NIS2 Directive — Articles 21 and 23
D3 Morpheus — The Accountable Autonomous SOC
Autonomous. Audited. Defensible.
24 hours: early warning to the CSIRT (Article 23(4)(a))
72 hours: incident notification with initial assessment (Article 23(4)(b))
1 month: final report (Article 23(4)(d))
1 trail: the same audit artifact produces evidence for all three obligations
Built for the regulated SOC that can’t hire its way out of the alert volume — and can’t accept AI it can’t defend. Morpheus automates L1 triage on every alert and keeps going to L2 deep investigation. Up to 95% of alerts triaged and L2-investigated in under two minutes. Every decision traceable in one regulator-readable audit trail across all four autonomy levels. Built for SEC Item 1.05, NYDFS Part 500, HIPAA 45 CFR 164.312, NERC CIP-008-6, OCC 36-hour notification, NIS2, DORA, and BSI C5 evidence demands.
Morpheus does the L1 work — classification, enrichment, prioritization — and keeps going to L2 deep investigation. Attack Path Discovery, D3’s investigation engine, traces the attack across identities, endpoints, cloud, and email infrastructure. It reaches back 90 days of telemetry. It maps blast radius. It drafts the remediation. Morpheus does the legwork. Your analyst does the analysis.

Choose the level. Same engine, same audit format, no architectural fork:
Level 1 — Deterministic. No AI in the chain.
Level 2 — AI-Assisted. You approve every action.
Level 3 — AI-Led. The Adaptive Tasking copilot drafts; you oversee each command-risk tier.
Level 4 — Autonomous. End-to-end triage and remediation.
Pick the mode that fits your environment, regulator, or MSSP customer. Morpheus arrives pre-trained, then self-learns from your team’s best practices, threat and vulnerability reports, and your SOPs. Predictable annual subscription across all four autonomy levels.

A full package — AI SOC, SOAR, and case management — with one control panel for triage, investigation, vulnerability triage, trend reporting, and compliance. One audit trail per incident — every action, every decision, every task, system or human, fully auditable, nothing hidden. Not a black box. Not a fleet of agents to reconcile. The trail maps to SEC, NYDFS, HIPAA, NERC CIP, NIS2, DORA, BSI C5, and the EU AI Act. 800+ self-healing integrations that fix themselves when vendors push API changes. Trusted by Fortune 500 enterprises and the world’s largest MSSPs.
What NIS2 Requires
Articles 21 and 23 — Risk Management and the Reporting Clock
Two articles do most of the operational work. Article 21 sets the measures. Article 23 sets the clock.
Article 21 — Cybersecurity Risk-Management Measures
Article 21 requires essential and important entities to adopt appropriate and proportionate technical, operational, and organizational measures. The minimum list covers risk analysis and information-system security policies, incident handling, business continuity, supply-chain security, network and system security, vulnerability handling and disclosure, basic cyber hygiene and training, cryptography, access control and asset management, and the use of multi-factor authentication. Management bodies must approve those measures and oversee their implementation — and can be held personally accountable for breaches of cybersecurity duties.
Morpheus addresses incident handling, vulnerability handling, and the evidentiary side of governance directly. Attack Path Discovery is the investigation engine. The Cybersecurity Triage Reasoning Graph constrains every reasoning step. The deterministic SOAR runbook underneath produces the artifact a management body can read: every escalation, every approval, every remediation, in plain language, in order.
Article 23 — Incident Reporting
Article 23 sets three deadlines for significant incidents. A 24-hour early warning to the competent CSIRT or authority. A 72-hour incident notification with an initial assessment of severity, impact, and indicators of compromise. A 1-month final report with detailed description, root cause, applied and ongoing mitigations, and cross-border impact. Intermediate status updates may be required on request, and the clocks run from awareness, not from confirmation.
The reporting fields a CSIRT expects at each stage come from the same continuous audit trail Morpheus produces during the investigation. The 24-hour early warning, the 72-hour notification, and the 1-month final report read from one source — not three reconstructions across separate tools.
24-Hour Early Warning
Awareness, indication of significance, suspicion of malicious cause, and any cross-border impact. Morpheus surfaces these from the L2 investigation that completed in under two minutes — not from a forensic effort that begins after the alarm.
72-Hour Notification
Severity, impact assessment, and indicators of compromise. The Morpheus trail records the IOCs that Attack Path Discovery surfaced, the systems within blast radius, and the analyst approvals against each command-risk tier.
1-Month Final Report
Detailed description, root cause, applied and ongoing mitigations, and cross-border impact. The trail is the report’s spine. Morpheus exports it in a format the CSIRT, the management body, and external counsel can all read.
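As an added illustration (not Morpheus code and not from the page's author), the three Article 23 stages as a small Python model: it computes the deadlines from an awareness timestamp, folds one chronological trail into each stage's required fields, and reports which fields are still missing before each clock runs out. The trail events and field names are constructed assumptions; the final report is counted one month after the 72-hour notification is submitted, as Article 23(4)(d) specifies.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
STAGE_FIELDS = {  # Article 23(4) fields per stage, as summarised above (assumed field names)
    "early_warning": {"suspected_malicious_cause", "cross_border_impact"},
    "notification": {"severity", "impact", "indicators_of_compromise"},
    "final_report": {"description", "root_cause", "mitigations", "cross_border_impact"},
}

@dataclass
class TrailEvent:
    when: datetime  # UTC time of the step
    actor: str      # "system", "ai" or an analyst
    action: str     # what happened, in plain language
    facts: dict     # reporting fields this step established

def plus_one_month(t):
    """Same day next calendar month, clamping the day (31 Jan -> 28/29 Feb)."""
    y, m = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=y, month=m, day=min(t.day, calendar.monthrange(y, m)[1]))

def deadlines(awareness, notification_submitted=None):
    """24h and 72h run from awareness; final report one month after the 72h notification."""
    d = {"early_warning": awareness + timedelta(hours=24),
         "notification": awareness + timedelta(hours=72)}
    if notification_submitted is not None:
        d["final_report"] = plus_one_month(notification_submitted)
    return d

def stage_report(stage, trail, cutoff):
    """Fold the trail up to cutoff into one stage's fields; return (fields, missing)."""
    facts = {}
    for ev in sorted(trail, key=lambda e: e.when):  # chronological: later steps refine earlier ones
        if ev.when <= cutoff:
            facts.update(ev.facts)
    fields = {k: v for k, v in facts.items() if k in STAGE_FIELDS[stage]}
    return fields, STAGE_FIELDS[stage] - set(fields)

def sample_trail():
    """Constructed trail for a fictitious incident (not real data); returns (awareness, events)."""
    t0 = datetime(2025, 3, 1, 8, 0, tzinfo=timezone.utc)
    at = lambda **kw: t0 + timedelta(**kw)
    return t0, [
        TrailEvent(at(minutes=1), "system", "L1 triage: classified as credential abuse", {"suspected_malicious_cause": True}),
        TrailEvent(at(minutes=2), "ai", "L2 investigation: IOCs and blast radius", {"indicators_of_compromise": ["198.51.100.7"], "impact": "2 hosts, 1 admin account"}),
        TrailEvent(at(hours=1), "analyst", "approved containment", {"severity": "high", "cross_border_impact": False}),
        TrailEvent(at(days=5), "analyst", "root-cause analysis closed", {"description": "phished admin credential", "root_cause": "no MFA on legacy VPN"}),
        TrailEvent(at(days=12), "system", "remediation verified", {"mitigations": "MFA enforced, credential rotated"}),
    ]
```

Running `stage_report("final_report", ...)` at the 72-hour cutoff shows which final-report fields the trail has not yet established, which is the gap a SOC wants to see while the one-month clock is still running.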
Beyond Compliance: How the Same Trail Serves Other Stakeholders
The audit trail Morpheus produces for NIS2 compliance is the same trail your organization can rely on outside the regulatory context.
Legal review. Litigation discovery, internal investigations, and external counsel review all need a defensible record of who did what, when, and why. The Morpheus trail surfaces every system action, every AI decision, every analyst approval — chronologically ordered, immutable, exportable.
Executive and board oversight. Audit committees, risk committees, and the C-suite increasingly want documented evidence of how cybersecurity decisions get made. The Morpheus trail produces the artifact: every escalation, every approval, every remediation — readable by a non-SOC stakeholder.
MSSP customer reporting. If your organization works with an MSSP partner running Morpheus across your tenant, the trail is the artifact your MSSP shares with you as proof-of-investigation. The same trail your regulator reads is the trail you receive from your service provider.
The architecture is the same in every case. The audience changes; the artifact does not.
Further reading: Mythos & NIS2 EU Compliance whitepaper.
NIS2 — Common Questions
Ten questions from regulated buyers, MSSP partners, and counsel preparing for Article 23 reporting.
What is the NIS2 Directive and which organizations does it apply to?
NIS2 (Directive (EU) 2022/2555) raises the EU-wide baseline for cybersecurity. It applies to essential and important entities across 18 sectors — energy, transport, banking, financial-market infrastructure, healthcare, drinking water, digital infrastructure, ICT service management, public administration, space, postal and courier services, waste management, chemicals, food, manufacturing of critical products, digital providers, research, and managed-service providers. Member states transposed NIS2 into national law by 17 October 2024.
What does NIS2 Article 21 require?
Article 21 obliges essential and important entities to take appropriate and proportionate technical, operational, and organizational measures. The minimum measures include risk analysis and information-system security policies, incident handling, business continuity, supply-chain security, network and system security, vulnerability handling, basic cyber hygiene and training, cryptography, access control and asset management, and multi-factor authentication. Management bodies must approve those measures and oversee their implementation.
What does NIS2 Article 23 require for incident reporting?
Article 23 sets a three-stage reporting clock for significant incidents. A 24-hour early warning to the competent CSIRT or authority. A 72-hour incident notification with an initial assessment of severity and impact, and indicators of compromise. A 1-month final report with a detailed description, root cause, applied and ongoing mitigations, and cross-border impact. Intermediate status updates may be required on request.
How does D3 Morpheus help meet the 24-hour NIS2 early-warning requirement?
Morpheus triages every alert at L1 and keeps going to L2 deep investigation, with up to 95% of alerts triaged and L2-investigated in under two minutes. When the investigation indicates a significant incident, the same audit trail is the artifact your SOC and counsel use to draft the 24-hour early warning. Every system action, every AI decision, and every analyst approval is recorded in chronological order — the early-warning fields populate from a single source.
How does Morpheus produce the audit trail NIS2 supervisors expect?
Morpheus runs bounded reasoning inside deterministic governance. The Cybersecurity Triage Reasoning Graph constrains every reasoning step, and the deterministic SOAR runbook underneath produces one continuous, signed audit trail per incident across all four autonomy levels. The trail is immutable, exportable, and readable by a non-SOC stakeholder. The same artifact produces evidence for the 24-hour, 72-hour, and 1-month obligations under Article 23. See how the Agentic Task primitive bounds every reasoning step.
Can Morpheus support BSI C5 alongside NIS2 for DACH organizations?
Yes. The Morpheus audit trail maps to NIS2 evidence demands and the BSI C5 cloud-control catalog (DACH alignment) from the same artifact. Regulated buyers in Germany, Austria, and Switzerland stay at Levels 1 through 3 of the four-level autonomy model; the trail format does not change between levels. MSSP partners running Level 4 across their tenant book produce the same trail.
How does Morpheus handle the Article 21 governance and accountability requirement?
Article 21 requires that management bodies approve cybersecurity risk-management measures and supervise their implementation. Morpheus produces evidence at that altitude: every escalation, every approval, every remediation is recorded in plain language, suitable for an audit committee or risk committee. The four-level autonomy model lets the management body bound where AI may act independently and where a human must approve. The audit trail records which mode was active at every step.
Does Morpheus replace our SIEM, or work beside it?
Morpheus runs beside any SIEM — Microsoft Sentinel, Splunk, IBM QRadar, Google Chronicle, Elastic, and others — through Self-Healing Integrations across 800+ vendor connections. Attack Path Discovery traces incidents East-West across the stack (identities, endpoints, cloud, and email infrastructure) and reaches back 90 days of telemetry. Your SIEM stays your SIEM; Morpheus is the investigation and response layer that produces the NIS2 trail on top of it.
What are the supervisory powers and penalties under NIS2?
Competent authorities have on-site inspection powers, audit rights, the ability to require evidence of compliance with Article 21 measures, and the ability to require notification of affected recipients of services. Administrative fines for essential entities reach up to €10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities, up to €7 million or 1.4% of turnover. Management bodies of essential entities can be held personally accountable for breaches of cybersecurity duties.
How is Morpheus priced for organizations scoped under NIS2?
Morpheus is sold as an annual platform subscription sized to your SOC, with included AI investigation capacity designed for normal operations. The same trail format ships across all four autonomy levels and across MSSP multi-tenant deployments, so a regulated buyer’s artifact does not change as the SOC scales or as the autonomy level changes. Your specific agreement will confirm the commercial terms that apply to your deployment.
See the NIS2 audit trail Morpheus produces — one artifact, three deadlines.
Walk through a live incident with one of our solution engineers. We will show the 24-hour, 72-hour, and 1-month fields, populated from one continuous trail.