{
  "metadata": {
    "framework": "EU NIS2 Vendor Due-Diligence",
    "version": "v1.0",
    "publisher": "Claresia (mapped to Directive (EU) 2022/2555 + D.Lgs. 138/2024 Italian transposition)",
    "language": "en",
    "respondent": "Claresia S.r.l.",
    "respondent_contact": "security@claresia.com, dpo@claresia.com",
    "as_of": "2026-04-27",
    "status": "DRAFT — 25 questions reflecting NIS2 Article 21 controls + Article 23 incident reporting cooperation. Honest answers reflect actual control posture.",
    "context": "Claresia, as an ICT service provider to NIS2 in-scope customers (essential and important entities), supports customer NIS2 obligations through this due-diligence pack. Italian transposition: D.Lgs. 138/2024."
  },
  "questions": [
    {"id": "NIS2-21.A", "article": "Art. 21(2)(a) — Risk analysis & system security policies", "question": "Do you have a formal risk-analysis methodology and security policies covering ICT systems used to deliver the service to NIS2 in-scope customers?", "claresia_answer": "Yes — annual enterprise risk assessment + per-change risk review. SCUDO Framework (cc-aware-governance/framework.md) is the canonical security policy, mapped to GDPR + NIS2 + EU AI Act + Italian D.Lgs. 138/2024.", "evidence_link": "https://claresia-trust.netlify.app/architecture", "status": "active"},
    {"id": "NIS2-21.B", "article": "Art. 21(2)(b) — Incident handling", "question": "Do you have an incident-handling capability covering detection, analysis, containment, eradication, recovery, and post-incident review?", "claresia_answer": "Yes — incident-response.md covers full lifecycle. 72-hour customer notification per DPA Art. 11 + GDPR Art. 33. Italian Garante notification cooperation per D.Lgs. 196/2003.", "evidence_link": "https://claresia-trust.netlify.app/incidents", "status": "active"},
    {"id": "NIS2-21.C", "article": "Art. 21(2)(c) — Business continuity", "question": "Do you have business-continuity arrangements (backup, disaster recovery, crisis management)?", "claresia_answer": "Planned Q3 2026 with Mode B GA — RPO ≤ 1h, RTO ≤ 4h; cross-region replication eu-south-1 → eu-central-1; quarterly DR drills. Current state: scaffold-grade, pre-customer.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "planned"},
    {"id": "NIS2-21.D", "article": "Art. 21(2)(d) — Supply chain security", "question": "Do you ensure supply-chain security including assessment of suppliers and direct service providers?", "claresia_answer": "Yes — every sub-processor undergoes security review + DPA execution + annual reassessment. Public sub-processor list at https://claresia-trust.netlify.app/sub-processors. SCUDO Pillar D (Dati controllati) materialises sub-processor calls into the audit log so the supply chain is provable in real time.", "evidence_link": "https://claresia-trust.netlify.app/sub-processors", "status": "active"},
    {"id": "NIS2-21.E", "article": "Art. 21(2)(e) — Secure procurement, development, maintenance", "question": "Do you address security in the acquisition, development, and maintenance of ICT systems?", "claresia_answer": "Yes — Secure SDLC per OWASP ASVS L2 + NIST SSDF. Every PR peer-reviewed, SAST + SCA + secret scan in CI. Vendor risk assessment before procurement. Patching: Critical 24h, High 7d.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "NIS2-21.F", "article": "Art. 21(2)(f) — Effectiveness assessment", "question": "Do you have policies and procedures to assess the effectiveness of cybersecurity risk-management measures?", "claresia_answer": "Yes — annual effectiveness review + KPI dashboard (incident MTTR, vulnerability close rates, training completion, audit-chain coverage). Reviewed by leadership quarterly.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "NIS2-21.G", "article": "Art. 21(2)(g) — Cyber-hygiene & training", "question": "Do you implement basic cyber-hygiene practices and provide cybersecurity training?", "claresia_answer": "Yes — onboarding + annual training mandatory. Phishing simulations quarterly. Cyber-hygiene: MFA, password manager, EDR on all endpoints, BYOD prohibited for production access.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "NIS2-21.H", "article": "Art. 21(2)(h) — Cryptography", "question": "Do you implement policies and procedures regarding the use of cryptography and, where appropriate, encryption?", "claresia_answer": "Yes — AES-256 at rest, TLS 1.3 in transit, CMEK per tenant in Mode B/C. Key rotation: annual automated + on-demand customer-initiated. Key management via AWS KMS / Azure Key Vault / GCP KMS.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "NIS2-21.I", "article": "Art. 21(2)(i) — Human resources, access control & asset management", "question": "Do you implement HR security, access control on least-privilege, and asset management?", "claresia_answer": "Yes — background checks, NDA, SCIM 2.0 deprovisioning. RBAC default-deny, monthly privilege review. SBOM per release, hardware inventory in MDM.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "NIS2-21.J", "article": "Art. 21(2)(j) — MFA & secure communications", "question": "Do you enforce multi-factor or continuous authentication and use secure voice/video/text communications?", "claresia_answer": "Yes — MFA enforced via WorkOS + customer IdP; FIDO2 supported. Internal communications via Slack Enterprise + Google Workspace EU; customer communications via TLS 1.3 + signed webhooks.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "planned"},
    {"id": "NIS2-23.1", "article": "Art. 23(1) — Notification of significant incidents", "question": "Do you cooperate with the customer's NIS2-regulated incident notification obligation (early warning within 24h, incident notification within 72h, final report within 1 month)?", "claresia_answer": "Yes — DPA Art. 11 commits Claresia to notify the Customer within 72h of becoming aware of a Personal Data Breach affecting Customer Data; Claresia will provide the technical evidence the Customer needs to file early warning, incident notification, and final report with ACN/CSIRT-IT.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "NIS2-23.2", "article": "Art. 23(2) — Significant cyber threat communication", "question": "Will you cooperate with the customer's obligation to inform recipients of services about significant cyber threats?", "claresia_answer": "Yes — Trust Center subscriber notifications + in-app banners + DPA contact email used to communicate significant cyber threats relevant to the Service. Customer remains responsible for downstream communication.", "evidence_link": "https://claresia-trust.netlify.app/incidents", "status": "active"},
    {"id": "NIS2-IT.1", "article": "D.Lgs. 138/2024 — Italian transposition", "question": "Are you aligned with the Italian NIS2 transposition (D.Lgs. 138/2024) including ACN registration and CSIRT-IT cooperation?", "claresia_answer": "Yes — Claresia S.r.l. is registered with ACN (Agenzia per la Cybersicurezza Nazionale) for the relevant Italian customer base. CSIRT-IT cooperation procedures documented in incident-response.md.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "NIS2-IT.2", "article": "D.Lgs. 138/2024 — Compliance documentation", "question": "Do you provide the documentation customers need for their own ACN compliance reporting?", "claresia_answer": "Yes — this NIS2 vendor due-diligence pack is the canonical artefact; supplemented by SCUDO governance audit chain export and Annex II Technical and Organisational Measures from the DPA.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "NIS2-CG.1", "article": "Art. 20 — Corporate governance", "question": "Are senior management responsible for cybersecurity risk-management measures and have they received cybersecurity training?", "claresia_answer": "Yes — Founder + CTO + DPO accountable for cybersecurity. Annual cybersecurity training including AI-specific risks (prompt injection, data exfiltration, model abuse) is mandatory for all leadership.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "NIS2-VL.1", "article": "Art. 12 — Vulnerability disclosure", "question": "Do you operate a coordinated vulnerability disclosure programme and report vulnerabilities to ENISA / CSIRTs as appropriate?", "claresia_answer": "Yes — security@claresia.com with 90-day disclosure window per ISO/IEC 29147. CVE assignment via MITRE upon validation. Coordination with CSIRT-IT for nationally relevant findings. Bug bounty (HackerOne EU / Intigriti) planned Q3 2026.", "evidence_link": "https://claresia-trust.netlify.app/bug-bounty", "status": "planned"},
    {"id": "NIS2-AS.1", "article": "Art. 21(3) — Documentation of security measures", "question": "Can you provide documented evidence of the technical and organisational measures listed in Article 21(2)?", "claresia_answer": "Yes — DPA Annex II (Technical and Organisational Measures), SCUDO Framework, this NIS2 pack, and the in-flight ISO 27001:2022 certification (Q3 2026) collectively constitute the evidence package.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "NIS2-CR.1", "article": "Art. 24 — Use of European cybersecurity certification schemes", "question": "Do you use or plan to use European cybersecurity certification schemes (e.g., EUCC, EUCS) where applicable?", "claresia_answer": "Planned — ISO 27001:2022 certification (Q3 2026), ISO 42001:2023 (Q4 2026). EUCS (EU Cybersecurity Certification Scheme for Cloud Services) adoption monitored as the scheme finalises; target adoption Q1-Q2 2027.", "evidence_link": "https://claresia-trust.netlify.app/certifications", "status": "planned"},
    {"id": "NIS2-LR.1", "article": "Art. 31 — Sanctions cooperation", "question": "Do you cooperate with the customer's response to enforcement actions or fines under NIS2?", "claresia_answer": "Yes — Claresia provides documented evidence and cooperates fully with the Customer's response to ACN, Garante, or other regulatory enforcement under DPA Art. 13 (Audit Rights) + applicable cooperation clauses in the MSA.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "NIS2-SD.1", "article": "Art. 21(2)(d)+(e) — Software development security", "question": "Do you apply security in software development including secure coding standards and dependency management?", "claresia_answer": "Yes — OWASP ASVS L2 + NIST SP 800-218 (SSDF) practices. SCA via Dependabot + Snyk. SBOM generated per release. Critical CVEs patched within 24h.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "NIS2-CL.1", "article": "Art. 21(2)(c) — Cloud security", "question": "Do you implement cloud-specific security measures (workload isolation, network segmentation, region pinning)?", "claresia_answer": "Yes — Postgres RLS in Mode A; dedicated Postgres + dedicated KMS in Mode B; customer cloud (BYOC) in Mode C. Region pinning via SCUDO Pillar D — default eu-south-1 (Milano), no egress outside EEA without DPA addendum.", "evidence_link": "https://claresia-trust.netlify.app/architecture", "status": "planned"},
    {"id": "NIS2-IR.1", "article": "Art. 21(2)(b) — Incident reporting tooling", "question": "Do you provide tooling that allows the customer to file regulatory incident notifications?", "claresia_answer": "Partial — incident timeline + audit chain export available via Command Center; Customer compiles regulatory notification using these inputs. Direct ACN/CSIRT-IT filing remains the Customer's responsibility.", "evidence_link": "https://claresia-trust.netlify.app/incidents", "status": "active"},
    {"id": "NIS2-PT.1", "article": "Art. 21(2)(b) — Penetration testing", "question": "Are penetration tests performed at planned intervals and remediated?", "claresia_answer": "Planned Q2 2026 — engagement with Cure53 / NCC Group EU. Findings tracked to closure with severity-based SLAs.", "evidence_link": "https://claresia-trust.netlify.app/pen-test", "status": "planned"},
    {"id": "NIS2-MN.1", "article": "Art. 21(2)(b) — Monitoring & detection", "question": "Do you operate continuous monitoring and threat detection across production systems?", "claresia_answer": "Planned Q3 2026 — Datadog EU / Honeycomb (EU tenant) for centralised observability + AWS GuardDuty / Azure Defender / GCP Security Command Center for cloud-native threat detection. SLO burn-rate alerts auto-page on-call.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "planned"},
    {"id": "NIS2-DR.1", "article": "Art. 21(2)(c) — DR readiness exercise", "question": "Are disaster-recovery exercises performed and lessons-learned acted upon?", "claresia_answer": "Quarterly DR drills planned Q3 2026 with Mode B GA. Lessons-learned tracked in the engineering backlog and surfaced in the quarterly Trust Center digest.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "planned"}
  ]
}
