Our Alignment

NIS2 Minimum Security Measures

runZero continuously discovers and maps all connected assets across the internal and external attack surface supporting the ability to perform robust risk assessments and craft informed security policies for information systems.

runZero provides detailed asset inventories and identification of exposures helping ensure that all procured and developed systems are identified, adhere to security policies, and are free from known vulnerabilities.

runZero delivers a centralized view of all employee assets and interconnections supporting the implementation of precise data access controls that ensure sensitive information is segmented and handled securely.

runZero helps organizations assess authentication enforcement by identifying assets missing MFA, outdated authentication protocols, or unencrypted communication paths.

runZero helps organizations assess effectiveness by identifying gaps in asset coverage (unknown and unmanaged devices), unpatched systems, weak or missing security controls, and misconfigurations.

runZero ensures organizations have an up-to-date, continuously refreshed asset inventory to track critical systems, validate backups, and support business continuity during an active incident.

runZero highlights security hygiene issues, such as outdated operating systems or missing endpoint protection, providing actionable insights to reinforce training programs.

runZero provides visibility into third-party connected assets, helping organizations assess supplier-related security risks, monitor vendor-managed or accessed systems, and ensure compliance with security requirements.

runZero enables faster incident response by providing real-time asset visibility, helping security teams quickly locate affected systems, assess their exposure, and determine root cause analysis.

runZero identifies all assets and interconnections across the environment aiding in the decisions to where encryption should be applied.

Achieve Compliance

How runZero supports NIS2 requirements

runZero directly supports many NIS2 provisions related to asset visibility, inventory management, and vulnerability discovery, while also enabling programmatic approaches for protecting environments, detecting events, and responding to incidents. Its robust capabilities provide organizations with a single tool and source of truth across IT, OT, IoT, and external environments, ensuring compliance as operations and threats evolve.

Many NIS2 provisions require the integration of multiple security controls, programs, and policies working together to achieve compliance. runZero indirectly supports several of these provisions by supplying critical elements as part of a broader approach, contributing to compliance efforts that go beyond the specific areas it directly addresses.

Interested in a guided tour?

Support Types:

All

Direct

Indirect

National Cybersecurity Strategy

Requirement		Support	How runZero Helps
Chapter 2, Article 7, Section 1.D	Adopt a mechanism to identify relevant assets and an assessment of the risks in that Member State	Direct	Discovers all assets across IT, OT, IoT, cloud, mobile, and remote environments. Provides detailed asset information, including operating systems, services, hardware, and installed software. Assigns risk levels to assets based on identified vulnerabilities and configurations. Offers pre-built queries and automated analysis to detect vulnerabilities and insecure configurations. Provides continuous monitoring and goal tracking to maintain up-to-date asset and risk assessments.
Chapter 2, Article 7, Section 1.A	Objectives and priorities of the Member State’s cybersecurity strategy covering in particular the sectors referred to in Annexes I and II	Indirect	runZero can help identify and assess assets within critical sectors (such as energy, healthcare, etc.) as outlined in Annexes I and II, which aids in setting cybersecurity priorities based on asset visibility and exposure. While runZero does not define national objectives, the data it provides can inform strategic decision-making regarding asset protection and risk prioritization.
Chapter 2, Article 7, Section 1.E	An identification of the measures ensuring preparedness for, responsiveness to and recovery from incidents, including cooperation between the public and private sectors	Indirect	runZero can indirectly support preparedness and responsiveness by providing a comprehensive inventory of assets that need to be protected. It does not directly manage incident response, but its data can be essential for identifying assets at risk during incidents.
Chapter 2, Article 7, Section 1.G	A policy framework for enhanced coordination between the competent authorities under this Directive and the competent authorities under Directive (EU) 2022/2557 for the purpose of information sharing on risks, cyber threats, and incidents as well as on non-cyber risks, threats and incidents and the exercise of supervisory tasks, as appropriate	Indirect	runZero can indirectly support information sharing by providing detailed data on exposed assets and vulnerabilities, which can be shared between competent authorities. However, it does not facilitate or manage the sharing of information itself.
Chapter 2, Article 7, Section 2.A	Addressing cybersecurity in the supply chain for ICT products and ICT services used by entities for the provision of their services	Indirect	runZero can help identify third-party ICT products and services in use, which contributes to supply chain security by giving organizations visibility into potential third-party risks. However, it does not directly manage or secure the supply chain itself.
Chapter 2, Article 7, Section 2.C	Managing vulnerabilities, encompassing the promotion and facilitation of coordinated vulnerability disclosure under Article 12(1)	Indirect	runZero helps identify vulnerabilities related to the assets it discovers, which can contribute to managing vulnerabilities. However, it does not directly handle vulnerability disclosure programs but could provide data for reporting purposes.
Chapter 2, Article 7, Section 2.E	Promoting the development and integration of relevant advanced technologies aiming to implement state-of-the-art cybersecurity risk-management measures	Indirect	runZero indirectly promotes advanced cybersecurity measures by providing critical insights into asset exposure and potential risks, enabling the implementation of better risk management. However, it does not develop or integrate these technologies directly.
Chapter 2, Article 7, Section 2.H	Relevant procedures and appropriate information-sharing tools to support voluntary cybersecurity information sharing between entities in accordance with Union law	Indirect	runZero can support information-sharing by providing detailed data on exposed assets and vulnerabilities, which could be shared between entities. However, it does not facilitate or enforce the sharing of information itself.
Chapter 2, Article 7, Section 2.I	Strengthening the cyber resilience and the cyber hygiene baseline of small and medium-sized enterprises, in particular those excluded from the scope of this Directive, by providing easily accessible guidance and assistance for their specific needs	Indirect	runZero’s visibility into asset inventory and exposure can help SMBs understand their cyber risk, indirectly supporting cyber hygiene improvements. However, runZero does not directly provide guidance or assistance.
Chapter 2, Article 7, Section 2.J	Promoting active cyber protection	Indirect	runZero promotes active cyber protection by helping organizations discover unknown or unmanaged assets, which is a crucial step in securing environments. It doesn't directly implement active protection measures but plays a role in enabling them by identifying at-risk assets.
Chapter 2, Article 7, Section 4	Member States shall assess their national cybersecurity strategies on a regular basis and at least every five years on the basis of key performance indicators	Indirect	runZero can indirectly support the assessment of national cybersecurity strategies by providing key data on asset discovery, risk exposure, and vulnerabilities across organizations within sectors. This data can contribute to the evaluation of cybersecurity performance and progress toward national goals. While runZero does not define or manage performance indicators, the visibility it provides can be integral to measuring an organization's or nation’s cybersecurity posture. runZero can support ENISA and national authorities by offering detailed insights into asset management, risk exposure, and system vulnerabilities. These insights can inform key performance indicators and help align national cybersecurity strategies with the Directive’s requirements. However, runZero does not directly assist in the development or updating of national strategies, as this is within the purview of ENISA and national authorities.

Competent Authorities and Single Points of Contact

Requirement		Support	How runZero Helps
Chapter 2, Article 8, Section 2	The competent authorities referred to in paragraph 1 shall monitor the implementation of this Directive at national level	Indirect	runZero can assist competent authorities by providing visibility into assets and vulnerabilities, helping them monitor and assess compliance with cybersecurity standards.

National Cyber Crisis Management Frameworks

Requirement		Support	How runZero Helps
Chapter 2, Article 9, Section 1	Each Member State shall designate or establish one or more competent authorities responsible for the management of large-scale cybersecurity incidents and crises (cyber crisis management authorities	Indirect	runZero does not play a role in the formal designation or establishment of cyber crisis management authorities. This responsibility lies with the Member States and involves administrative decisions beyond runZero’s scope. While runZero does not provide direct resources for authorities, it can indirectly support cyber crisis management authorities by offering crucial asset visibility and insights into exposed assets during cybersecurity incidents. This data can help authorities assess the scope of incidents more effectively. runZero does not engage in aligning cybersecurity efforts with general national crisis management frameworks. Its role is primarily technical, focusing on asset discovery and risk management, not in coordinating national crisis frameworks.
Chapter 2, Article 9, Section 3	Each Member State shall identify capabilities, assets and procedures that can be deployed in the case of a crisis for the purposes of this Directive	Indirect	runZero provides comprehensive asset discovery and visibility capabilities. It allows authorities to identify critical assets within an organization or infrastructure that may need protection or action during a cybersecurity crisis. These capabilities help identify potential vulnerabilities and assets that require immediate attention during large-scale incidents, supporting crisis response efforts.
Chapter 2, Article 9, Section 4.D	National preparedness measures, including exercises and training activities	Indirect	While runZero does not conduct exercises or training, it can provide valuable data for cybersecurity exercises by identifying critical assets and vulnerabilities. This information can be used in simulations or training activities to improve preparedness for cybersecurity incidents.
Chapter 2, Article 9, Section 4.E	The relevant public and private stakeholders and infrastructure involved	Indirect	runZero can indirectly support the identification of infrastructure involved in crisis response by offering comprehensive visibility into an organization’s assets. This can help stakeholders understand the critical components of their infrastructure that need protection or response measures in a crisis.

Computer Security Incident Response Teams (CSIRTs)

Requirement		Support	How runZero Helps
Chapter 2, Article 10, Section 1	Each Member State shall designate or establish one or more CSIRTs. The CSIRTs may be designated or established within a competent authority	Indirect	runZero can assist CSIRTs by providing critical asset visibility and exposure information, helping them identify vulnerable systems and assets across sectors referred to in Annexes I and II. While runZero does not handle incident response directly, it provides valuable data to support the incident-handling process by identifying potentially compromised assets or vulnerabilities.
Chapter 2, Article 10, Section 2	Member States shall ensure that each CSIRT has adequate resources to carry out effectively its tasks as set out in Article 11(3)	Indirect	runZero can indirectly support CSIRTs by offering tools that streamline asset discovery and vulnerability management, allowing CSIRTs to focus their resources on effective incident response and mitigation. However, runZero does not provide resources directly.
Chapter 2, Article 10, Section 4	The CSIRTs shall cooperate and, where appropriate, exchange relevant information in accordance with Article 29 with sectoral or cross-sectoral communities of essential and important entities.	Indirect	While runZero does not facilitate cooperation directly, the data it provides on exposed assets and vulnerabilities can support information-sharing between CSIRTs and sectoral entities. This data can form the basis for understanding the scope of incidents and vulnerabilities across sectors.

Requirements, Technical Capabilities and Tasks of CSIRTs

Requirement		Support	How runZero Helps
Chapter 2, Article 11, Section 2	Member States shall ensure that their CSIRTs jointly have the technical capabilities necessary to carry out the tasks referred to in paragraph 3	Indirect	runZero can indirectly support CSIRTs by providing advanced technical capabilities related to asset discovery, vulnerability identification, and network visibility. These capabilities are crucial for incident detection and response, which are key CSIRT tasks. However, runZero is not a complete solution for all CSIRT technical needs and does not cover all aspects of incident management. runZero does not provide or manage staffing resources for CSIRTs. It offers tools that can enhance technical capabilities, but the allocation of resources and staffing levels is a matter for Member States and CSIRT management.
Chapter 2, Article 11, Section 3.A	Monitoring and analysing cyber threats, vulnerabilities and incidents at national level and, upon request, providing assistance to essential and important entities concerned regarding real-time or near real-time monitoring of their network and information systems	Indirect	runZero provides asset discovery, vulnerability identification, and risk exposure analysis, which can assist CSIRTs in monitoring and analyzing cyber threats and vulnerabilities. While it does not provide real-time monitoring capabilities, the data it gathers helps organizations and CSIRTs understand their network posture and address vulnerabilities.
Chapter 2, Article 11, Section 3.B	Providing early warnings, alerts, announcements and dissemination of information to essential and important entities concerned as well as to the competent authorities and other relevant stakeholders on cyber threats, vulnerabilities and incidents	Indirect	Through the Rapid Response program, runZero provides early warnings and alerts to essential and important entities regarding cyber threats and vulnerabilities. This capability supports CSIRTs in disseminating critical information to stakeholders in near real-time, helping to mitigate incidents proactively.
Chapter 2, Article 11, Section 3.C	Responding to incidents and providing assistance to the essential and important entities concerned, where applicable	Indirect	runZero helps by identifying vulnerable or exposed assets that may be part of an incident, offering key information for incident response. However, runZero does not directly respond to incidents or provide hands-on incident management; this is within the purview of CSIRTs.
Chapter 2, Article 11, Section 3.D	Collecting and analysing forensic data and providing dynamic risk and incident analysis and situational awareness regarding cybersecurity	Indirect	runZero can indirectly support forensic data collection by identifying compromised assets or areas of exposure that can be examined further. While it does not perform forensic analysis, its data helps inform risk assessments and situational awareness by mapping out the asset landscape.
Chapter 2, Article 11, Section 3.F	Provide a proactive scan of the network and information systems of the entity concerned to detect vulnerabilities with a potential significant impact	Direct	Performs active scanning to identify devices and detect vulnerabilities. Utilizes passive discovery to monitor network traffic and uncover vulnerabilities without impacting performance. Combines active scanning and passive discovery for comprehensive asset visibility, including unmanaged devices. Provides rapid vulnerability detection, enabling prompt remediation to mitigate potential significant impacts.
Chapter 2, Article 11, Section 3.I	Carry out proactive non-intrusive scanning of publicly accessible network and information systems of essential and important entities	Direct	Conducts unauthenticated, active scanning to identify assets and detect vulnerabilities without requiring credentials or agents. Provides detailed asset inventories, including information on operating systems, services, and hardware, facilitating the identification of insecure configurations. Performs scans efficiently, minimizing the impact on network performance and ensuring the uninterrupted functioning of services. Enables CSIRTs to prioritize scanning tasks based on risk assessments, focusing on the most critical assets and vulnerabilities.
Chapter 2, Article 11, Section 4	The CSIRTs shall establish cooperation relationships with relevant stakeholders in the private sector, with a view to achieving the objectives of this Directive.	Indirect	runZero can indirectly support CSIRTs in establishing cooperation with private sector stakeholders by providing visibility into assets, vulnerabilities, and risks across different organizations. The data runZero collects can be shared with relevant stakeholders, facilitating informed collaboration and decision-making to meet the cybersecurity objectives of the Directive. While runZero does not directly manage these relationships, the insights it provides are valuable for fostering cooperation between CSIRTs and private sector entities.
Chapter 2, Article 11, Section 5.A	Incident-handling procedures	Indirect	runZero indirectly supports standardized incident-handling procedures by providing comprehensive visibility into assets and vulnerabilities that are critical for responding to incidents. While runZero does not directly establish or promote incident-handling standards, the detailed data it provides can be used within standardized frameworks to improve response efforts.
Chapter 2, Article 11, Section 5.B	Crisis management	Indirect	runZero’s asset discovery and vulnerability identification capabilities provide crucial information that can inform crisis management strategies. It indirectly supports standardized crisis management practices by offering the data needed to manage assets and mitigate risks during a cybersecurity crisis, though it does not create or enforce crisis management protocols.
Chapter 2, Article 11, Section 5.C	Coordinated vulnerability disclosure under Article 12(1)	Indirect	runZero helps identify vulnerabilities across networks and systems, which is an essential step in coordinated vulnerability disclosure processes. While it does not directly manage or promote the disclosure process, the insights it provides can be used by CSIRTs and other stakeholders to align with standardized vulnerability disclosure practices.

Coordinated Vulnerability Disclosure and a European Vulnerability Database

Requirement		Support	How runZero Helps
Chapter 2, Article 12, Section 1.A	Identifying and contacting the entities concerned	Indirect	runZero can help identify the entities concerned by providing detailed visibility into networks, assets, and vulnerabilities. This information is crucial for understanding which entities might be affected by a vulnerability. While runZero does not handle contacting entities, it provides the foundational data needed for CSIRTs to do so effectively.
Chapter 2, Article 12, Section 1.C	Negotiating disclosure timelines and managing vulnerabilities that affect multiple entities	Indirect	runZero indirectly supports the management of vulnerabilities by identifying them across multiple entities. This helps CSIRTs understand the scope of the vulnerabilities and prioritize remediation efforts. However, runZero does not participate in negotiating disclosure timelines, which is a task for the designated CSIRT.
Chapter 2, Article 12, Section 2.A	Information describing the vulnerability	Indirect	runZero helps organizations discover vulnerabilities in their ICT products and services by providing detailed asset visibility and vulnerability identification. This data can be used to describe vulnerabilities, contributing valuable information for the European vulnerability database, although runZero itself does not manage the database or submit data directly.
Chapter 2, Article 12, Section 2.B	The affected ICT products or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited	Indirect	runZero identifies the specific ICT products and services affected by vulnerabilities, offering insights into the conditions under which they might be exploited. This information can help assess the severity of vulnerabilities and the impact on affected entities, supporting the content that would be included in the European vulnerability database.
Chapter 2, Article 12, Section 2.C	The availability of related patches and, in the absence of available patches, guidance provided by the competent authorities or the CSIRTs addressed to users of vulnerable ICT products and ICT services	Indirect	runZero provides insights into whether systems have available patches for identified vulnerabilities or if they remain unpatched. While runZero does not issue patches or provide direct mitigation guidance, the data it supplies is critical for CSIRTs or competent authorities in crafting guidance and mitigating risks when reporting vulnerabilities to the database.

Cybersecurity Risk-management Measures

Requirement		Support	How runZero Helps
Chapter 4, Article 21, Section 1	Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations	Indirect	Asset Discovery and Visibility: runZero provides comprehensive visibility into an organization’s network, identifying all assets and systems in use. This foundational step helps organizations understand their security landscape, which is critical for managing risks effectively. Risk Management: By identifying vulnerabilities, misconfigurations, and other security gaps across networked systems, runZero enables organizations to assess their exposure to risks. This allows them to implement technical and operational measures that are proportionate to the risks identified. State-of-the-art Security Insights: runZero aligns with modern cybersecurity practices by providing real-time vulnerability data, making it easier for organizations to adopt security measures that meet the latest European and international standards. Incident Prevention and Impact Minimization: runZero helps organizations identify vulnerable or compromised assets before incidents occur, reducing the likelihood of incidents that could affect service recipients or other services. If an incident happens, runZero's asset data can help quickly identify the affected areas, supporting efforts to minimize the incident’s impact. Proportionality of Security Measures: runZero helps organizations tailor their security efforts by offering insights into the size and scope of their asset inventory and exposure to threats. This assists organizations in scaling their security measures appropriately, based on the entity's size, the risks they face, and the potential severity of incidents.
Chapter 4, Article 21, Section 2.A	Policies on risk analysis and information system security	Indirect	runZero helps organizations conduct risk analysis by providing asset visibility, identifying vulnerabilities, and highlighting security gaps. This data supports the development of effective risk management policies. While runZero does not create policies directly, it enables organizations to base their policies on accurate and up-to-date asset and risk information.
Chapter 4, Article 21, Section 2.B	Incident handling	Indirect	runZero helps monitor for at-risk assets and exposed vulnerabilities, providing critical information that supports incident response efforts. It does not manage the incident response process itself but provides the data necessary to facilitate efficient incident handling.
Chapter 4, Article 21, Section 2.C	Business continuity, such as backup management and disaster recovery, and crisis management	Indirect	runZero provides insights into critical assets and services that are essential for business continuity and disaster recovery planning. It does not manage backup or disaster recovery directly but helps organizations identify which systems are vital to protect for continuity.
Chapter 4, Article 21, Section 2.D	Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers	Indirect	runZero can identify third-party services and products within an organization's infrastructure, helping to evaluate the security implications of supply chain dependencies. While it doesn't assess suppliers directly, it provides visibility into assets to support supply chain security evaluations.
Chapter 4, Article 21, Section 2.E	Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure	Indirect	runZero continuously identifies vulnerabilities across an organization's network and information systems, supporting secure development and maintenance practices. It does not manage system acquisition or development directly but aids in ensuring vulnerabilities are identified and disclosed appropriately.
Chapter 4, Article 21, Section 2.F	Policies and procedures to assess the effectiveness of cybersecurity risk-management measures	Indirect	runZero provides ongoing visibility into the organization’s assets and security posture, enabling continuous assessment of risk management effectiveness by identifying vulnerabilities and security gaps. While runZero does not create policies or procedures, it provides the necessary data to assess the effectiveness of existing measures.
Chapter 4, Article 21, Section 2.G	Basic cyber hygiene practices and cybersecurity training	Indirect	runZero supports cyber hygiene by helping organizations identify outdated or misconfigured systems that may increase security risks, promoting best practices. It does not provide training directly, but the insights it generates can inform the need for training on cybersecurity weaknesses.
Chapter 4, Article 21, Section 2.H	Policies and procedures regarding the use of cryptography and, where appropriate, encryption	Indirect	runZero does not manage cryptographic policies or encryption practices, but it can identify assets or services where encryption may be missing or misconfigured, indirectly supporting efforts to secure communications.
Chapter 4, Article 21, Section 2.I	Human resources security, access control policies and asset management	Indirect	runZero helps track and manage assets, providing visibility into devices and systems that should be secured, including those related to human resources or sensitive data. It doesn’t directly manage access control or human resource policies but supports the enforcement of security controls through asset visibility.
Chapter 4, Article 21, Section 2.J	The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate	Indirect	runZero does not provide multi-factor authentication (MFA) or secure communication solutions but can identify assets and systems where MFA is not being utilized, helping organizations enforce these security controls.
Chapter 4, Article 21, Section 3	Entities take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures	Indirect	runZero helps organizations identify and assess vulnerabilities in their infrastructure, including services and systems provided by suppliers and third-party service providers. By providing visibility into assets and their associated vulnerabilities, runZero aids in evaluating the security quality of suppliers. runZero does not directly assess suppliers' cybersecurity practices or secure development procedures but provides organizations with asset data and vulnerability insights to support these evaluations. runZero can help organizations assess their part of the critical supply chain by mapping assets and identifying weak points or exposed systems. This visibility supports organizations in aligning with coordinated security risk assessments conducted by Member States or other entities. runZero does not conduct or coordinate these risk assessments directly but provides key data to inform them.
Chapter 4, Article 21, Section 4	Member States shall ensure that an entity that finds that it does not comply with the measures provided for in paragraph 2 takes, without undue delay, all necessary, appropriate and proportionate corrective measures	Indirect	runZero helps organizations identify areas of non-compliance by highlighting vulnerabilities, misconfigurations, and insecure practices across their infrastructure. This insight enables organizations to take appropriate corrective measures to address security gaps. While runZero does not enforce corrective actions, it aids in identifying areas requiring remediation.
Chapter 4, Article 21, Section 5	Implementing acts laying down the technical and the methodological requirements of the measures referred to in paragraph 2 with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers	Indirect	runZero provides visibility into assets and services, helping organizations understand their infrastructure, including DNS, cloud computing, managed service providers (MSPs), and managed security service providers (MSSPs). This visibility can assist in ensuring compliance with the technical requirements laid out by the Commission. While runZero doesn’t directly define or implement these technical or methodological requirements, it helps monitor compliance by providing insights into system configurations, security gaps, and vulnerabilities. runZero can assist essential and important entities not explicitly listed (such as smaller service providers or non-IT-focused entities) by helping them assess and secure their critical assets, making it easier to comply with future requirements as the Commission releases them. runZero aligns with various cybersecurity best practices and international standards (e.g., vulnerability management, asset discovery). This alignment ensures that organizations using runZero can be better prepared to meet the standards and technical specifications mentioned by the Commission. runZero does not directly influence the creation of these standards but helps organizations apply these standards in managing their infrastructure.

Union Level Coordinated Security Risk Assessments of Critical Supply Chains

Requirement		Support	How runZero Helps
Chapter 4, Article 22, Section 1	Carry out coordinated security risk assessments of specific critical ICT services, ICT systems or ICT products supply chains, taking into account technical and, where relevant, non-technical risk factors	Indirect	runZero can assist organizations by discovering and mapping their ICT assets, providing visibility into which critical services, systems, or products are in use. runZero can help identify vulnerabilities or misconfigurations in these assets, contributing to the security risk assessment process. It does not, however, perform a full supply chain risk assessment or assess non-technical factors such as vendor risks, which may be required for a comprehensive evaluation.
Chapter 4, Article 22, Section 2	Identify the specific critical ICT services, ICT systems or ICT products that may be subject to the coordinated security risk assessment referred to in paragraph 1.	Indirect	runZero’s asset discovery capabilities provide valuable insights into the use of critical ICT services, systems, or products within an organization, which could be relevant when identifying those that require further risk assessment. While runZero doesn’t directly identify critical ICT products for the Commission, it can help organizations inventory and monitor their use of such products, providing a foundation for further evaluation by external entities.

Reporting Obligations

Requirement		Support	How runZero Helps
Chapter 4, Article 23, Section 1	Where appropriate, entities concerned shall notify, without undue delay, the recipients of their services of significant incidents that are likely to adversely affect the provision of those services	Indirect	runZero helps identify impacted assets and vulnerabilities, providing essential data for reporting, but does not handle the direct submission of incident notifications. runZero provides visibility into affected services or systems, helping organizations determine which recipients may need to be notified, but it does not facilitate direct communication with recipients. runZero assists in identifying the geographical scope of affected assets, contributing to assessments of cross-border impact, but does not directly report on cross-border effects. runZero does not handle incident notification workflows or the forwarding of reports between authorities and CSIRTs. runZero provides data on the extent of the incident, helping organizations prepare reports for SPOCs, but does not manage the formal reporting process.
Chapter 4, Article 23, Section 2	Where applicable, Member States shall ensure that essential and important entities communicate, without undue delay, to the recipients of their services that are potentially affected by a significant cyber threat any measures or remedies that those recipients are able to take in response to that threat	Indirect	runZero can help identify which systems or services are vulnerable or affected by a significant cyber threat. This information can aid organizations in advising their recipients on specific measures or remedies to take. However, runZero does not handle direct communication with service recipients. It provides visibility into assets that can guide what measures should be communicated.
Chapter 4, Article 23, Section 3.A	Significant incident if it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned	Indirect	runZero can assist in identifying affected systems and critical assets within the organization that are essential for operations. By providing comprehensive visibility into which systems are vulnerable or compromised, runZero helps assess the potential operational disruption. While runZero doesn’t directly assess financial loss, it aids in understanding the scope of the incident, which is a key factor in determining operational disruption that could lead to financial consequences.
Chapter 4, Article 23, Section 3.B	Significant incident if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage	Indirect	runZero’s asset discovery capabilities can help identify compromised assets that may serve as a vector for further attacks, which could impact other organizations or individuals, potentially causing material or non-material damage. While runZero does not directly quantify the damage, it can map exposure paths and highlight risks that could propagate the incident beyond the organization, supporting the evaluation of potential wider impact.
Chapter 4, Article 23, Section 4.A	Report without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact;	Indirect	runZero can rapidly discover and map assets that may be affected by an incident, allowing security teams to identify whether unlawful or malicious acts have impacted these assets. While runZero does not directly manage incident notifications, it aids in discovering affected systems, which can inform the early warning report.
Chapter 4, Article 23, Section 4.B	Report without undue delay and in any event within 72 hours of becoming aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in point (a) and indicate an initial assessment of the significant incident, including its severity and impact	Indirect	runZero’s asset discovery and fingerprinting capabilities can assist organizations in identifying the scope and severity of the incident by revealing which systems are impacted and providing indicators like exposed services and vulnerabilities. It supports the gathering of initial incident data but doesn’t handle the actual incident notification submission.
Chapter 4, Article 23, Section 4.C	Report upon the request of a CSIRT or, where applicable, the competent authority, an intermediate report on relevant status updates	Indirect	runZero can help generate asset-level data and updates for inclusion in intermediate status reports as organizations monitor and mitigate incidents. This data may include updates on affected devices or mitigated vulnerabilities. The responsibility of reporting still lies outside runZero, but it provides crucial data for reporting.
Chapter 4, Article 23, Section 4.D	Provide a final report not later than one month after the submission of the incident notification	Indirect	runZero can assist in the root cause analysis by revealing unpatched or vulnerable assets that may have contributed to the incident. The platform can identify applied mitigation measures by detecting changes in the security posture of assets after patches or updates are applied, supporting final reporting efforts.
Chapter 4, Article 23, Section 4.E	Member States shall ensure that entities concerned provide a progress report at that time and a final report within one month of their handling of the incident	Indirect	runZero’s ongoing asset monitoring capabilities provide updated information on an organization's security posture, enabling progress reporting on mitigation efforts and the incident's current status. Final report responsibilities remain with incident response teams, but runZero assists with critical data collection.
Chapter 4, Article 23, Section 5	The CSIRT or the competent authority shall provide, without undue delay and where possible within 24 hours of receiving the early warning referred to in paragraph 4	Indirect	runZero can assist in this process by providing real-time visibility into affected assets and potential vulnerabilities that contributed to the significant incident. This can help inform the CSIRT’s feedback and operational advice by giving a clear understanding of the impacted environment. However, runZero does not handle direct incident communication or advice. runZero does not provide direct technical support to entities or manage incident reporting to law enforcement. It could indirectly support technical analysis by providing asset visibility and exposure data, which might be used by CSIRTs in their investigations.
Chapter 4, Article 23, Section 10	Shall provide to the competent authorities under Directive (EU) 2022/2557 information about significant incidents, incidents, cyber threats and near misses notified in accordance with paragraph 1 of this Article and with Article 30 by entities identified as critical entities under Directive (EU) 2022/2557	Indirect	runZero can support this by helping identify assets within critical entities, which can be important for understanding the scope of incidents and threats. However, runZero does not directly participate in the information-sharing process between authorities.