Controls

128

Total Controls

Across NIS2, DORA and AI Act

Compliant Controls

Partial Controls

Missing Controls

Control ▴	Regulation ▴	Category ▴	Status ▴	Evidence	Owner ▴
Multi-factor authentication	NIS2	Access control	Compliant	Okta policy	CTO
Incident response process	NIS2	Security governance	Partial	Incident playbook	Security Lead
Data encryption at rest	NIS2	Data protection	Compliant	Encryption policy	CTO
Supply chain security review	NIS2	Vendor risk	Missing	—	Compliance
ICT risk management framework	DORA	Risk management	Partial	Framework doc	Compliance
Third-party ICT monitoring	DORA	Vendor risk	Missing	—	Security team
Business continuity testing	DORA	Operational resilience	Compliant	BCP test report	CTO
Digital operational resilience testing	DORA	Testing	Partial	Test results	Security Lead
AI system risk classification	AI Act	AI governance	Missing	—	AI Lead
Dataset quality documentation	AI Act	Data governance	Partial	Dataset description	Data team
Human oversight policy	AI Act	Governance	Missing	—	Legal
AI transparency notice	AI Act	Transparency	Compliant	User disclosure	Legal

AI System	Risk Level	Controls Required	Compliance Status
Fraud Detection Model	High Risk	12 controls required	Partial
Chatbot Assistant	Limited Risk	4 controls required	Compliant
Recruitment AI	High Risk	14 controls required	Missing documentation

Action	Control	Priority	Assigned To	Due Date	Status
Create risk classification matrix	AI system risk classification	Critical	M. Kowalski	Apr 15, 2026	In Progress
Document AI system inventory	AI system risk classification	High	T. Schmidt	Apr 30, 2026	Pending
Implement third-party ICT monitoring	Third-party ICT monitoring	Critical	Security team	Apr 20, 2026	Pending
Create supply chain security review process	Supply chain security review	High	Compliance	May 1, 2026	Pending
Generate human oversight policy	Human oversight policy	High	Legal	May 15, 2026	Pending
Upload FRIA documentation	AI system risk classification	Medium	J. Dreyer	Mar 12, 2026	Done

AI Documentation

3 AI systems require documentation

NIS2 Evidence

2 NIS2 controls missing evidence

DORA Update

1 DORA control outdated

Control Name

AI system risk classification

Description

Organizations must classify AI systems according to the EU AI Act risk categories (unacceptable, high, limited, minimal risk).

Applicable Regulation

AI Act

Required Evidence

Implementation Guidance

Related Controls

Remediation Actions

Create risk classification matrix

Critical

Due: Apr 15, 2026 · Assigned: M. Kowalski

Document AI system inventory

High

Due: Apr 30, 2026 · Assigned: T. Schmidt

Upload FRIA documentation

Done

Completed: Mar 12, 2026 · J. Dreyer