NIS2COMPASS: Evidence-Linked AI for Verifiable Cybersecurity

An organisation can do serious cybersecurity work and still struggle to prove it. The team may have patched systems, reviewed access rights, monitored infrastructure, trained staff, handled incidents, and documented policies. Yet when a customer, auditor, regulator, or board member asks for evidence, the proof may still be scattered across email threads, ticketing systems, spreadsheet exports, vulnerability reports, dashboards, scanner outputs, and informal status notes.

That is the gap NIS2COMPASS is designed to address.

NIS2COMPASS — NIS2 Compliance, Monitoring, and Posture Assessment for Sectoral Security — is an evidence-driven compliance and resilience accelerator coordinated by AI STM Learning together with our partner SmartClover. The project focuses on a practical problem created by the NIS2 era: cybersecurity activity is no longer enough if the organisation cannot demonstrate what happened, when it happened, which obligation it supports, who reviewed it, and whether the underlying evidence can be trusted.

At AI STM Learning, we see this as a high-trust AI systems problem. NIS2 readiness depends on more than policies and technical controls. It depends on the ability to connect real security activity to structured, reviewable, audit-ready evidence. NIS2COMPASS builds that connection through a Compliance Evidence Graph, human-approved AI-assisted mapping, continuous monitoring, vulnerability validation, awareness activity, and sector-specific playbooks.

Figure 1. NIS2COMPASS turns scattered cybersecurity artefacts into structured, verifiable, audit-ready proof.

Why NIS2 changes the meaning of cybersecurity proof

The NIS2 Directive raises expectations for cybersecurity risk management, incident reporting, supply-chain security, vulnerability handling, business continuity, supervision, enforcement, and management accountability across important and essential sectors. In practice, this means that organisations must be able to show not only that controls exist, but that they are operating, reviewed, maintained, and supported by evidence.

The difficult part is that evidence rarely lives in one place. A vulnerability scan may show a weakness, but not the management decision around remediation. A policy may describe access control, but not prove that access reviews happened. A training record may demonstrate staff awareness activity, but not connect naturally to NIS2 control areas. A penetration-test report may contain valuable findings, but unless those findings are linked to affected systems, remediation actions, verification status, and approved evidence packs, they remain hard to reuse in a compliance context.

This is where conventional documentation starts to break down. A spreadsheet can list findings. A folder can store policies. A ticketing tool can track tasks. But none of these, alone, preserves the compliance argument. NIS2COMPASS treats that argument as something that must be engineered: evidence should have structure, provenance, integrity, ownership, review status, and a clear relationship to regulatory and operational requirements.

The Compliance Evidence Graph

At the centre of NIS2COMPASS is the Compliance Evidence Graph. It is a structured, versioned, traceable knowledge graph that connects cybersecurity artefacts to NIS2 controls, systems, owners, findings, remediation actions, approvals, timestamps, and integrity checks.

Instead of treating compliance as a flat checklist, the graph models relationships. A control can be linked to a policy. A policy can be linked to an approval. A vulnerability finding can be linked to an affected asset, a remediation action, a test result, and a final verification. A training record can be linked to a human-risk control. A monitoring event can be linked to detection coverage, incident-response procedures, and the evidence pack required for audit.

Figure 2. The Compliance Evidence Graph connects controls, systems, evidence, people, approvals, and provenance into a structured audit trail.

The important point is not merely that data is collected. The important point is that every evidence item keeps its context. Each artefact can carry metadata such as source system, timestamp, version, classification level, review status, and integrity hash. The system can preserve the logic of the evidence trail: this artefact came from this system, supports this control, was reviewed by this role, changed at this time, and belongs in this evidence pack.

This is where AI becomes useful. NIS2COMPASS uses AI-assisted mapping to help classify incoming artefacts against candidate NIS2 controls and summarise technical context in a more readable form. But the AI does not make autonomous compliance conclusions. Its role is to reduce repetitive work, identify candidate relationships, and support the human reviewer. A proposed mapping only becomes authoritative after explicit human approval.

That boundary matters. In regulated and high-trust environments, AI cannot be a black box that produces confident compliance text disconnected from source evidence. STM’s approach is evidence-linked AI: outputs should remain tied to data lineage, rationale, provenance, and review workflows. This is consistent with how we build research-grade AI systems at stm.ai and with our broader work on cybersecurity-oriented AI through CLARA.

From cybersecurity activity to audit-ready proof

NIS2COMPASS is not designed to replace the cybersecurity tools an organisation already uses. Most teams already have systems that generate useful signals: monitoring alerts, vulnerability scan outputs, asset inventories, incident notes, access reviews, threat-intelligence indicators, training records, remediation tickets, and penetration-test findings. The practical question is whether those signals become reviewable evidence.

The project follows a clear operational journey. First, security activity produces artefacts. Then those artefacts are captured, normalised, tagged, and linked to relevant controls. AI assists by proposing classifications, summaries, and relationships. Human reviewers approve, correct, or reject those proposals. Approved evidence becomes part of an evidence pack, and the same evidence trail can later support audit, management reporting, remediation tracking, and continuous improvement.
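The graph structure described under "The Compliance Evidence Graph" and the capture-propose-approve journey described just above can be made concrete with a small model. The following Python is an added, hypothetical example written for this post; it is not NIS2COMPASS project code, and the artefact identifiers, the control label `CTRL-VULN-HANDLING`, and the sample artefact contents are all constructed. It shows artefacts that carry provenance metadata and a SHA-256 integrity hash at ingestion, AI-proposed control mappings that remain non-authoritative until a named reviewer approves them, and an evidence pack that re-verifies every artefact's hash and fails closed if one has been altered.

```python
"""Added example: a minimal Compliance Evidence Graph (hypothetical, not project code)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Artefact:
    """One piece of evidence with the context it arrived with."""
    artefact_id: str
    source_system: str      # e.g. "vuln-scanner", "ticketing", "doc-repo"
    timestamp: str          # ISO 8601 time reported by the source system
    version: int
    classification: str     # e.g. "internal", "confidential"
    content: bytes
    integrity_hash: str     # SHA-256 of content, fixed at ingestion

    @staticmethod
    def ingest(artefact_id, source_system, timestamp, version, classification, content):
        digest = hashlib.sha256(content).hexdigest()
        return Artefact(artefact_id, source_system, timestamp, version,
                        classification, content, digest)

    def verify(self) -> bool:
        """True only if the content still matches the hash taken at ingestion."""
        return hashlib.sha256(self.content).hexdigest() == self.integrity_hash


@dataclass
class Mapping:
    """A proposed link artefact -> control; authoritative only once approved."""
    artefact_id: str
    control_id: str
    proposed_by: str
    rationale: str
    status: str = "proposed"        # proposed -> approved | rejected
    reviewed_by: str | None = None


class EvidenceGraph:
    def __init__(self) -> None:
        self.artefacts: dict[str, Artefact] = {}
        self.mappings: list[Mapping] = []
        self.audit_log: list[str] = []   # append-only record of every change

    def add_artefact(self, a: Artefact) -> None:
        self.artefacts[a.artefact_id] = a
        self.audit_log.append(f"ingest {a.artefact_id} from {a.source_system} v{a.version}")

    def propose_mapping(self, artefact_id: str, control_id: str, rationale: str) -> Mapping:
        """Stand-in for the AI classifier: it may only propose, never approve."""
        if artefact_id not in self.artefacts:
            raise KeyError(f"unknown artefact {artefact_id}")
        m = Mapping(artefact_id, control_id, "ai-classifier", rationale)
        self.mappings.append(m)
        self.audit_log.append(f"propose {artefact_id} -> {control_id}: {rationale}")
        return m

    def review(self, m: Mapping, reviewer: str, decision: str) -> None:
        """Human decision; a mapping can be reviewed exactly once."""
        if decision not in ("approved", "rejected"):
            raise ValueError("decision must be 'approved' or 'rejected'")
        if m.status != "proposed":
            raise ValueError(f"mapping already {m.status}")
        m.status, m.reviewed_by = decision, reviewer
        self.audit_log.append(f"{decision} {m.artefact_id} -> {m.control_id} by {reviewer}")

    def evidence_for(self, control_id: str) -> list[str]:
        """Only human-approved mappings count as evidence for a control."""
        return sorted(m.artefact_id for m in self.mappings
                      if m.control_id == control_id and m.status == "approved")

    def build_pack(self, control_id: str) -> dict:
        """Evidence pack for audit: re-verify each artefact, fail closed on tampering."""
        items = []
        for aid in self.evidence_for(control_id):
            a = self.artefacts[aid]
            if not a.verify():
                raise ValueError(f"integrity check failed for {aid}")
            items.append({"artefact_id": aid, "source_system": a.source_system,
                          "timestamp": a.timestamp, "version": a.version,
                          "classification": a.classification, "sha256": a.integrity_hash})
        return {"control": control_id, "items": items}


def build_demo_graph() -> EvidenceGraph:
    """Constructed sample data: three artefacts, three AI proposals, two reviews."""
    g = EvidenceGraph()
    g.add_artefact(Artefact.ingest("scan-001", "vuln-scanner", "2024-05-02T09:15:00Z", 1,
                                   "confidential", b"constructed finding: outdated TLS library on web-01"))
    g.add_artefact(Artefact.ingest("ticket-042", "ticketing", "2024-05-06T16:40:00Z", 3,
                                   "internal", b"constructed ticket: patch applied to web-01, rescan pending"))
    g.add_artefact(Artefact.ingest("policy-ac-v2", "doc-repo", "2024-01-10T08:00:00Z", 2,
                                   "internal", b"constructed access control policy v2"))
    m1 = g.propose_mapping("scan-001", "CTRL-VULN-HANDLING", "scanner output names a vulnerability finding")
    g.propose_mapping("ticket-042", "CTRL-VULN-HANDLING", "ticket references remediation of a finding")
    m3 = g.propose_mapping("policy-ac-v2", "CTRL-VULN-HANDLING", "low-confidence keyword match")
    g.review(m1, "security-lead", "approved")
    g.review(m3, "security-lead", "rejected")
    # The ticket mapping is left in "proposed" state: it is not yet evidence.
    return g


if __name__ == "__main__":
    graph = build_demo_graph()
    print(graph.build_pack("CTRL-VULN-HANDLING"))
    print("\n".join(graph.audit_log))
```

The point the model enforces is the boundary described in the text: `evidence_for` ignores everything the classifier proposed until a reviewer has approved it, and `build_pack` refuses to export an artefact whose content no longer matches the hash recorded at ingestion. In a real deployment the audit log would itself be stored append-only and the hashes anchored outside the system that holds the artefacts.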

Figure 3. AI accelerates mapping and summarisation, while people approve the evidence record and remain in control.

This process turns scattered operational signals into a compliance posture that can be inspected. A monitoring event becomes more than a log line. A vulnerability becomes more than a scanner export. A remediation action becomes more than a ticket marked “done”. A training campaign becomes more than an attendance number. Each item can be connected to controls, systems, owners, approvals, and evidence packs.

The result is a shift from compliance as periodic reconstruction to compliance as a living evidence layer. Instead of preparing from scratch when an audit approaches, the organisation can maintain a continuously improving view of what has been assessed, what has been fixed, what remains open, and which evidence supports each obligation.

A layered cybersecurity and compliance architecture

NIS2COMPASS combines several complementary layers. The governance and compliance layer maps policies, procedures, controls, and evidence packs. The Evidence Graph provides the structured link between technical facts and regulatory requirements. The monitoring and threat-intelligence layer supports early detection, event correlation, sector-relevant indicators, and detection rules. The validation and resilience layer brings penetration testing, breach simulations, vulnerability triage, and remediation verification into the same evidence trail. The human-factor layer connects awareness activity, phishing simulations, role-based training, and behavioural improvement to NIS2-relevant controls.

This architecture is intentionally practical. NIS2 compliance cannot be solved only by policy writing. It also cannot be solved only by technical tooling. The real value appears when governance, monitoring, validation, awareness, remediation, and audit evidence reinforce one another.

AI STM Learning coordinates the compliance and evidence architecture: the Evidence Graph, AI-assisted control mapping, human approval workflows, audit-ready evidence packs, traceability logic, and project coordination. SmartClover contributes operational cybersecurity and dissemination capacity, including monitoring evidence, threat-intelligence alignment, vulnerability assessment and penetration-testing coordination, remediation verification, awareness activity, and public-safe communication.

Together, the consortium covers the full path from evidence architecture to operational validation. The goal is not to produce another isolated report. The goal is to create a repeatable model that helps SMEs move from fragmented security work to demonstrable NIS2 readiness.

Why AI must stay close to the evidence

There is a tempting but dangerous shortcut in compliance automation: generate a polished report and call it readiness. NIS2COMPASS takes a different route. A generated report is useful only if the organisation can inspect the source artefacts behind it. A control status is meaningful only if the system can show why that status is justified. A summary is trustworthy only if it remains connected to evidence, reviewer decisions, timestamps, and provenance.

This is why NIS2COMPASS focuses on evidence-linked AI rather than free-floating compliance text. AI can help classify, summarise, normalise terminology, and reduce manual effort. But the durable value comes from the structured record underneath: the graph, the source links, the metadata, the approval history, and the integrity checks.

This design is also important for data sovereignty. Cybersecurity data is sensitive. Logs can reveal system architecture. Vulnerability details can become attacker guidance. Awareness metrics can raise privacy concerns if handled carelessly. NIS2COMPASS therefore follows an on-prem-first or controlled-hybrid mindset, where sensitive data remains within the organisation’s controlled perimeter and public outputs are sanitised, aggregated, or synthetic where appropriate.

Sector-aware evidence playbooks

NIS2COMPASS is built to be cross-sector, but not generic. The same regulatory obligation can require different evidence in different operational contexts.

In MedTech and manufacturing, the evidence trail may involve software and firmware changes, secure development practices, supplier controls, validation and testing records, production-environment considerations, role-based training, incident response, and quality-management interfaces. In digital infrastructure and hosting, the evidence trail may focus more strongly on asset inventories, access governance, server hardening, backup resilience, DDoS readiness, client isolation, capacity evidence, patch status, and incident-response runbooks.

Figure 4. NIS2COMPASS uses the same evidence framework across sectors while adapting the evidence patterns to domain-specific realities.

This is why NIS2COMPASS produces reusable sector playbooks rather than a single universal checklist. The common pattern is the Evidence Graph, but the evidence itself remains sector-aware. The project validates the approach across manufacturing and digital infrastructure environments and extends sector engagement through the MedTech ecosystem.

SmartClover brings regulated healthcare AI experience to this work through its public activity around clinician-led AI workflows, CerviGuard, DataGems, and trust-oriented product materials. That background aligns naturally with the NIS2COMPASS emphasis on controlled evidence, human review, privacy-aware design, and responsible disclosure.

What should be public, and what must remain private

A cybersecurity project should not create new cybersecurity risk through its own communication. NIS2COMPASS therefore separates public methodology from sensitive operational evidence.

Public outputs can include reusable playbooks, synthetic examples, schema descriptions, methodology notes, training patterns, sector-readiness lessons, and explanations of how evidence should be structured. These materials can help SMEs understand how to organise NIS2 readiness without exposing pilot-specific weaknesses.

Private outputs must remain private. Raw vulnerabilities, exploit details, internal architecture, credentials, personal data, pilot-specific weaknesses, operational logs, and sensitive remediation details should not appear in public dissemination. They belong inside controlled environments, shared only with authorised stakeholders under agreed responsible-disclosure and access-control procedures.
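The public/private separation above, and the "sanitised, aggregated, or synthetic" public outputs mentioned under data sovereignty, are easiest to get right when they are enforced by code rather than by editorial care. The following Python is an added, hypothetical example for this post, not NIS2COMPASS project code; the classification ladder, field allow-list, control labels and sample evidence items are all constructed. It builds a public view of an evidence pack by dropping every item above the public classification threshold, keeping only an explicit allow-list of fields, aggregating approved-evidence counts per control, and scrubbing internal hostnames, IP addresses and credential-like strings from any free text that does pass.

```python
"""Added example: a fail-closed public export of evidence items (hypothetical, not project code)."""
import re
from collections import Counter

# Constructed classification ladder; only items at or below PUBLIC_MAX leave the perimeter.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
PUBLIC_MAX = "public"

# Allow-list: a field absent from this tuple is never exported, whatever it contains.
PUBLIC_FIELDS = ("id", "control", "status", "summary")

# Patterns scrubbed from free text that does pass the classification gate.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
INTERNAL_HOST = re.compile(r"\b[a-z0-9-]+\.(?:internal|local|corp)\b", re.I)
SECRET = re.compile(r"(?i)(password|token|api[_-]?key)\s*[:=]\s*\S+")


def scrub(text: str) -> str:
    """Replace network identifiers and credential-like fragments with placeholders."""
    text = IPV4.sub("[ip]", text)
    text = INTERNAL_HOST.sub("[host]", text)
    text = SECRET.sub(r"\1=[redacted]", text)
    return text


def public_view(items: list[dict]) -> dict:
    """Produce the only representation of an evidence pack that may be disseminated."""
    threshold = LEVELS[PUBLIC_MAX]
    exported, withheld = [], 0
    for item in items:
        # Unknown classification -> treated as the most sensitive level (fail closed).
        level = LEVELS.get(item.get("classification"), max(LEVELS.values()))
        if level > threshold:
            withheld += 1
            continue
        clean = {k: item[k] for k in PUBLIC_FIELDS if k in item}
        if "summary" in clean:
            clean["summary"] = scrub(clean["summary"])
        exported.append(clean)
    # Aggregate figure: approved evidence items per control, computed over all items
    # but exposing no item-level detail about the withheld ones.
    per_control = Counter(i["control"] for i in items if i.get("status") == "approved")
    return {"per_control": dict(per_control), "items": exported, "withheld": withheld}


# Constructed sample evidence items (not real findings, hosts or people).
SAMPLE_ITEMS = [
    {"id": "vuln-7", "classification": "confidential", "control": "CTRL-VULN",
     "status": "open", "summary": "injection finding on app-01.internal (10.0.4.12)",
     "detail": "remediation notes stay inside the perimeter"},
    {"id": "playbook-1", "classification": "public", "control": "CTRL-VULN",
     "status": "approved",
     "summary": "Vulnerability triage playbook; pilot host db-02.corp at 192.168.1.20 used in demo",
     "owner": "reviewer@example.org"},
    {"id": "training-3", "classification": "internal", "control": "CTRL-AWARENESS",
     "status": "approved", "summary": "Phishing simulation results by employee"},
]


if __name__ == "__main__":
    print(public_view(SAMPLE_ITEMS))
```

Two design choices carry the weight here: the field allow-list means a new sensitive attribute added to the evidence model later cannot leak by accident, and an item with a missing or unrecognised classification is withheld rather than exported. The regex scrub is a last line of defence for free text, not a substitute for the classification gate.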

This distinction is central to both responsible cybersecurity and responsible AI. It allows the project to share what is useful while protecting the organisations and systems being improved.

Toward Compliance-as-a-Service

The longer-term ambition for NIS2COMPASS is a repeatable Compliance-as-a-Service model for organisations that need NIS2 support but cannot build a full compliance automation capability from scratch.

A practical service model would help an organisation establish a baseline, identify gaps, capture evidence, connect artefacts to NIS2 control areas, approve mappings, monitor improvements, validate resilience, train staff, and maintain audit-ready evidence packs over time. This is more useful than a one-off compliance report because it treats security and compliance as a living operational posture.

For SMEs in essential and important sectors, that distinction matters. Many do not need more abstract compliance language. They need a way to turn the security work they already do — and the improvements they still need to make — into evidence that is structured, reviewable, and trustworthy.

A compass for verifiable cybersecurity

NIS2COMPASS is built around a simple idea: cybersecurity work becomes more valuable when it can be proven.

The proof does not come from a folder of documents or an AI-generated summary alone. It comes from a structured evidence layer that connects controls, systems, artefacts, people, reviews, remediation actions, and timestamps. It comes from AI that helps experts work faster while staying close to source data. It comes from human approval, traceability, and careful separation between public knowledge and private security-sensitive detail.

That is the role of NIS2COMPASS: to help organisations move from fragmented activity to verifiable cybersecurity practice. The compass does not replace responsibility, and AI does not replace expert judgement. But together, evidence architecture, operational cybersecurity, and human-reviewed AI can make NIS2 readiness clearer, more measurable, and more trustworthy.

Further reading: AI STM Learning, CLARA by stm.ai, SmartClover, European Commission NIS2 Directive overview, and European Commission NIS2 FAQs.