities.
Failure mode: CVD policy reviewed by legal but never operationally tested. NIS2 Art.23 24-hour notification has never been rehearsed. Mean time to patch (MTTP) is unknown.
8 questions (Q6 shown only if DORA applicable) · NIS2: $f_nis2 · DORA: $f_dora
[[Begin Domain 4 →|D4][$d4_q to 1]]
<<elseif $d4_q is 1>>
D4 · 1 / 8
[[Yes - in place, applied, and verified|D4][$d4_score to $d4_score + 2; $d4_max to $d4_max + 2; $d4_q to 2]]
[[Partial - exists but incomplete or not consistently applied|D4][$d4_score to $d4_score + 1; $d4_max to $d4_max + 2; $d4_q to 2]]
[[No - control absent|D4][$d4_max to $d4_max + 2; $d4_q to 2]]
[[N/A - not applicable; excluded from scoring|D4][$d4_q to 2]]
<<elseif $d4_q is 2>>
D4 · 2 / 8 - CVD Policy
Do you have a documented, published, and operationally tested Coordinated Vulnerability Disclosure (CVD) policy?
[[Yes - in place, applied, and verified|D4][$d4_score to $d4_score + 2; $d4_max to $d4_max + 2; $d4_q to 3]]
[[Partial - exists but incomplete or not consistently applied|D4][$d4_score to $d4_score + 1; $d4_max to $d4_max + 2; $d4_q to 3]]
[[No - control absent|D4][$d4_max to $d4_max + 2; $d4_q to 3]]
[[N/A - not applicable; excluded from scoring|D4][$d4_q to 3]]
<<elseif $d4_q is 3>>
D4 · 3 / 8 - Incident Notification Rehearsal
Have you rehearsed the NIS2 Art.23 24-hour significant incident notification process as a live exercise in the last 12 months?
[[Yes - in place, applied, and verified|D4][$d4_score to $d4_score + 2; $d4_max to $d4_max + 2; $d4_q to 4]]
[[Partial - exists but incomplete or not consistently applied|D4][$d4_score to $d4_score + 1; $d4_max to $d4_max + 2; $d4_q to 4]]
[[No - control absent|D4][$d4_max to $d4_max + 2; $d4_q to 4]]
[[N/A - not applicable; excluded from scoring|D4][$d4_q to 4]]
<<elseif $d4_q is 4>>
D4 · 4 / 8 - Asset-Driven Prioritisation
Do you maintain a current, comprehensive asset inventory that directly drives vulnerability prioritisation?
[[Yes - in place, applied, and verified|D4][$d4_score to $d4_score + 2; $d4_max to $d4_max + 2; $d4_q to 5]]
[[Partial - exists but incomplete or not consistently applied|D4][$d4_score to $d4_score + 1; $d4_max to $d4_max + 2; $d4_q to 5]]
[[No - control absent|D4][$d4_max to $d4_max + 2; $d4_q to 5]]
[[N/A - not applicable; excluded from scoring|D4][$d4_q to 5]]
<<elseif $d4_q is 5>>
D4 · 5 / 8 - Penetration Testing
Do you conduct regular penetration testing against production-equivalent environments, with findings tracked to independently verified closure?
[[Yes - in place, applied, and verified|D4][$d4_score to $d4_score + 2; $d4_max to $d4_max + 2; $d4_q to 6]]
[[Partial - exists but incomplete or not consistently applied|D4][$d4_score to $d4_score + 1; $d4_max to $d4_max + 2; $d4_q to 6]]
[[No - control absent|D4][$d4_max to $d4_max + 2; $d4_q to 6]]
[[N/A - not applicable; excluded from scoring|D4][$d4_q to 6]]
<<elseif $d4_q is 6>>
<<if $f_dora is "mandatory" or $f_dora is "applicable">>
D4 · 6 / 8 - DORA TLPT
If you are or may be designated as a significant financial entity under DORA, have you initiated or completed Threat-Led Penetration Testing (TLPT) using the TIBER-EU methodology?
[[Yes - in place, applied, and verified|D4][$d4_score to $d4_score + 2; $d4_max to $d4_max + 2; $d4_q to 7]]
[[No - control absent|D4][$d4_max to $d4_max + 2; $d4_q to 7]]
[[N/A - not applicable; excluded from scoring|D4][$d4_q to 7]]
<<else>><<set $d4_q to 7>><<goto "D4">><</if>>
<<elseif $d4_q is 7>>
D4 · 7 / 8 - Vulnerability Classification Methodology
Do you have a documented vulnerability classification and prioritisation methodology that goes beyond CVSS score alone?
[[Yes - in place, applied, and verified|D4][$d4_score to $d4_score + 2; $d4_max to $d4_max + 2; $d4_q to 8]]
[[Partial - exists but incomplete or not consistently applied|D4][$d4_score to $d4_score + 1; $d4_max to $d4_max + 2; $d4_q to 8]]
[[No - control absent|D4][$d4_max to $d4_max + 2; $d4_q to 8]]
[[N/A - not applicable; excluded from scoring|D4][$d4_q to 8]]
<<elseif $d4_q is 8>>
D4 · 8 / 8 - Finding Closure Tracking
Do you systematically track and close findings from penetration tests, vulnerability scans, and audits, with independent verification of closure?
[[Yes - in place, applied, and verified|D4][$d4_score to $d4_score + 2; $d4_max to $d4_max + 2; $d4_q to 9]]
[[Partial - exists but incomplete or not consistently applied|D4][$d4_score to $d4_score + 1; $d4_max to $d4_max + 2; $d4_q to 9]]
[[No - control absent|D4][$d4_max to $d4_max + 2; $d4_q to 9]]
[[N/A - not applicable; excluded from scoring|D4][$d4_q to 9]]
<<else>>
D4 Complete.
Domain 4: Vulnerability Governance · Score: $d4_score / $d4_max
<<set $d4_done to true>>
[[Return to Hub →|DomainHub]]
<</if>>

<<set $progress_domain to 5>><<set $progress_name to "Formal Trust & Verification">><<set $progress_qmax to 8>><<set $progress_q to $d5_q>>
<<include "WidgetDomainProgress">>
<<if $d5_q is 0>>
## D5: Formal Trust & Verification
What this domain covers: Software supply chain integrity - build provenance, artefact signing, dependency management. CRA and NIS2 require secure development and supply chain risk management.
8 questions · NIS2: $f_nis2 · CRA: $f_cra
[[Begin Domain 5 →|D5][$d5_q to 1]]
<<elseif $d5_q is 1>>
D5 · 1 / 8 - [question heading not present in source]
[question text not present in source]
[[Yes - in place, applied, and verified|D5][$d5_score to $d5_score + 2; $d5_max to $d5_max + 2; $d5_q to 2]]
[[Partial - exists but incomplete or not consistently applied|D5][$d5_score to $d5_score + 1; $d5_max to $d5_max + 2; $d5_q to 2]]
[[No - control absent|D5][$d5_max to $d5_max + 2; $d5_q to 2]]
[[N/A - not applicable; excluded from scoring|D5][$d5_q to 2]]
<<elseif $d5_q is 2>>
D5 · 2 / 8 - Software Update Verification
Do you verify the integrity of software updates before applying them - cryptographic signature verification or controlled staging before production?
<em>NIS2 Art.21(2)(e) · NIST SSDF</em>
[[Yes - in place, applied, and verified|D5][$d5_score to $d5_score + 2; $d5_max to $d5_max + 2; $d5_q to 3]]
[[Partial - exists but incomplete or not consistently applied|D5][$d5_score to $d5_score + 1; $d5_max to $d5_max + 2; $d5_q to 3]]
[[No - control absent|D5][$d5_max to $d5_max + 2; $d5_q to 3]]
[[N/A - not applicable; excluded from scoring|D5][$d5_q to 3]]
<<elseif $d5_q is 3>>
D5 · 3 / 8 - Software Composition Analysis
Do you run or commission Software Composition Analysis (SCA) for critical systems, identifying known-vulnerable components in software you deploy?
<em>NIS2 Art.21(2)(d) · CISA SBOM guidance</em>
[[Yes - in place, applied, and verified|D5][$d5_score to $d5_score + 2; $d5_max to $d5_max + 2; $d5_q to 4]]
[[Partial - exists but incomplete or not consistently applied|D5][$d5_score to $d5_score + 1; $d5_max to $d5_max + 2; $d5_q to 4]]
[[No - control absent|D5][$d5_max to $d5_max + 2; $d5_q to 4]]
[[N/A - not applicable; excluded from scoring|D5][$d5_q to 4]]
<<elseif $d5_q is 4>>
D5 · 4 / 8 - Vendor Security Assessment
Do you assess the security posture of critical software vendors before deployment - incident history, security documentation, update signing practices?
<em>NIS2 Art.21(2)(d) · DORA Art.28–30 (ICT third-party, if applicable)</em>
[[Yes - in place, applied, and verified|D5][$d5_score to $d5_score + 2; $d5_max to $d5_max + 2; $d5_q to 5]]
[[Partial - exists but incomplete or not consistently applied|D5][$d5_score to $d5_score + 1; $d5_max to $d5_max + 2; $d5_q to 5]]
[[No - control absent|D5][$d5_max to $d5_max + 2; $d5_q to 5]]
[[N/A - not applicable; excluded from scoring|D5][$d5_q to 5]]
<<elseif $d5_q is 5>>
D5 · 5 / 8 - Artefact Signing (Internal)
For any software or scripts your organisation develops or customises internally, are artefacts signed with a key under your control before deployment?
<em>CRA secure-by-design · NIS2 Art.21(2)(e)</em>
[[Yes - in place, applied, and verified|D5][$d5_score to $d5_score + 2; $d5_max to $d5_max + 2; $d5_q to 6]]
[[Partial - exists but incomplete or not consistently applied|D5][$d5_score to $d5_score + 1; $d5_max to $d5_max + 2; $d5_q to 6]]
[[No - control absent|D5][$d5_max to $d5_max + 2; $d5_q to 6]]
[[N/A - not applicable; excluded from scoring|D5][$d5_q to 6]]
<<elseif $d5_q is 6>>
D5 · 6 / 8 - Build Pipeline Documentation
For internally developed or customised systems, is the build pipeline documented and access-controlled so a compromise would be detected?
<em>CRA Annex I · NIST SSDF</em>
[[Yes - in place, applied, and verified|D5][$d5_score to $d5_score + 2; $d5_max to $d5_max + 2; $d5_q to 7]]
[[Partial - exists but incomplete or not consistently applied|D5][$d5_score to $d5_score + 1; $d5_max to $d5_max + 2; $d5_q to 7]]
[[No - control absent|D5][$d5_max to $d5_max + 2; $d5_q to 7]]
[[N/A - not applicable; excluded from scoring|D5][$d5_q to 7]]
<<elseif $d5_q is 7>>
D5 · 7 / 8 - Supply Chain Compromise Response
Do you have a documented process for responding to upstream software supply chain compromises (e.g. vendor announcing backdoored updates)?
<em>NIS2 Art.21 · CISA supply chain guidance</em>
[[Yes - in place, applied, and verified|D5][$d5_score to $d5_score + 2; $d5_max to $d5_max + 2; $d5_q to 8]]
[[Partial - exists but incomplete or not consistently applied|D5][$d5_score to $d5_score + 1; $d5_max to $d5_max + 2; $d5_q to 8]]
[[No - control absent|D5][$d5_max to $d5_max + 2; $d5_q to 8]]
[[N/A - not applicable; excluded from scoring|D5][$d5_q to 8]]
<<elseif $d5_q is 8>>
D5 · 8 / 8 - Container and Image Verification
Do you verify the integrity of third-party containers and VM images before use (cryptographically verified registry or content trust)?
<em>NIS2 Art.21(2)(e) · NIST SSDF</em>
[[Yes - in place, applied, and verified|D5][$d5_score to $d5_score + 2; $d5_max to $d5_max + 2; $d5_q to 9]]
[[Partial - exists but incomplete or not consistently applied|D5][$d5_score to $d5_score + 1; $d5_max to $d5_max + 2; $d5_q to 9]]
[[No - control absent|D5][$d5_max to $d5_max + 2; $d5_q to 9]]
[[N/A - not applicable; excluded from scoring|D5][$d5_q to 9]]
<<else>>
D5 Complete. Domain 5: Formal Trust & Verification · Score: $d5_score / $d5_max
<<set $d5_done to true>>
[[Return to Hub →|DomainHub]]
<</if>><<set $progress_domain to 6>><<set $progress_name to "Hypervisor & Cloud Sovereignty">><<set $progress_qmax to 8>><<set $progress_q to $d6_q>>
<<include "WidgetDomainProgress">>
<<if $d6_q is 0>>
## D6: Hypervisor & Cloud Sovereignty
What this domain covers: Jurisdictional and technical sovereignty of cloud and virtualisation. Data residency, encryption control, and exit strategy under NIS2 and DORA.
8 questions · NIS2: $f_nis2 · DORA: $f_dora
[[Begin Domain 6 →|D6][$d6_q to 1]]
<<elseif $d6_q is 1>>
D6 · 1 / 8 - [question heading not present in source]
[question text not present in source]
[[Yes - in place, applied, and verified|D6][$d6_score to $d6_score + 2; $d6_max to $d6_max + 2; $d6_q to 2]]
[[Partial - exists but incomplete or not consistently applied|D6][$d6_score to $d6_score + 1; $d6_max to $d6_max + 2; $d6_q to 2]]
[[No - control absent|D6][$d6_max to $d6_max + 2; $d6_q to 2]]
[[N/A - not applicable; excluded from scoring|D6][$d6_q to 2]]
<<elseif $d6_q is 2>>
D6 · 2 / 8 - Customer-Managed Keys
Do you use customer-managed encryption keys (BYOK/HYOK) for sensitive data at rest so the provider holds ciphertext but not keys?
<em>NIS2 Art.21(2)(e) · GDPR Art.32</em>
[[Yes - in place, applied, and verified|D6][$d6_score to $d6_score + 2; $d6_max to $d6_max + 2; $d6_q to 3]]
[[Partial - exists but incomplete or not consistently applied|D6][$d6_score to $d6_score + 1; $d6_max to $d6_max + 2; $d6_q to 3]]
[[No - control absent|D6][$d6_max to $d6_max + 2; $d6_q to 3]]
[[N/A - not applicable; excluded from scoring|D6][$d6_q to 3]]
<<elseif $d6_q is 3>>
D6 · 3 / 8 - Data Residency and Sovereignty Clauses
Do cloud and managed service contracts include explicit data residency and sovereignty clauses (ownership, governance, return on termination)?
<em>GDPR Art.28 · DORA Art.28–30</em>
[[Yes - in place, applied, and verified|D6][$d6_score to $d6_score + 2; $d6_max to $d6_max + 2; $d6_q to 4]]
[[Partial - exists but incomplete or not consistently applied|D6][$d6_score to $d6_score + 1; $d6_max to $d6_max + 2; $d6_q to 4]]
[[No - control absent|D6][$d6_max to $d6_max + 2; $d6_q to 4]]
[[N/A - not applicable; excluded from scoring|D6][$d6_q to 4]]
<<elseif $d6_q is 4>>
D6 · 4 / 8 - Hypervisor and Abstraction Layer Integrity
Do you verify and monitor the integrity of hypervisor, container runtime, or platform abstraction layers underlying critical workloads?
<em>NIS2 Art.21(2)(e)</em>
[[Yes - in place, applied, and verified|D6][$d6_score to $d6_score + 2; $d6_max to $d6_max + 2; $d6_q to 5]]
[[Partial - exists but incomplete or not consistently applied|D6][$d6_score to $d6_score + 1; $d6_max to $d6_max + 2; $d6_q to 5]]
[[No - control absent|D6][$d6_max to $d6_max + 2; $d6_q to 5]]
[[N/A - not applicable; excluded from scoring|D6][$d6_q to 5]]
<<elseif $d6_q is 5>>
D6 · 5 / 8 - Cloud Concentration Risk
Have you assessed cloud provider concentration risk (operational resilience if primary provider is unavailable or changes terms)?
<em>NIS2 Art.21 · DORA Art.25 (ICT continuity)</em>
[[Yes - in place, applied, and verified|D6][$d6_score to $d6_score + 2; $d6_max to $d6_max + 2; $d6_q to 6]]
[[Partial - exists but incomplete or not consistently applied|D6][$d6_score to $d6_score + 1; $d6_max to $d6_max + 2; $d6_q to 6]]
[[No - control absent|D6][$d6_max to $d6_max + 2; $d6_q to 6]]
[[N/A - not applicable; excluded from scoring|D6][$d6_q to 6]]
<<elseif $d6_q is 6>>
D6 · 6 / 8 - Confidential Computing
Have you evaluated confidential computing (TEE, attested execution) for high-sensitivity workloads?
<em>NIS2 Art.21(2)(e)</em>
[[Yes - in place, applied, and verified|D6][$d6_score to $d6_score + 2; $d6_max to $d6_max + 2; $d6_q to 7]]
[[Partial - exists but incomplete or not consistently applied|D6][$d6_score to $d6_score + 1; $d6_max to $d6_max + 2; $d6_q to 7]]
[[No - control absent|D6][$d6_max to $d6_max + 2; $d6_q to 7]]
[[N/A - not applicable; excluded from scoring|D6][$d6_q to 7]]
<<elseif $d6_q is 7>>
D6 · 7 / 8 - Cloud Configuration Drift
Do you monitor and alert on cloud configuration drift (security groups, IAM, storage permissions, encryption settings)?
<em>NIS2 Art.21(2)(e)</em>
[[Yes - in place, applied, and verified|D6][$d6_score to $d6_score + 2; $d6_max to $d6_max + 2; $d6_q to 8]]
[[Partial - exists but incomplete or not consistently applied|D6][$d6_score to $d6_score + 1; $d6_max to $d6_max + 2; $d6_q to 8]]
[[No - control absent|D6][$d6_max to $d6_max + 2; $d6_q to 8]]
[[N/A - not applicable; excluded from scoring|D6][$d6_q to 8]]
<<elseif $d6_q is 8>>
D6 · 8 / 8 - Cloud Exit Strategy
Do you have a tested exit strategy - documented, verified process for migrating critical workloads away from your primary provider?
<em>NIS2 Art.21 · DORA Art.25</em>
[[Yes - in place, applied, and verified|D6][$d6_score to $d6_score + 2; $d6_max to $d6_max + 2; $d6_q to 9]]
[[Partial - exists but incomplete or not consistently applied|D6][$d6_score to $d6_score + 1; $d6_max to $d6_max + 2; $d6_q to 9]]
[[No - control absent|D6][$d6_max to $d6_max + 2; $d6_q to 9]]
[[N/A - not applicable; excluded from scoring|D6][$d6_q to 9]]
<<else>>
D6 Complete. Domain 6: Hypervisor & Cloud Sovereignty · Score: $d6_score / $d6_max
<<set $d6_done to true>>
[[Return to Hub →|DomainHub]]
<</if>><<set $progress_domain to 7>><<set $progress_name to "Data Jurisdiction & Unicity">><<set $progress_qmax to 8>><<set $progress_q to $d7_q>>
<<include "WidgetDomainProgress">>
<<if $d7_q is 0>>
## D7: Data Jurisdiction & Unicity
What this domain covers: Where your data sits legally - residency, lawful access risk, and unicity (single source of truth). GDPR and NIS2 impose security and breach obligations.
8 questions · GDPR: $f_gdpr · NIS2: $f_nis2
[[Begin Domain 7 →|D7][$d7_q to 1]]
<<elseif $d7_q is 1>>
D7 · 1 / 8 - [question heading not present in source]
[question text not present in source]
[[Yes - in place, applied, and verified|D7][$d7_score to $d7_score + 2; $d7_max to $d7_max + 2; $d7_q to 2]]
[[Partial - exists but incomplete or not consistently applied|D7][$d7_score to $d7_score + 1; $d7_max to $d7_max + 2; $d7_q to 2]]
[[No - control absent|D7][$d7_max to $d7_max + 2; $d7_q to 2]]
[[N/A - not applicable; excluded from scoring|D7][$d7_q to 2]]
<<elseif $d7_q is 2>>
D7 · 2 / 8 - International Transfer Governance
Do you document and govern international transfers (third countries) with appropriate safeguards (adequacy, SCCs, BCRs)?
<em>GDPR Ch.V</em>
[[Yes - in place, applied, and verified|D7][$d7_score to $d7_score + 2; $d7_max to $d7_max + 2; $d7_q to 3]]
[[Partial - exists but incomplete or not consistently applied|D7][$d7_score to $d7_score + 1; $d7_max to $d7_max + 2; $d7_q to 3]]
[[No - control absent|D7][$d7_max to $d7_max + 2; $d7_q to 3]]
[[N/A - not applicable; excluded from scoring|D7][$d7_q to 3]]
<<elseif $d7_q is 3>>
D7 · 3 / 8 - Data Residency Documentation
Have you documented where critical and personal data is stored and processed (region, jurisdiction, sub-processors)?
<em>GDPR Art.28 · NIS2 Art.21</em>
[[Yes - in place, applied, and verified|D7][$d7_score to $d7_score + 2; $d7_max to $d7_max + 2; $d7_q to 4]]
[[Partial - exists but incomplete or not consistently applied|D7][$d7_score to $d7_score + 1; $d7_max to $d7_max + 2; $d7_q to 4]]
[[No - control absent|D7][$d7_max to $d7_max + 2; $d7_q to 4]]
[[N/A - not applicable; excluded from scoring|D7][$d7_q to 4]]
<<elseif $d7_q is 4>>
D7 · 4 / 8 - Lawful Access Risk Assessment
Have you assessed the risk of lawful access requests (government, law enforcement) to your data in each jurisdiction where you operate or store data?
<em>GDPR Art.48 · NIS2</em>
[[Yes - in place, applied, and verified|D7][$d7_score to $d7_score + 2; $d7_max to $d7_max + 2; $d7_q to 5]]
[[Partial - exists but incomplete or not consistently applied|D7][$d7_score to $d7_score + 1; $d7_max to $d7_max + 2; $d7_q to 5]]
[[No - control absent|D7][$d7_max to $d7_max + 2; $d7_q to 5]]
[[N/A - not applicable; excluded from scoring|D7][$d7_q to 5]]
<<elseif $d7_q is 5>>
D7 · 5 / 8 - Data Minimisation and Retention
Do you apply data minimisation and have documented retention and deletion schedules for all personal data categories?
<em>GDPR Art.5 · Art.32</em>
[[Yes - in place, applied, and verified|D7][$d7_score to $d7_score + 2; $d7_max to $d7_max + 2; $d7_q to 6]]
[[Partial - exists but incomplete or not consistently applied|D7][$d7_score to $d7_score + 1; $d7_max to $d7_max + 2; $d7_q to 6]]
[[No - control absent|D7][$d7_max to $d7_max + 2; $d7_q to 6]]
[[N/A - not applicable; excluded from scoring|D7][$d7_q to 6]]
<<elseif $d7_q is 6>>
D7 · 6 / 8 - Breach Response and Notification
Do you have a documented and rehearsed personal data breach response procedure (including GDPR 72-hour notification)?
<em>GDPR Art.33–34 · NIS2 Art.23</em>
[[Yes - in place, applied, and verified|D7][$d7_score to $d7_score + 2; $d7_max to $d7_max + 2; $d7_q to 7]]
[[Partial - exists but incomplete or not consistently applied|D7][$d7_score to $d7_score + 1; $d7_max to $d7_max + 2; $d7_q to 7]]
[[No - control absent|D7][$d7_max to $d7_max + 2; $d7_q to 7]]
[[N/A - not applicable; excluded from scoring|D7][$d7_q to 7]]
<<elseif $d7_q is 7>>
D7 · 7 / 8 - Processor and Sub-Processor Governance
Do all processor contracts include GDPR Art.28-compliant terms (instructions, security, sub-processors, audit, return)?
<em>GDPR Art.28</em>
[[Yes - in place, applied, and verified|D7][$d7_score to $d7_score + 2; $d7_max to $d7_max + 2; $d7_q to 8]]
[[Partial - exists but incomplete or not consistently applied|D7][$d7_score to $d7_score + 1; $d7_max to $d7_max + 2; $d7_q to 8]]
[[No - control absent|D7][$d7_max to $d7_max + 2; $d7_q to 8]]
[[N/A - not applicable; excluded from scoring|D7][$d7_q to 8]]
<<elseif $d7_q is 8>>
D7 · 8 / 8 - Unicity and Master Data
Do you maintain a defined unicity strategy for critical master data (single source of truth, reconciliation, golden records)?
<em>NIS2 Art.21 · DORA (data quality where applicable)</em>
[[Yes - in place, applied, and verified|D7][$d7_score to $d7_score + 2; $d7_max to $d7_max + 2; $d7_q to 9]]
[[Partial - exists but incomplete or not consistently applied|D7][$d7_score to $d7_score + 1; $d7_max to $d7_max + 2; $d7_q to 9]]
[[No - control absent|D7][$d7_max to $d7_max + 2; $d7_q to 9]]
[[N/A - not applicable; excluded from scoring|D7][$d7_q to 9]]
<<else>>
D7 Complete. Domain 7: Data Jurisdiction & Unicity · Score: $d7_score / $d7_max
<<set $d7_done to true>>
[[Return to Hub →|DomainHub]]
<</if>><<set $progress_domain to 8>><<set $progress_name to "AI Supply Chain & Platform Dependency">><<set $progress_qmax to 8>><<set $progress_q to $d8_q>>
<<include "WidgetDomainProgress">>
<<if $d8_q is 0>>
## D8: AI Supply Chain & Platform Dependency
What this domain covers: Provenance, jurisdiction, and governance of AI systems you use or deploy. EU AI Act and NIS2 impose risk-based obligations.
8 questions · EU AI Act: $f_aiact · NIS2: $f_nis2
[[Begin Domain 8 →|D8][$d8_q to 1]]
<<elseif $d8_q is 1>>
D8 · 1 / 8 - AI Systems Inventory
Do you maintain an inventory of all AI systems in use (commercial tools, embedded AI, systems processing personal or critical data)?
<em>EU AI Act Regulation (EU) 2024/1689 · NIST AI RMF 2.0 · NIS2 Art.21</em>
[[Yes - in place, applied, and verified|D8][$d8_score to $d8_score + 2; $d8_max to $d8_max + 2; $d8_q to 2]]
[[Partial - exists but incomplete or not consistently applied|D8][$d8_score to $d8_score + 1; $d8_max to $d8_max + 2; $d8_q to 2]]
[[No - control absent|D8][$d8_max to $d8_max + 2; $d8_q to 2]]
[[N/A - not applicable; excluded from scoring|D8][$d8_q to 2]]
<<elseif $d8_q is 2>>
D8 · 2 / 8 - Training Data and Provenance
Have you assessed training data provenance and governance for AI systems you use (including high-risk or Annex III)?
<em>EU AI Act Art.10 (data governance for high-risk AI) · GDPR Art.5 (where personal data) · NIST AI RMF 2.0 · NIST-AI-600-1 (Generative AI Profile, Jul 2024) · ISO/IEC 42001</em>
[[Yes - in place, applied, and verified|D8][$d8_score to $d8_score + 2; $d8_max to $d8_max + 2; $d8_q to 3]]
[[Partial - exists but incomplete or not consistently applied|D8][$d8_score to $d8_score + 1; $d8_max to $d8_max + 2; $d8_q to 3]]
[[No - control absent|D8][$d8_max to $d8_max + 2; $d8_q to 3]]
[[N/A - not applicable; excluded from scoring|D8][$d8_q to 3]]
<<elseif $d8_q is 3>>
D8 · 3 / 8 - AI Data Processing Jurisdiction
Do you document and control where AI inference runs (prompts, outputs, retention) for systems processing personal or critical data?
<em>GDPR · NIS2 Art.21</em>
[[Yes - in place, applied, and verified|D8][$d8_score to $d8_score + 2; $d8_max to $d8_max + 2; $d8_q to 4]]
[[Partial - exists but incomplete or not consistently applied|D8][$d8_score to $d8_score + 1; $d8_max to $d8_max + 2; $d8_q to 4]]
[[No - control absent|D8][$d8_max to $d8_max + 2; $d8_q to 4]]
[[N/A - not applicable; excluded from scoring|D8][$d8_q to 4]]
<<elseif $d8_q is 4>>
D8 · 4 / 8 - AI Governance Policy
Do you have a documented AI governance policy (permitted/prohibited uses, human oversight, evaluation of new tools)?
<em>EU AI Act · NIS2 Art.21</em>
[[Yes - in place, applied, and verified|D8][$d8_score to $d8_score + 2; $d8_max to $d8_max + 2; $d8_q to 5]]
[[Partial - exists but incomplete or not consistently applied|D8][$d8_score to $d8_score + 1; $d8_max to $d8_max + 2; $d8_q to 5]]
[[No - control absent|D8][$d8_max to $d8_max + 2; $d8_q to 5]]
[[N/A - not applicable; excluded from scoring|D8][$d8_q to 5]]
<<elseif $d8_q is 5>>
D8 · 5 / 8 - AI Vendor Terms
Have you reviewed AI platform terms (data retention, training opt-out, use of inputs for training) for systems processing your data?
<em>EU AI Act Art.13 (provider instructions to deployers) · GDPR Art.28 · ISO/IEC 42001</em>
[[Yes - in place, applied, and verified|D8][$d8_score to $d8_score + 2; $d8_max to $d8_max + 2; $d8_q to 6]]
[[Partial - exists but incomplete or not consistently applied|D8][$d8_score to $d8_score + 1; $d8_max to $d8_max + 2; $d8_q to 6]]
[[No - control absent|D8][$d8_max to $d8_max + 2; $d8_q to 6]]
[[N/A - not applicable; excluded from scoring|D8][$d8_q to 6]]
<<elseif $d8_q is 6>>
D8 · 6 / 8 - EU AI Act Deployer Obligations & Concentration Risk
Have you assessed whether any AI system you deploy falls within the high-risk categories defined in Annex III of the EU AI Act - and if so, whether you are meeting the deployer obligations that became enforceable on 2 August 2026?
<em>This question covers two connected controls: your legal classification duty and your operational dependency risk.</em>
Part 1 - Annex III Classification
Annex III defines eight categories of AI use cases that are automatically classified as high-risk under Article 6(2). If your organisation deploys AI in any of these categories, the full Chapter III compliance burden applies to you as a deployer:
1. Biometrics - real-time and post-remote biometric identification; emotion recognition; biometric categorisation inferring sensitive attributes
2. Critical infrastructure - AI used as a safety component in management of road traffic, water, gas, heating, or electricity supply
3. Education and vocational training - AI that determines access to, or evaluates performance in, educational institutions or vocational qualifications
4. Employment, worker management, and access to self-employment - AI used for recruitment, CV screening, promotion, task allocation, or monitoring and evaluation of workers
5. Access to essential private and public services - AI used in credit scoring, life and health insurance risk assessment, emergency call prioritisation and dispatch, benefit eligibility assessment
6. Law enforcement - AI used to assess the risk of a natural person offending or re-offending; polygraph-type systems; profiling in criminal investigations
7. Migration, asylum, and border control - AI for assessing irregular migration risk, applications for visas or asylum, border surveillance
8. Administration of justice and democratic processes - AI assisting courts in fact research or applying law to facts; AI influencing elections
Note: systems that only perform a narrow procedural task, improve a previously completed human decision without replacing it, or prepare an assessment without determining its outcome may qualify for the Article 6(3) non-high-risk exemption - but the burden of documenting that exemption rests on the provider, and as a deployer you should confirm it has been documented before deployment.
Part 2 - Your Obligations as a Deployer (Article 26)
Article 26 sets out the specific obligations for organisations that deploy high-risk AI systems, distinct from those that develop them. These obligations apply from 2 August 2026 for Annex III systems, and from 2 August 2027 for high-risk AI embedded in regulated products (medical devices, machinery, aviation, automotive):
- Use in accordance with instructions (Art. 26(1)): You must deploy the system only within the conditions of its intended purpose as specified in the provider's instructions for use. Applying the system to a population or context not covered by the provider's technical documentation is a compliance breach.
- Human oversight (Art. 26(2)): You must assign oversight responsibility to named individuals with the necessary competence, training, and authority. Oversight cannot be left to a generic policy; a specific person or role must be accountable for each high-risk deployment.
- Input data quality (Art. 26(4)): Where the input data is under your control, you must ensure it is relevant and sufficiently representative for the intended purpose. In a recruitment screening or benefit eligibility tool, data quality is your responsibility, not the provider's.
- Log retention (Art. 26(6)): You must retain automatically generated logs for a minimum of six months where those logs are accessible to you. These are the primary evidence base for incident investigations and regulatory audits.
- Serious incident reporting (Art. 26(5)): You must report serious incidents - defined as those directly or indirectly causing death, serious harm, or irreversible disruption of critical infrastructure - to the provider and to the relevant national market surveillance authority.
- Informing affected persons (Art. 26(11)): Where an Annex III system makes or assists in making decisions affecting natural persons, you must inform those persons that they are subject to an AI system. This obligation rests on you as deployer, not only on the provider.
- Fundamental Rights Impact Assessment (Art. 27): Public authorities deploying Annex III systems, and private organisations deploying Annex III systems in credit scoring, employment, education, or essential services, must conduct a Fundamental Rights Impact Assessment before deployment. The FRIA must document impacts on groups at risk of discrimination and how those risks will be mitigated.
- EU database registration (Art. 26(8)): If you are a public authority deploying an Annex III system, verify that the system is registered in the EU AI database before use. If it is not, you may not use it.
Part 3 - What You Should Be Receiving from Your Provider (Arts. 11 and 13)
Article 11 requires providers to draw up technical documentation before placing a high-risk AI system on the market, covering: the system's design logic and intended purpose; data governance practices; testing and validation methodology; accuracy metrics and known performance limitations; human oversight mechanisms; and the conditions under which performance may degrade. As a deployer, you have the right to this documentation on request and should be holding it.
Article 13 requires that every high-risk AI system be accompanied by instructions for use that include: provider identity and contact details; the system's capabilities, limitations, and accuracy metrics; any foreseeable circumstances that could cause failure or harmful outputs; instructions for interpreting the system's outputs; and input data specifications. Your Article 26 obligations cannot be met without the Article 13 instructions - if your provider cannot supply them, this is itself a supply chain compliance gap.
Part 4 - Concentration Risk
Separately from your classification and compliance obligations: have you assessed your operational dependency on a single AI provider - and your continuity position if that provider changes terms, becomes unavailable, or is subject to export controls or sanctions? For organisations with EU or UK operations, this is directly relevant to DORA Art. 28 if AI infrastructure qualifies as a critical ICT service, and to NIS2 Art. 21 supply chain risk management requirements.
<em>Score Yes if: you have completed an Annex III classification review for all AI systems you deploy; you have documented your Art. 26 obligations and assigned human oversight; and you have assessed concentration risk across your AI supply chain. Score Partial if classification review or oversight assignment is incomplete. Score No if neither has been done.</em>
<em>EU AI Act Regulation (EU) 2024/1689 · Art. 6 (classification rules) · Annex III (high-risk use cases) · Art. 9 (risk management system) · Art. 11 (technical documentation) · Art. 13 (transparency to deployers) · Art. 26 (deployer obligations) · Art. 27 (Fundamental Rights Impact Assessment) · NIST AI RMF 2.0 · NIST-AI-600-1 · ISO/IEC 42001 · NIS2 Art. 21 · DORA Art. 28</em>
[[Yes - in place, applied, and verified|D8][$d8_score to $d8_score + 2; $d8_max to $d8_max + 2; $d8_q to 7]]
[[Partial - exists but incomplete or not consistently applied|D8][$d8_score to $d8_score + 1; $d8_max to $d8_max + 2; $d8_q to 7]]
[[No - control absent|D8][$d8_max to $d8_max + 2; $d8_q to 7]]
[[N/A - not applicable; excluded from scoring|D8][$d8_q to 7]]
<<elseif $d8_q is 7>>
D8 · 7 / 8 - AI Output Monitoring
Do you monitor AI outputs for unexpected disclosures, accuracy drift, and adverse decisions (with escalation and human review)?
<em>EU AI Act (high-risk) · NIS2 Art.21</em>
[[Yes - in place, applied, and verified|D8][$d8_score to $d8_score + 2; $d8_max to $d8_max + 2; $d8_q to 8]]
[[Partial - exists but incomplete or not consistently applied|D8][$d8_score to $d8_score + 1; $d8_max to $d8_max + 2; $d8_q to 8]]
[[No - control absent|D8][$d8_max to $d8_max + 2; $d8_q to 8]]
[[N/A - not applicable; excluded from scoring|D8][$d8_q to 8]]
<<elseif $d8_q is 8>>
D8 · 8 / 8 - AI Incident Response
Do you have a documented process for responding to AI supply chain or integrity incidents (e.g. provider announcing compromised training or inference)?
<em>NIS2 Art.23 · EU AI Act</em>
[[Yes - in place, applied, and verified|D8][$d8_score to $d8_score + 2; $d8_max to $d8_max + 2; $d8_q to 9]]
[[Partial - exists but incomplete or not consistently applied|D8][$d8_score to $d8_score + 1; $d8_max to $d8_max + 2; $d8_q to 9]]
[[No - control absent|D8][$d8_max to $d8_max + 2; $d8_q to 9]]
[[N/A - not applicable; excluded from scoring|D8][$d8_q to 9]]
<<else>>
D8 Complete. Domain 8: AI Supply Chain & Platform Dependency · Score: $d8_score / $d8_max
<<set $d8_done to true>>
[[Return to Hub →|DomainHub]]
<</if>><<set $progress_domain to 9>><<set $progress_name to "ICT Vendor & Third-Party Risk">><<set $progress_qmax to 8>><<set $progress_q to $d9_q>>
<<include "WidgetDomainProgress">>
<<if $d9_q is 0>>
## D9: ICT Vendor & Third-Party Risk
What this domain covers: Governance of third parties that underpin your ICT operations. NIS2 and DORA impose third-party and concentration risk requirements.
8 questions · NIS2: $f_nis2 · DORA: $f_dora
[[Begin Domain 9 →|D9][$d9_q to 1]]
<<elseif $d9_q is 1>>
D9 · 1 / 8 - [question heading not present in source]
[question text not present in source]
[[Yes - in place, applied, and verified|D9][$d9_score to $d9_score + 2; $d9_max to $d9_max + 2; $d9_q to 2]]
[[Partial - exists but incomplete or not consistently applied|D9][$d9_score to $d9_score + 1; $d9_max to $d9_max + 2; $d9_q to 2]]
[[No - control absent|D9][$d9_max to $d9_max + 2; $d9_q to 2]]
[[N/A - not applicable; excluded from scoring|D9][$d9_q to 2]]
<<elseif $d9_q is 2>>
D9 · 2 / 8 - Contractual Security and Sovereignty
Do critical ICT vendor contracts include security baselines, data sovereignty/residency clauses, and audit rights?
<em>NIS2 Art.21 · DORA Art.28–30 · GDPR Art.28</em>
[[Yes - in place, applied, and verified|D9][$d9_score to $d9_score + 2; $d9_max to $d9_max + 2; $d9_q to 3]]
[[Partial - exists but incomplete or not consistently applied|D9][$d9_score to $d9_score + 1; $d9_max to $d9_max + 2; $d9_q to 3]]
[[No - control absent|D9][$d9_max to $d9_max + 2; $d9_q to 3]]
[[N/A - not applicable; excluded from scoring|D9][$d9_q to 3]]
<<elseif $d9_q is 3>>
D9 · 3 / 8 - Concentration Risk Assessment
Have you conducted a formal ICT concentration risk assessment (exposure where multiple critical functions depend on the same vendor or geography)?
<em>NIS2 Art.21 · DORA Art.29</em>
[[Yes - in place, applied, and verified|D9][$d9_score to $d9_score + 2; $d9_max to $d9_max + 2; $d9_q to 4]]
[[Partial - exists but incomplete or not consistently applied|D9][$d9_score to $d9_score + 1; $d9_max to $d9_max + 2; $d9_q to 4]]
[[No - control absent|D9][$d9_max to $d9_max + 2; $d9_q to 4]]
[[N/A - not applicable; excluded from scoring|D9][$d9_q to 4]]
<<elseif $d9_q is 4>>
D9 · 4 / 8 - Exit Strategy and Substitutability
Do you have a tested exit strategy and substitutability assessment for critical ICT vendors (max tolerable disruption, verified alternative)?
<em>NIS2 Art.21 · DORA Art.25</em>
[[Yes - in place, applied, and verified|D9][$d9_score to $d9_score + 2; $d9_max to $d9_max + 2; $d9_q to 5]]
[[Partial - exists but incomplete or not consistently applied|D9][$d9_score to $d9_score + 1; $d9_max to $d9_max + 2; $d9_q to 5]]
[[No - control absent|D9][$d9_max to $d9_max + 2; $d9_q to 5]]
[[N/A - not applicable; excluded from scoring|D9][$d9_q to 5]]
<<elseif $d9_q is 5>>
D9 · 5 / 8 - Vendor Security Requirements
Do critical vendors meet your documented security requirements, with contracts requiring incident notification within a defined SLA?
<em>NIS2 Art.21(2)(d) · DORA Art.28</em>
[[Yes - in place, applied, and verified|D9][$d9_score to $d9_score + 2; $d9_max to $d9_max + 2; $d9_q to 6]]
[[Partial - exists but incomplete or not consistently applied|D9][$d9_score to $d9_score + 1; $d9_max to $d9_max + 2; $d9_q to 6]]
[[No - control absent|D9][$d9_max to $d9_max + 2; $d9_q to 6]]
[[N/A - not applicable; excluded from scoring|D9][$d9_q to 6]]
<<elseif $d9_q is 6>>
D9 · 6 / 8 - Fourth-Party Visibility
Do you have visibility into the ICT dependencies of your critical vendors (and whether fourth-party failure could cascade to you)?
<em>NIS2 Art.21(2)(d)</em>
[[Yes - in place, applied, and verified|D9][$d9_score to $d9_score + 2; $d9_max to $d9_max + 2; $d9_q to 7]]
[[Partial - exists but incomplete or not consistently applied|D9][$d9_score to $d9_score + 1; $d9_max to $d9_max + 2; $d9_q to 7]]
[[No - control absent|D9][$d9_max to $d9_max + 2; $d9_q to 7]]
[[N/A - not applicable; excluded from scoring|D9][$d9_q to 7]]
<<elseif $d9_q is 7>>
D9 · 7 / 8 - Vendor Incident Notification Testing
Have you tested vendor incident notification with at least one critical ICT vendor (e.g. tabletop) in the last 12 months?
<em>NIS2 Art.23 · DORA</em>
[[Yes - in place, applied, and verified|D9][$d9_score to $d9_score + 2; $d9_max to $d9_max + 2; $d9_q to 8]]
[[Partial - exists but incomplete or not consistently applied|D9][$d9_score to $d9_score + 1; $d9_max to $d9_max + 2; $d9_q to 8]]
[[No - control absent|D9][$d9_max to $d9_max + 2; $d9_q to 8]]
[[N/A - not applicable; excluded from scoring|D9][$d9_q to 8]]
<<elseif $d9_q is 8>>
D9 · 8 / 8 - Ongoing Vendor Monitoring
Do you perform ongoing monitoring and periodic reassessment of critical ICT vendors (security posture, compliance, contract adherence)?
<em>NIS2 Art.21 · DORA Art.28–30</em>
[[Yes - in place, applied, and verified|D9][$d9_score to $d9_score + 2; $d9_max to $d9_max + 2; $d9_q to 9]]
[[Partial - exists but incomplete or not consistently applied|D9][$d9_score to $d9_score + 1; $d9_max to $d9_max + 2; $d9_q to 9]]
[[No - control absent|D9][$d9_max to $d9_max + 2; $d9_q to 9]]
[[N/A - not applicable; excluded from scoring|D9][$d9_q to 9]]
<<else>>
D9 Complete. Domain 9: ICT Vendor & Third-Party Risk · Score: $d9_score / $d9_max
<<set $d9_done to true>>
[[Return to Hub →|DomainHub]]
<</if>>
<<set $d1_ratio to 0>><<if $d1_max > 0>><<set $d1_ratio to $d1_score / $d1_max>><</if>>
<<if $d1_ratio >= 0.875>><<set $d1_mat to 4>><<elseif $d1_ratio >= 0.625>><<set $d1_mat to 3>><<elseif $d1_ratio >= 0.375>><<set $d1_mat to 2>><<elseif $d1_ratio >= 0.125>><<set $d1_mat to 1>><<else>><<set $d1_mat to 0>><</if>>
<<set $d2_ratio to 0>><<if $d2_max > 0>><<set $d2_ratio to $d2_score / $d2_max>><</if>>
<<if $d2_ratio >= 0.875>><<set $d2_mat to 4>><<elseif $d2_ratio >= 0.625>><<set $d2_mat to 3>><<elseif $d2_ratio >= 0.375>><<set $d2_mat to 2>><<elseif $d2_ratio >= 0.125>><<set $d2_mat to 1>><<else>><<set $d2_mat to 0>><</if>>
<<set $d3_ratio to 0>><<if $d3_max > 0>><<set $d3_ratio to $d3_score / $d3_max>><</if>>
<<if $d3_ratio >= 0.875>><<set $d3_mat to 4>><<elseif $d3_ratio >= 0.625>><<set $d3_mat to 3>><<elseif $d3_ratio >= 0.375>><<set $d3_mat to 2>><<elseif $d3_ratio >= 0.125>><<set $d3_mat to 1>><<else>><<set $d3_mat to 0>><</if>>
<<set $d4_ratio to 0>><<if $d4_max > 0>><<set $d4_ratio to $d4_score / $d4_max>><</if>>
<<if $d4_ratio >= 0.875>><<set $d4_mat to 4>><<elseif $d4_ratio >= 0.625>><<set $d4_mat to 3>><<elseif $d4_ratio >= 0.375>><<set $d4_mat to 2>><<elseif $d4_ratio >= 0.125>><<set $d4_mat to 1>><<else>><<set $d4_mat to 0>><</if>>
<<set $d5_ratio to 0>><<if $d5_max > 0>><<set $d5_ratio to $d5_score / $d5_max>><</if>>
<<if $d5_ratio >= 0.875>><<set $d5_mat to 4>><<elseif $d5_ratio >= 0.625>><<set $d5_mat to 3>><<elseif $d5_ratio >= 0.375>><<set $d5_mat to 2>><<elseif $d5_ratio >= 0.125>><<set $d5_mat to 1>><<else>><<set $d5_mat to 0>><</if>>
<<set $d6_ratio to 0>><<if $d6_max > 0>><<set $d6_ratio to $d6_score / $d6_max>><</if>>
<<if $d6_ratio >= 0.875>><<set $d6_mat to 4>><<elseif $d6_ratio >= 0.625>><<set $d6_mat to 3>><<elseif $d6_ratio >= 0.375>><<set $d6_mat to 2>><<elseif $d6_ratio >= 0.125>><<set $d6_mat to 1>><<else>><<set $d6_mat to 0>><</if>>
<<set $d7_ratio to 0>><<if $d7_max > 0>><<set $d7_ratio to $d7_score / $d7_max>><</if>>
<<if $d7_ratio >= 0.875>><<set $d7_mat to 4>><<elseif $d7_ratio >= 0.625>><<set $d7_mat to 3>><<elseif $d7_ratio >= 0.375>><<set $d7_mat to 2>><<elseif $d7_ratio >= 0.125>><<set $d7_mat to 1>><<else>><<set $d7_mat to 0>><</if>>
<<set $d8_ratio to 0>><<if $d8_max > 0>><<set $d8_ratio to $d8_score / $d8_max>><</if>>
<<if $d8_ratio >= 0.875>><<set $d8_mat to 4>><<elseif $d8_ratio >= 0.625>><<set $d8_mat to 3>><<elseif $d8_ratio >= 0.375>><<set $d8_mat to 2>><<elseif $d8_ratio >= 0.125>><<set $d8_mat to 1>><<else>><<set $d8_mat to 0>><</if>>
<<set $d9_ratio to 0>><<if $d9_max > 0>><<set $d9_ratio to $d9_score / $d9_max>><</if>>
<<if $d9_ratio >= 0.875>><<set $d9_mat to 4>><<elseif $d9_ratio >= 0.625>><<set $d9_mat to 3>><<elseif $d9_ratio >= 0.375>><<set $d9_mat to 2>><<elseif $d9_ratio >= 0.125>><<set $d9_mat to 1>><<else>><<set $d9_mat to 0>><</if>>
<<set $overall_score to $d1_mat + $d2_mat + $d3_mat + $d4_mat + $d5_mat + $d6_mat + $d7_mat + $d8_mat + $d9_mat>>
<<set $active_count to 9>>
<<set $overall_avg to $overall_score / 9.0>>
<<if $overall_avg <= 0>><<set $posture to "Absent">><<elseif $overall_avg < 1>><<set $posture to "Critical Risk">><<elseif $overall_avg < 2>><<set $posture to "Declared">><<elseif $overall_avg < 3>><<set $posture to "Defined">><<elseif $overall_avg < 3.6>><<set $posture to "Verified">><<else>><<set $posture to "Sovereign">><</if>>
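Added example, not the assessment's own code: a Python reference model of the scoring the macros above perform (Yes 2 / Partial 1 / No 0, N/A excluded from both totals; earned-over-possible mapped to 0–4 at the 0.125/0.375/0.625/0.875 thresholds; mean over all nine domains mapped to the posture bands). It goes one step further than the macros by listing the domains below the Level 2 baseline, worst first, and renders a plain-text summary in the shape of the export report. The domain names are taken from the results passage; the answer keys, `BASELINE`, the gap ordering and the sample answers are assumptions constructed for the example. Note that, like the macros, an all-N/A domain scores maturity 0 rather than being dropped from the average.

```python
"""Reference model of the assessment's scoring, written as an added example;
it is not the Twine story's own code. Answer points, maturity thresholds and
posture bands are copied from the macros; everything else is an assumption."""

from typing import Dict, List, Optional, Tuple

# Points per answer, as in the question links: Yes 2, Partial 1, No 0, N/A excluded.
POINTS: Dict[str, Optional[int]] = {"yes": 2, "partial": 1, "no": 0, "na": None}

# Short domain names as used in the results passage.
DOMAINS: Dict[str, str] = {
    "D1": "Silicon & Hardware", "D2": "Firmware & Kernel", "D3": "Embedded & Edge",
    "D4": "Vulnerability Gov.", "D5": "Formal Trust", "D6": "Cloud Sovereignty",
    "D7": "Data Jurisdiction", "D8": "AI Supply Chain", "D9": "ICT Vendor Risk",
}

BASELINE = 2  # regulatory baseline level: below it a domain is reported as a gap


def domain_score(answers: List[str]) -> Tuple[int, int]:
    """Return (points earned, points possible); an N/A answer adds to neither."""
    score = possible = 0
    for answer in answers:
        pts = POINTS[answer]
        if pts is None:
            continue
        score += pts
        possible += 2
    return score, possible


def maturity(score: int, possible: int) -> int:
    """Map earned/possible to 0-4 with the page's thresholds (nearest quarter).
    A domain with no scorable answers has ratio 0 and therefore maturity 0,
    which is how the macros treat an all-N/A domain."""
    if possible == 0:
        return 0
    ratio = score / possible
    for level, threshold in ((4, 0.875), (3, 0.625), (2, 0.375), (1, 0.125)):
        if ratio >= threshold:
            return level
    return 0


def posture(avg: float) -> str:
    """Posture archetype from the mean maturity, same bands as the macros."""
    if avg <= 0:
        return "Absent"
    if avg < 1:
        return "Critical Risk"
    if avg < 2:
        return "Declared"
    if avg < 3:
        return "Defined"
    if avg < 3.6:
        return "Verified"
    return "Sovereign"


def assess(answers_by_domain: Dict[str, List[str]]) -> Tuple[Dict[str, int], float, str]:
    """Maturity per domain, mean over all nine domains, and posture archetype."""
    mats = {d: maturity(*domain_score(answers_by_domain.get(d, []))) for d in DOMAINS}
    avg = sum(mats.values()) / len(DOMAINS)
    return mats, avg, posture(avg)


def gaps(mats: Dict[str, int]) -> List[str]:
    """Domains below the baseline, lowest maturity first (ties in domain order)."""
    below = [d for d in DOMAINS if mats[d] < BASELINE]
    return sorted(below, key=lambda d: (mats[d], d))


def render_report(org: str, mats: Dict[str, int], avg: float, post: str) -> str:
    """Plain-text summary in the style of the export passage (sector,
    jurisdiction and framework lines are left out of this example)."""
    lines = ["CLEWLINE - SOVEREIGNTY GAP ANALYSIS"]
    if org:
        lines.append(f"Organisation: {org}")
    lines.append("DOMAIN MATURITY (0-4): " + " | ".join(f"{d} {mats[d]}" for d in DOMAINS))
    lines.append("GAPS BELOW BASELINE (LEVEL 2): " + (", ".join(gaps(mats)) or "none"))
    lines.append(f"OVERALL POSTURE: {post} ({avg:.2f} / 4.0)")
    return "\n".join(lines)


# Constructed sample answers (not real assessment data); D5 is entirely N/A.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "D1": ["yes", "yes", "partial", "yes"],
    "D2": ["partial", "partial", "no", "na"],
    "D3": ["no", "no", "na", "na"],
    "D4": ["yes", "partial", "partial", "yes"],
    "D5": ["na", "na", "na", "na"],
    "D6": ["yes", "yes", "yes", "yes"],
    "D7": ["partial", "yes", "no", "partial"],
    "D8": ["no", "partial", "no", "no"],
    "D9": ["yes", "partial", "yes", "na", "partial", "no", "no", "yes"],
}

if __name__ == "__main__":
    m, a, p = assess(SAMPLE_ANSWERS)
    print(render_report("Example Org", m, a, p))
```

With the sample answers the nine maturities sum to 17, giving a mean of 1.89 and the "Declared" posture; D3 and D5 (maturity 0) and D2 and D8 (maturity 1) are listed as gaps against the Level 2 baseline.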
## Results: Domain Maturity Scores
<<if $org_name is not "">>$org_name · <</if>>Clewline Sovereignty Gap Analysis
D1 Silicon & Hardware: $d1_score / $d1_max → Maturity $d1_mat / 4 - <<if $d1_mat >= 3>>✓ On track<<elseif $d1_mat >= 2>>⚠ Baseline<<else>>✗ Gap<</if>>
D2 Firmware & Kernel: $d2_score / $d2_max → Maturity $d2_mat / 4 - <<if $d2_mat >= 3>>✓ On track<<elseif $d2_mat >= 2>>⚠ Baseline<<else>>✗ Gap<</if>>
D3 Embedded & Edge: $d3_score / $d3_max → Maturity $d3_mat / 4 - <<if $d3_mat >= 3>>✓ On track<<elseif $d3_mat >= 2>>⚠ Baseline<<else>>✗ Gap<</if>>
D4 Vulnerability Gov.: $d4_score / $d4_max → Maturity $d4_mat / 4 - <<if $d4_mat >= 3>>✓ On track<<elseif $d4_mat >= 2>>⚠ Baseline<<else>>✗ Gap<</if>>
D5 Formal Trust: $d5_score / $d5_max → Maturity $d5_mat / 4 - <<if $d5_mat >= 3>>✓ On track<<elseif $d5_mat >= 2>>⚠ Baseline<<else>>✗ Gap<</if>>
D6 Cloud Sovereignty: $d6_score / $d6_max → Maturity $d6_mat / 4 - <<if $d6_mat >= 3>>✓ On track<<elseif $d6_mat >= 2>>⚠ Baseline<<else>>✗ Gap<</if>>
D7 Data Jurisdiction: $d7_score / $d7_max → Maturity $d7_mat / 4 - <<if $d7_mat >= 3>>✓ On track<<elseif $d7_mat >= 2>>⚠ Baseline<<else>>✗ Gap<</if>>
D8 AI Supply Chain: $d8_score / $d8_max → Maturity $d8_mat / 4 - <<if $d8_mat >= 3>>✓ On track<<elseif $d8_mat >= 2>>⚠ Baseline<<else>>✗ Gap<</if>>
D9 ICT Vendor Risk: $d9_score / $d9_max → Maturity $d9_mat / 4 - <<if $d9_mat >= 3>>✓ On track<<elseif $d9_mat >= 2>>⚠ Baseline<<else>>✗ Gap<</if>>
Overall average: <<print $overall_avg.toFixed(2)>> / 4 · Posture: $posture
<em>Maturity: 0=Absent · 1=Declared · 2=Defined · 3=Verified · 4=Sovereign</em>
[[View Posture Summary →|POSTURE]]
## Overall Posture: $posture
<<if $posture is "Absent">>
### Absent - No verified controls
No domain has reached a measurable maturity level yet. Complete all nine domains (answer each question) to establish your baseline. Until then, posture cannot be assessed.
<<elseif $posture is "Critical Risk">>
### Critical Risk - Trust is unexamined
Your infrastructure is operating on trust claims that have never been verified. Three immediate priorities: 1) Asset inventory and vulnerability management (D4). 2) UEFI Secure Boot and TPM measured boot (D2). 3) Cloud key jurisdiction assessment (D6/D7).
<<elseif $posture is "Declared">>
### Declared - Policies exist; controls do not yet match them
The gap is between what the document says and what the system does. Three priorities: 1) Convert policy controls to technical controls in gap domains. 2) Rehearse NIS2 Art.23 incident notification. 3) Run your first supply chain integrity assessment (D5).
<<elseif $posture is "Defined">>
### Defined - Controls in place; continuous verification is the next step
Your controls are documented, consistently applied, and auditable. Three priorities: 1) Move gap domains toward continuous measurement. 2) Address DORA threat-led penetration testing (TLPT) if you are a significant financial entity. 3) The EU AI Act Annex III compliance deadline is 2 August 2026 - complete your deployer classification review, assign named human oversight responsibility, and obtain Art. 11 technical documentation from all providers now.
<<elseif $posture is "Verified">>
### Verified - Continuously measured and attested
Three priorities: 1) Evaluate Post-Quantum Cryptography migration readiness. 2) Complete the DORA Register of Information (RoI) and concentration risk documentation (D9). 3) Require verifiable supply chain integrity from critical ICT providers.
<<elseif $posture is "Sovereign">>
### Sovereign - Trust is technically provable
Three priorities: 1) Maintain and extend formal verification coverage. 2) Lead your supply chain - require SLSA Level 3+ and a hardware SBOM from critical providers. 3) EU AI Act Annex III obligations apply from August 2026 - verify that all high-risk AI providers hold conformity assessments and can supply Art. 11 technical documentation on request; make this a procurement condition.
<<else>>
### Posture summary
Your assessment results are below. If the posture archetype did not display, use the overall average as the primary indicator.
<</if>>
Overall average maturity: <<print $overall_avg.toFixed(2)>> / 4.0 · Posture: $posture
[[Export Report & Next Steps →|EXPORT]]
## Export & Next Steps
Your assessment is complete. You can copy or save the report below.
### What you're saving
The report is a plain-text summary containing: your organisation name (if you gave it), sector and jurisdiction, which regulatory frameworks apply to you (NIS2, DORA, CRA, GDPR, EU AI Act), each domain’s maturity score (0–4), and your overall posture. No individual answers are included; only the scores and the overall summary.
### Where it's stored
This assessment runs in your browser only. We do not collect, store, or send your answers or the report to any server. If you copy the text below, it stays on your device until you paste it somewhere (e.g. a document or email). If you save (e.g. copy into a file and save as .txt, or use your browser’s “Save page as” or “Print to PDF”), the file is saved only where you choose, on your computer or your organisation’s storage. You control the only copy.
<<set $overall_score to $d1_mat + $d2_mat + $d3_mat + $d4_mat + $d5_mat + $d6_mat + $d7_mat + $d8_mat + $d9_mat>>
<<set $overall_avg to $overall_score / 9.0>>
<<if $overall_avg <= 0>><<set $posture to "Absent">><<elseif $overall_avg < 1>><<set $posture to "Critical Risk">><<elseif $overall_avg < 2>><<set $posture to "Declared">><<elseif $overall_avg < 3>><<set $posture to "Defined">><<elseif $overall_avg < 3.6>><<set $posture to "Verified">><<else>><<set $posture to "Sovereign">><</if>>
### Report (copy or save the text below)
CLEWLINE - SOVEREIGNTY GAP ANALYSIS
<<if $org_name is not "">>Organisation: $org_name
<</if>>Sector: <<if $sector is "finance">>Financial Services<<elseif $sector is "healthcare">>Healthcare<<elseif $sector is "energy">>Energy / CNI<<elseif $sector is "government">>Government<<elseif $sector is "tech">>Technology<<else>>Other<</if>> | Jurisdiction: <<if $jurisdiction is "eu">>EU<<elseif $jurisdiction is "uk">>UK<<elseif $jurisdiction is "ukeu">>UK and EU<<else>>Global<</if>>
FRAMEWORK PROFILE: NIS2 $f_nis2 · DORA $f_dora · CRA $f_cra · GDPR $f_gdpr · EU AI Act $f_aiact
DOMAIN MATURITY (0-4): D1 $d1_mat | D2 $d2_mat | D3 $d3_mat | D4 $d4_mat | D5 $d5_mat | D6 $d6_mat | D7 $d7_mat | D8 $d8_mat | D9 $d9_mat
OVERALL POSTURE: $posture (<<print $overall_avg.toFixed(2)>> / 4.0)
Based on Code, Chips and Control by Sal Kimmich
clewline.com · hello@clewline.com
[[Run Another Assessment →|Start]]