We are voluntarily implementing Article 21 measures using Reglyze (the product) as both subject and tool. This is dogfooding, not regulatory obligation. We surface this page so you can verify what an AI-built NIS2 evidence base actually looks like before you buy.
Every policy, training record, supplier entry, and effectiveness KPI below was generated, scored, and reviewed inside Reglyze the product, by the founder of Reglyze the company, on the same plan our paying customers use.
We documented our entire NIS2 evidence base in under 1 hour.
Manual consultant estimate for comparison: 80–120 hours.
Wall-clock minutes from the dogfooding timing log (docs/research/self-compliance-timing.md). Includes AI generation, Cyril's editing, and the review packet. Excludes the 36-hour overnight gap between phases.
Manual baseline is the lower bound of typical EU NIS2 consultancy engagements for SMEs (5–25 staff): 10–15 days of senior consultant time at €80–100/hour. Source: market quotes from CLUSIF, Clusit, and APDC member networks (2025–2026).
Last self-audit: 19 May 2026
Next self-audit: 19 Aug 2026
Quarterly self-audit per Article 21(2)(f). The Q2-2026 cycle ran on 2026-05-19: 5 KPIs reviewed, 4 on target and 1 above target, none below target. Each cycle replaces the prior PDFs in place on this page; the metrics and dates update with every cycle.
Reglyze (legal entity) is a 5-person, sub-€10M-turnover company, well below the medium-sized-enterprise threshold (in broad terms, 50 staff or €10M annual turnover under Recommendation 2003/361/EC) that Article 2(1) of the NIS2 Directive uses to bring entities into scope. We have no Article 23 obligation to notify ANSSI of incidents (any report we did make would be a voluntary notification under Article 30); we are simply outside the directive's scope. The honest reasons we still ship the evidence base on this page:
The 14 artifacts below cover the ten Article 21(2) cybersecurity risk-management measures (including the Article 21(2)(f) effectiveness-testing evidence) plus Article 20(2) management-body training. Each row links to the redacted PDF once it is published; cards marked Summary only carry the abstract until Cyril completes the per-PDF redaction pass.
Master policy: risk analysis, governance, roles and responsibilities. Approved by Cyril (sole management body member) for the Reglyze entity.
Detection → triage → containment → eradication → recovery → lessons learned. Authority-comms path is voluntary for Reglyze (out of scope under Article 2(1)) but documented for completeness.
RTO/RPO targets per service tier, failover paths (Hetzner primary + Google Drive cold backup), and tabletop exercise cadence for the Reglyze SaaS itself.
Daily PostgreSQL dumps shipped via rclone to Google Drive; 7-day on-box rotation; restore drill documented in deploy-rollback.md. Sized for what a single founder can operate.
Vendor due-diligence checklist, DPA expectations, breach-notification cascade. Applies to the 7-vendor SaaS stack (Cloudflare, Hetzner, Anthropic, Stripe, GitHub, Resend, Google Drive).
Least-privilege model, MFA on every SaaS surface, joiner/mover/leaver flow (formally trivial at headcount 5 but documented). Sets the policy ceiling for future hires.
TLS 1.3 in transit, AES-256 at rest (PostgreSQL, MinIO, GDrive backup), key-rotation cadence, no roll-your-own crypto. Inherited from SaaS vendors where applicable.
Asset inventory boundary (laptop + cloud accounts), labelling, lifecycle and decommissioning. Self-attested at solo scale; reviewed quarterly.
Onboarding security checklist, NDA template, training requirement and offboarding access-revocation steps. Sized for the first hire; current state self-attested.
Dependabot + GitHub security alerts as the inbound channel; severity-tiered SLA (critical < 7 days, high < 30 days); patch evidence in the commit history.
MFA enforced on every SaaS surface, authenticator app preferred and no SMS fallback; secured-channel matrix for sensitive comms (Signal for incidents, GitHub for code).
Quarterly self-audit cadence, KPI definitions (today: Mean Time To Detect < 2 days), review evidence stored alongside this page's last-audit timestamp.
Annual training curriculum for the management body (Article 20(2)) and staff (Article 21(2)(g)). At headcount 5 this is Cyril; flagged for third-party validation on next hire.
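As an added example that is not Reglyze's own script, the Python below implements the backup card above (daily pg_dump, 7-day on-box rotation, rclone copy to Google Drive) with two details a practitioner would want that the card does not spell out: a sha256 sidecar in sha256sum format so the restore drill can verify the dump before restoring it, and pruning that runs only after the off-site copy has succeeded and never deletes the newest dump, so a cron that stalls for a week cannot leave the box with zero local copies. The dump directory, database name and rclone remote name are assumptions; pg_dump -Fc and rclone copy are the real tools with real flags.

```python
"""Nightly PostgreSQL dump, sha256 sidecar, 7-day local rotation, rclone off-box copy.

Added example, not Reglyze's script. DB_NAME, DUMP_DIR and RCLONE_REMOTE are
assumptions; the 7-day on-box window and the Drive-via-rclone destination are the page's.
"""
from __future__ import annotations

import hashlib
import subprocess
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

KEEP_DAYS = 7
DB_NAME = "reglyze"                       # assumed
DUMP_DIR = Path("/var/backups/pg")        # assumed
RCLONE_REMOTE = "gdrive:reglyze-backups"  # assumed rclone remote:path
STAMP_FMT = "%Y%m%dT%H%M%SZ"              # timestamps are naive UTC throughout


def dump_name(now: datetime) -> str:
    return f"{DB_NAME}-{now:{STAMP_FMT}}.dump"


def pg_dump_argv(out: Path) -> list[str]:
    # -Fc: compressed custom format, restorable per object with pg_restore.
    # --no-password: credentials come from PGPASSFILE/PGPASSWORD, never a prompt.
    return ["pg_dump", "-Fc", "--no-password", "-d", DB_NAME, "-f", str(out)]


def rclone_argv(dump: Path) -> list[str]:
    # Ship only this dump and its .sha256 sidecar; rclone checks size/hash per file.
    return ["rclone", "copy", "--include", f"{dump.name}*", str(dump.parent), RCLONE_REMOTE]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sidecar(dump: Path) -> Path:
    # "<hex>  <name>" is the sha256sum -c line format the restore drill can check.
    side = dump.with_name(dump.name + ".sha256")
    side.write_text(f"{sha256_file(dump)}  {dump.name}\n")
    return side


def prune(dump_dir: Path, now: datetime, keep_days: int = KEEP_DAYS) -> list[str]:
    """Delete dumps (and sidecars) older than keep_days, judged by the timestamp in the
    filename rather than mtime so a restore or sync touching the file cannot extend its
    life. The newest dump is never deleted, whatever its age."""
    cutoff = now - timedelta(days=keep_days)
    dumps = sorted(dump_dir.glob(f"{DB_NAME}-*.dump"))  # fixed-width stamps sort by time
    removed: list[str] = []
    for d in dumps[:-1]:                                # skip the newest
        stamp = datetime.strptime(d.name[len(DB_NAME) + 1:-len(".dump")], STAMP_FMT)
        if stamp < cutoff:
            for p in (d, d.with_name(d.name + ".sha256")):
                if p.exists():
                    p.unlink()
                    removed.append(p.name)
    return removed


def run_backup(now: datetime | None = None) -> Path:
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    DUMP_DIR.mkdir(parents=True, exist_ok=True)
    dump = DUMP_DIR / dump_name(now)
    subprocess.run(pg_dump_argv(dump), check=True)  # a failed dump aborts before any pruning
    write_sidecar(dump)
    subprocess.run(rclone_argv(dump), check=True)   # off-site copy must succeed first
    prune(DUMP_DIR, now)
    return dump


def rotation_demo() -> dict:
    """Dry run of the rotation on constructed filenames in temp dirs (no pg_dump/rclone)."""
    tmp = Path(tempfile.mkdtemp())
    for stamp in ("20260510T020000Z", "20260511T020000Z", "20260518T020000Z", "20260519T020000Z"):
        dump = tmp / f"{DB_NAME}-{stamp}.dump"
        dump.write_bytes(b"constructed dump body")
        write_sidecar(dump)
    removed = prune(tmp, datetime(2026, 5, 19, 3, 0, 0))
    kept = sorted(p.name for p in tmp.iterdir())
    lone = Path(tempfile.mkdtemp())                  # a single stale dump must survive
    (lone / f"{DB_NAME}-20260101T020000Z.dump").write_bytes(b"x")
    prune(lone, datetime(2026, 5, 19))
    return {"removed": sorted(removed), "kept": kept,
            "lone_stale_kept": (lone / f"{DB_NAME}-20260101T020000Z.dump").exists()}


if __name__ == "__main__":
    print(rotation_demo())
```

run_backup is what the nightly cron would call; rotation_demo exercises only the pruning logic so the rotation rule can be checked on a machine without PostgreSQL or rclone.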
Cyril completed the Reglyze management-body training on 2026-05-17 (self-paced, self-attested). Valid until 2027-05-17. Solo-scale limitation acknowledged.
The Reglyze management body completed Article 20(2) training inside the product on 2026-05-17. At headcount 5 with a single founder, the management body is one person; we flag this honestly as a solo-scale limitation that will trigger third-party-validated training on the next hire.
NIS2 Article 20(2) — Management-Body Training
Solo scale, self-paced, self-attested. Third-party validation flagged for next hire.
Reglyze runs on a 7-vendor SaaS stack. The register tracks data shared, residual risk score, and review cadence per supplier. We publish vendor names openly — see the Trust page for the live view.
| Vendor | Service | Criticality |
|---|---|---|
| Cloudflare | CDN, DNS, WAF, TLS termination | Critical |
| Hetzner Online GmbH | Cloud infrastructure / hosting | Critical |
| Anthropic | AI / LLM (Claude API for document generation) | Critical |
| Stripe | Payment processing and billing | Critical |
| GitHub | Source code hosting and CI/CD | Critical |
| Google Workspace + Drive (via rclone) | Off-site backup destination | High |
| Resend | Transactional email delivery | Medium |
Full register including residual-risk scores and review dates lives in the product. The criticality classification above maps to the audit_classification field (critical / important / standard) used by the supplier-review reminder cron.
The Q2-2026 cycle (the first quarterly Article 21(2)(f) audit) recorded 5 effectiveness KPIs against their stated targets: Mean Time To Detect (MTTD), Mean Time To Restore (MTTR), critical-patch SLA compliance, backup restore drill execution, and supplier review completion. The KPI count will grow as policies are added; these five form the fixed spine.
| KPI | Article 21(2)(f) sub-control | Target | Q2-2026 observed | Status |
|---|---|---|---|---|
| Mean Time To Detect (MTTD): time from a cybersecurity event occurring to Reglyze detecting it. Hetzner uptime monitor + Docker healthchecks at solo-CTO scale; no SOC/SIEM. | nis2.21.2.f.1 | < 2 days | 0 incidents | On target |
| Mean Time To Restore (MTTR): time from incident detection to service fully restored. Pre-deploy backup + auto-rollback validated in two 2026-05 drills inside 3 min wall-clock. | nis2.21.2.f.2 | < 4 hours | 0 incidents | On target |
| Critical patch SLA compliance: percentage of critical/high Dependabot security PRs merged within 7 days. Q2-2026: 3/3 (drizzle-orm, Next.js, @xmldom/xmldom). | nis2.21.2.f.3 | 100% | 100% | On target |
| Backup restore drill execution: successful restore drills per quarter. Staging restore 2026-05-03 + auto-RESTORE_DB-on-smoke-fail validated 2026-05-15. | nis2.21.2.f.4 | ≥ 1 / quarter | 2 drills | Above target |
| Supplier review completion: percentage of suppliers within review cadence. 7/7 vendors carry a next_review_due_at in the future as of the audit date. | nis2.21.2.f.5 | 100% | 100% | On target |
Per-KPI findings and corrective actions are recorded in effectiveness_reviews on the prod database (idempotent, append-only). Next cycle locks 2026-08-19.
The MTTD, MTTR and supplier-review-cadence KPIs are honest dogfooding artefacts rather than validated results: Reglyze had zero cybersecurity incidents in Q2-2026, so the detection and restore controls were never exercised against a real event, and an on-target figure over zero samples says nothing about them; the supplier cadence has so far only been observed as all seven reviews still sitting inside their window, not as a completed review. Patch SLA and backup restore drill are quantitatively validated.
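As an added example (not Reglyze code), the Python below scores the five KPIs in the table above mechanically from raw evidence records, so the status column is derived from data rather than typed in. Two design points matter more than the arithmetic: a quarter with zero incidents is reported as "not validated" instead of a pass, which is the caveat made above, and an open security PR whose deadline has passed counts as a miss while one still inside its window is left undecided, so the SLA score can be neither padded nor sunk by in-flight work. It applies the vulnerability-handling policy's per-severity tiers (critical 7 days, high 30 days); the KPI row's flat 7-day window is just a different PATCH_SLA_DAYS map. The record types, function names such as score_cycle, and the sample timestamps are constructed; the package names, drill dates and targets are the page's.

```python
"""Score the Article 21(2)(f) effectiveness KPIs from raw evidence records.

Added example, not Reglyze code. Record types, function names and sample
timestamps are constructed; targets and SLA tiers are the page's. Datetimes are naive UTC.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PATCH_SLA_DAYS = {"critical": 7, "high": 30}   # vulnerability-handling policy tiers
MTTD_TARGET = timedelta(days=2)
MTTR_TARGET = timedelta(hours=4)
DRILLS_PER_QUARTER = 1


@dataclass(frozen=True)
class Incident:
    occurred_at: datetime
    detected_at: datetime
    restored_at: datetime


@dataclass(frozen=True)
class SecurityPR:
    package: str
    severity: str                 # Dependabot severity: critical/high/moderate/low
    opened_at: datetime
    merged_at: Optional[datetime]  # None while still open


@dataclass(frozen=True)
class Supplier:
    name: str
    next_review_due_at: datetime


@dataclass(frozen=True)
class Kpi:
    control: str   # nis2.21.2.f.N identifier as used on the page
    observed: str
    status: str    # on target | above target | below target | not validated


def _time_kpi(control: str, samples: list[timedelta], target: timedelta) -> Kpi:
    # Zero incidents means the control was never exercised: say so instead of passing it.
    if not samples:
        return Kpi(control, "0 incidents", "not validated")
    mean = sum(samples, timedelta()) / len(samples)
    return Kpi(control, f"mean {mean}", "on target" if mean < target else "below target")


def mttd(incidents: list[Incident]) -> Kpi:
    return _time_kpi("nis2.21.2.f.1", [i.detected_at - i.occurred_at for i in incidents], MTTD_TARGET)


def mttr(incidents: list[Incident]) -> Kpi:
    return _time_kpi("nis2.21.2.f.2", [i.restored_at - i.detected_at for i in incidents], MTTR_TARGET)


def patch_sla(prs: list[SecurityPR], as_of: datetime) -> Kpi:
    """Share of critical/high PRs merged inside their severity's window; an open PR past
    its deadline is a miss, an open PR still inside its window is undecided and excluded."""
    met = missed = 0
    for pr in prs:
        days = PATCH_SLA_DAYS.get(pr.severity)
        if days is None:
            continue                                  # moderate/low carry no SLA
        deadline = pr.opened_at + timedelta(days=days)
        if pr.merged_at is not None:
            if pr.merged_at <= deadline:
                met += 1
            else:
                missed += 1
        elif as_of > deadline:
            missed += 1
    decided = met + missed
    if decided == 0:
        return Kpi("nis2.21.2.f.3", "0 critical/high PRs", "not validated")
    return Kpi("nis2.21.2.f.3", f"{met}/{decided} ({100 * met / decided:.0f}%)",
               "on target" if missed == 0 else "below target")


def restore_drills(drills: list[datetime], quarter_start: datetime, as_of: datetime) -> Kpi:
    n = sum(1 for d in drills if quarter_start <= d <= as_of)
    status = ("above target" if n > DRILLS_PER_QUARTER
              else "on target" if n == DRILLS_PER_QUARTER else "below target")
    return Kpi("nis2.21.2.f.4", f"{n} drills", status)


def supplier_reviews(suppliers: list[Supplier], as_of: datetime) -> Kpi:
    # In cadence means the next review is still in the future on audit day.
    if not suppliers:
        return Kpi("nis2.21.2.f.5", "0 suppliers", "not validated")
    ok = sum(1 for s in suppliers if s.next_review_due_at > as_of)
    return Kpi("nis2.21.2.f.5", f"{ok}/{len(suppliers)}",
               "on target" if ok == len(suppliers) else "below target")


def score_cycle(incidents, prs, drills, suppliers, quarter_start, as_of) -> dict[str, Kpi]:
    results = [mttd(incidents), mttr(incidents), patch_sla(prs, as_of),
               restore_drills(drills, quarter_start, as_of), supplier_reviews(suppliers, as_of)]
    return {k.control: k for k in results}


# Constructed evidence resembling the Q2-2026 cycle (PR and review timestamps are made up).
AUDIT_DATE = datetime(2026, 5, 19)
Q2_START = datetime(2026, 4, 1)
SAMPLE_INCIDENTS: list[Incident] = []
SAMPLE_PRS = [
    SecurityPR("drizzle-orm", "high", datetime(2026, 4, 8), datetime(2026, 4, 10)),
    SecurityPR("Next.js", "critical", datetime(2026, 4, 21), datetime(2026, 4, 23)),
    SecurityPR("@xmldom/xmldom", "high", datetime(2026, 5, 2), datetime(2026, 5, 5)),
    SecurityPR("some-dev-dep", "low", datetime(2026, 5, 10), None),   # no SLA, ignored
]
SAMPLE_DRILLS = [datetime(2026, 5, 3), datetime(2026, 5, 15)]
SAMPLE_SUPPLIERS = [Supplier(n, datetime(2026, 8, 1)) for n in
                    ("Cloudflare", "Hetzner", "Anthropic", "Stripe", "GitHub", "Google Drive", "Resend")]
OVERDUE_PRS = SAMPLE_PRS + [SecurityPR("left-open", "critical", datetime(2026, 5, 1), None)]
LATE_INCIDENTS = [Incident(datetime(2026, 4, 1, 9), datetime(2026, 4, 4, 9), datetime(2026, 4, 4, 12))]

if __name__ == "__main__":
    for kpi in score_cycle(SAMPLE_INCIDENTS, SAMPLE_PRS, SAMPLE_DRILLS,
                           SAMPLE_SUPPLIERS, Q2_START, AUDIT_DATE).values():
        print(f"{kpi.control}: {kpi.observed} -> {kpi.status}")
```

OVERDUE_PRS and LATE_INCIDENTS are the negative cases: a critical PR left open past its seven-day window flips the SLA KPI to below target, and a single incident detected after three days flips MTTD even though restore time stays inside four hours.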
A single audit_logs row stamps the cycle's completion. The reviewer signature is digital, and the reviewer is the management body itself: Cyril, the sole admin, clicked through every screen, which is the dogfooding promise.
Reglyze is NIS2 out-of-scope under Article 2(1); this audit is voluntary. The cadence is locked to quarterly, the same recommendation we make to paying customers.
This page is part of the Reglyze website, served as a static Next.js route, and the redacted PDFs live in version control alongside it. Anyone can verify the timeline:
Start a free scoping in five minutes. If you are out of scope under Article 2(1) like us, you can still build the voluntary evidence base on the Free tier. If you are in scope, Reglyze's Pro plan covers the full Article 21 surface with AI doc generation, supplier register, and quarterly audits.