Status — compatibility pack mapped to Article 21(2). Berserk ApS is not directly in scope of NIS2 today: software publishing is not in Annex I or Annex II, the company is below the medium-enterprise size cap, and the self-hosted product is operated by you rather than by us. If you operate in a NIS2-scoped sector, you are subject to the Article 21(2)(d) supply-chain obligations and will need evidence from your software vendors to discharge them. The artefacts on this page — and the trust pack as a whole — exist primarily to give you that evidence.

The full internal applicability analysis — size cap, sector analysis, MSP-borderline reasoning, and transposition triggers per member state — is available to enterprise customers under NDA on request to security@bzrk.dev.
NIS2 Article 21(2) requires entities to take "appropriate and proportionate technical, operational and organisational measures" across ten enumerated areas. We have an internal control set mapped to all ten — public extracts are linked below; full mapping under NDA via the internal control matrix.
| Art. 21(2) measure | Status | Public artefact / where it lives |
|---|---|---|
| (a) Policies on risk analysis and information system security | Partial | Twelve internal policies (NDA) cover the measure set; formal CEO approval + cross-policy review cadence are tracked in the control matrix (C-002, C-003 planned). Public extract: Trust Overview and Security Whitepaper. |
| (b) Incident handling | Partial | Internal incident-response policy + runbook (NDA); inbound channel via Coordinated Vulnerability Disclosure. Detection criteria and SIEM-style correlation tracked in the control matrix (C-006…C-012 partial / planned, R-DETECT-01..04). |
| (c) Business continuity, backups, disaster recovery, crisis management | Partial | BCP in place; first end-to-end recovery rehearsal scheduled — see Security Roadmap (R-RECOVERY-01). |
| (d) Supply-chain security | Yes | Pinned dependencies, vendored toolchain, daily scanning, per-image SBOM (/sbom.cdx.json), VEX-annotated exceptions; see Security Whitepaper §"Supply-chain controls". |
| (e) Security in network and information systems acquisition, development, and maintenance | Partial | Internal secure-development policy (NDA); Security Whitepaper §"Runtime safety properties". Threat-modelling gate, configuration baselines, and CVE-SLA codification still tracked in the control matrix (C-021, C-022, C-027, C-029). |
| (f) Policies and procedures to assess effectiveness of risk-management measures | Partial | Quarterly risk-register re-scoring + annual control-matrix review; first internal audit Q4 2026 (R-ISMS-01). |
| (g) Cyber hygiene practices and security training | Partial | Onboarding briefing exists; annual refresher session is roadmap (R-PEOPLE-01). |
| (h) Cryptography | Partial | Transit cryptography is in place (rustls with aws-lc-rs; AES-256-GCM, ChaCha20-Poly1305, Ed25519, ECDSA P-256 — see Security Whitepaper §"Product cryptography and encryption"). At-rest crypto + key-management remain partial: K8s control-plane CMK and SOPS for secret-at-rest are tracked (R-PROD-01, R-PROD-04). |
| (i) Human resources security, access control, asset management | Partial | HR + access policies in place; SSH 2FA enforcement and per-user prod accounts on roadmap (R-ACCESS-01, R-PROD-02). |
| (j) Use of MFA / continuous authentication, secure voice/video/text comms, secured emergency comms | Partial | 2FA enabled on Proton + GitHub; SSH 2FA enforcement scheduled (R-ACCESS-01). Voice/video/text comms over Proton + Signal. |
Berserk follows the staged-reporting model NIS2 Article 23 expects, even where we are not the directly-reporting entity:
Reporting destination follows the affected entity's member state:
| Affected entity | Reporting destination |
|---|---|
| Berserk ApS (Danish-domiciled) | CFCS / CSIRT-DK. |
| Customer in another EU/EEA member state (NIS2-scoped) | The customer's national CSIRT. We support the customer per the DPA notification commitments. |
| Sweden specifically (Cybersäkerhetslagen, in force 2026-01-15) | CERT-SE at MSB. |
For personal-data overlap see GDPR §"Personal-data breach notification". The role determines the route: for breaches of Berserk-controlled data we notify Datatilsynet under Article 33 (and data subjects under Article 34 where the breach poses high risk); for breaches of customer data we hold as processor under DPA, Article 33(2) governs — Berserk notifies the customer (the controller) without undue delay, target ≤24 hours from awareness, and the customer files with its supervisory authority and notifies data subjects.
The breach-notification tabletop is exercised every October and covers the NIS2 + GDPR clocks in a single drill. The internal compliance calendar that schedules it is NDA-only; the public extract of the review-cadence summary lives at ISO 27001 Readiness §"Review cadence".
What you'll typically need from us in procurement when you operate in an Annex I/II sector:
| Procurement ask | Where to find it |
|---|---|
| Vendor information-security programme | Internal policy set (twelve policies, NDA); public summary in the Security Whitepaper and Trust Overview. |
| Vulnerability disclosure mechanism | Coordinated Vulnerability Disclosure; /.well-known/security.txt. |
| SBOMs for shipped artefacts | CycloneDX 1.6 at /sbom.cdx.json inside every container; reproducible from tools/licenses/generate_sbom.py. |
| VEX for unfixed advisories | Embedded in the same SBOM (analysis.state = not_affected with justification). |
| Sub-processor visibility + change notice | Sub-processors (30-day change notice in the DPA). |
| Incident notification commitments | DPA Template §"Personal-data breach notification" + this page. |
| Vendor controls evidence | Filled CAIQ v4, ISO 27001 Readiness. |
| License posture for shipped third-party code | /THIRD_PARTY_LICENSES.txt in every container; CLI --licenses. |
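Added example, not Berserk's own tooling (the page points to tools/licenses/generate_sbom.py for that): a check a customer in an Annex I/II sector could run over the /sbom.cdx.json pulled out of a container to confirm that every unfixed advisory is carried as a VEX not_affected statement with a CycloneDX justification, and to flag anything still open, unjustified, or pointing at a component the BOM does not list. The sample BOM and its CVE ids are constructed placeholders.

```python
"""Audit VEX statements embedded in a CycloneDX SBOM. Added example, not Berserk's own
generate_sbom.py; the sample BOM and CVE ids below are constructed placeholders."""
import json
import sys
# Justification values defined by the CycloneDX vulnerability analysis schema.
VALID_JUSTIFICATIONS = {
    "code_not_present", "code_not_reachable", "requires_configuration", "requires_dependency",
    "requires_environment", "protected_by_compiler", "protected_at_runtime",
    "protected_at_perimeter", "protected_by_mitigating_control",
}
# States that close an advisory; anything else (exploitable, in_triage, absent) is still open.
CLOSED_STATES = {"resolved", "resolved_with_pedigree", "false_positive", "not_affected"}

def audit_vex(sbom: dict) -> dict:
    """Return advisory ids keyed by finding: open, unjustified (not_affected with no
    schema justification), dangling (affects a bom-ref the BOM does not list)."""
    known_refs = {c.get("bom-ref") for c in sbom.get("components", [])}
    findings = {"open": [], "unjustified": [], "dangling": []}
    for vuln in sbom.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        analysis = vuln.get("analysis") or {}
        state = analysis.get("state")
        if state not in CLOSED_STATES:
            findings["open"].append(vid)
        elif state == "not_affected" and analysis.get("justification") not in VALID_JUSTIFICATIONS:
            findings["unjustified"].append(vid)  # "not affected" is only evidence if it says why
        if any(t.get("ref") not in known_refs for t in vuln.get("affects", [])):
            findings["dangling"].append(vid)  # a statement about nothing in this BOM proves nothing
    return findings

# Constructed CycloneDX 1.6-shaped sample; CVE-0000-* are placeholders, not real advisories.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "example-a", "version": "1.0.0", "bom-ref": "pkg:cargo/example-a@1.0.0"},
        {"type": "library", "name": "example-b", "version": "2.1.0", "bom-ref": "pkg:cargo/example-b@2.1.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:cargo/example-a@1.0.0"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},  # good VEX
        {"id": "CVE-0000-0002", "affects": [{"ref": "pkg:cargo/example-b@2.1.0"}],
         "analysis": {"state": "not_affected"}},  # missing justification
        {"id": "CVE-0000-0003", "affects": [{"ref": "pkg:cargo/example-b@2.1.0"}],
         "analysis": {"state": "in_triage"}},  # still open
        {"id": "CVE-0000-0004", "affects": [{"ref": "pkg:cargo/example-c@0.1.0"}],
         "analysis": {"state": "not_affected", "justification": "protected_at_runtime"}},  # not in BOM
    ],
}
if __name__ == "__main__":  # usage: python <this file> /sbom.cdx.json (defaults to the sample)
    bom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    print(json.dumps(audit_vex(bom), indent=2))
```

An empty result set for all three keys is what a clean VEX-annotated SBOM should produce; anything under "open" is a finding to raise with the vendor.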
For the consolidated public list of compliance items in flight (with target dates and the risk-register IDs they correspond to), see the Security Roadmap. Items most material to the NIS2 measure set above are R-RECOVERY-01 (DR rehearsal), R-PEOPLE-01 (annual awareness session), R-ACCESS-01 (SSH + console 2FA), R-PROD-02 (per-user prod accounts), and R-ISMS-01 (first internal audit + management review).
Under NDA on request to security@bzrk.dev:
Last reviewed 2026-05-04. Re-reviewed annually in April alongside the internal NIS2 applicability memo, and on every event that materially changes the scope analysis (tracked internally).