NIS2 and DORA Compliance
C4CI helps teams show that documented Azure architecture matches live infrastructure — one of the core evidence problems behind NIS2 Article 21 and DORA ICT risk management. Live diagrams, drift detection, and auditability reduce the amount of manual compliance reconstruction.
C4CI is a Belgian company operating a sovereign SaaS platform with data residency in European Azure regions. It is built for organisations subject to the EU Network and Information Security Directive (NIS2) and the Digital Operational Resilience Act (DORA). The tables below map specific article requirements to current C4CI capabilities. Features and pricing as of March 2026.
NIS2 Article 21 — Technical Measures Coverage
NIS2 Article 21 requires essential and important entities to implement risk management measures across ten categories. The table maps each relevant category to the C4CI capabilities that support evidence collection.
| Article | Requirement | C4CI feature | Tier |
|---|---|---|---|
| Art. 21(2)(a) | Policies on information system security | Continuous architecture documentation — live diagrams replace stale Visio/draw.io files | Free+ |
| Art. 21(2)(b) | Incident handling — detection and response | Drift detection provides change visibility and prioritisation signals that support incident review and response workflows. | Pro+ |
| Art. 21(2)(c) | Business continuity — backup, disaster recovery, crisis management | Documented recovery objectives, backup coverage, and disaster recovery runbooks. Current platform targets: RPO < 4 hours, RTO < 1 hour. | Platform-level |
| Art. 21(2)(e) | Security in network and information systems acquisition and development | Infrastructure-as-Diagram: all IaC changes flow through OpenTofu + PR review. No direct Azure mutations. | Enterprise / PAYG |
| Art. 21(2)(g) | Cybersecurity risk-management practices — access control | RBAC optimisation: identifies unused role assignments and over-privileged access across subscriptions | Enterprise |
| Art. 21(2)(h) | Policies and procedures on cryptography and encryption | AES-256 encryption at rest for tenant PII, TLS at ingress, and identity-backed least-privilege access to the control plane. | Platform-level |
| Art. 21(2)(i) | Human resources security — security awareness | Visual architecture diagrams make infrastructure understandable to non-specialists — reduces human error risk | Free+ |
| Art. 21(2)(j) | Supply chain security | K8s image tag drift detection: flags containers running unapproved image versions across AKS namespaces | Pro+ |
DORA — ICT Risk Management Coverage
The Digital Operational Resilience Act (DORA) applies to financial entities in the EU and their critical ICT third-party providers. The key articles here are the ones most relevant to architecture evidence, recovery posture, and auditability: Articles 6, 11, 12, 13, and 17.
| Article | Requirement | C4CI feature | Tier |
|---|---|---|---|
| Art. 6 — ICT risk management | Identify, classify and document ICT assets | Automatic discovery and C4 diagram generation from Azure Resource Graph — all resources classified by type and relationship | Free+ |
| Art. 11 — ICT business continuity | Document and test RPO and RTO | Documented recovery objectives and multi-AZ platform design. Current platform targets: RPO < 4 hours, RTO < 1 hour. | Platform-level |
| Art. 12 — Backup policies | Backup systems, data restoration testing | Backup cadence every 6 hours, plus documented restore and database recovery procedures in platform operations runbooks. | Platform-level |
| Art. 13 — Learning and evolving | Post-incident review and lessons learned | 30-day drift history: compare architecture state before and after any incident. Exportable timeline for post-mortem. | Enterprise / PAYG |
| Art. 17 — ICT-related incident management | Log and track all incidents | Immutable audit records for control-plane mutations, with operational logs and traces handled separately for observability. | All tiers |
What auditors receive
When preparing for a NIS2 or DORA audit, C4CI can produce the following artefacts on Enterprise and PAYG tiers:
- Architecture snapshots — timestamped C4 diagrams (L1–L3) showing the exact state of your Azure infrastructure at any point in the 30-day scan history. Exportable as PDF with scan metadata.
- Drift delta reports — a structured diff showing what changed between two snapshots, severity-scored and with the remediation action taken for each item.
- Audit log export — a complete record of all control-plane mutations in C4CI (approvals, rejections, code generation events) from the immutable audit log.
- Compliance coverage report — a percentage score showing how much of your documented architecture is verified against live infrastructure, with a breakdown by resource type and risk category.
Frequently asked questions
Does C4CI store my Azure infrastructure data in Europe?
Yes. C4CI is a Belgian company (C4CI Group Belgium) operating a sovereign SaaS platform on Azure with data residency in European regions. This supports data sovereignty requirements under NIS2 and GDPR.
Can I export compliance reports for auditors?
Yes. Enterprise and PAYG tiers include compliance report export — an architecture snapshot with scan timestamp, drift delta, and audit log entries. PDF export is available on Pro and above.
How do I prove architecture matches infrastructure at a specific point in time?
Every scan creates an immutable timestamped snapshot. You can retrieve and export the architecture state for any scan in your 30-day history. This serves as point-in-time evidence for NIS2 Article 23 incident reporting and DORA Article 13 post-incident review.
Is C4CI itself certified (SOC 2, ISO 27001)?
C4CI is in early access (as of March 2026). Formal certifications are on the roadmap for Enterprise tier validation. For the current security posture — architecture, controls, and technical measures — see the security page.
Get started
Drift detection is available on Pro and above. Compliance reporting is available on Enterprise and PAYG tiers. Contact us for compliance questionnaires, security reviews, or enterprise procurement.
- View Enterprise pricing — includes full compliance reporting
- Drift detection docs — how the comparison engine works
- Security page — Reader-role trust, auditability, and platform security overview
- Contact us — compliance questionnaires and enterprise inquiries