NIS2 and certificate management

sslbrain supports compliance with NIS2 Article 21 through documented, monitored, self-healing certificate processes, an immutable audit log, and evidence export ready for your auditor.

NIS2 Article 21: how sslbrain covers the requirements

This table maps the NIS2 Article 21 controls that touch cryptographic infrastructure to concrete sslbrain features. sslbrain supports compliance; it does not replace your overall ISMS.

NIS2 control | sslbrain feature
Risk analysis and information system security policies | Policy Management with pre-seeded templates, immutable audit log, documented renewal and remediation plans.
Incident handling | Notification relay with escalation, retry logic for renewals, audit log with full event history for the auditor.
Cryptography and encryption | Auto DNS, Auto DNS+, ACME automation, policy enforcement of TLS protocols, cipher suites, and key types.
Access control and RBAC | 10 RBAC users from Pro, AD/LDAP integration on Pro+, separate permissions for view, administration, and key access.
Asset management | Endpoint discovery, certificate inventory, ARI-aware expiry tracking, central view of all managed endpoints.
Supply-chain security | Module signing, agent inspectability, source-available appliance code, signed component distribution from sslbrain Cloud.
Audit logs | Immutable audit log, JSON and CEF SIEM export, evidence bundles ready for the auditor, configurable retention per account.

sslbrain supports compliance with the controls listed above. NIS2 compliance is contextual and determined by your overall control environment and supervisory authority.

Sample audit log line

sslbrain writes every event to an immutable audit log that can be exported to SIEM. Both formats below come from the same event.

JSON
{
  "ts": "2026-04-27T14:32:11Z",
  "event": "cert_rotated",
  "user": "alice@example.dk",
  "policy": "Mozilla Modern Required",
  "endpoint": "lb-prod-01.example.dk",
  "cert_subject": "CN=app.example.dk",
  "ca": "Let's Encrypt",
  "outcome": "success",
  "audit_id": "01HZ8N9JK..."
}

Sample audit log line, ready for SIEM import.

CEF
CEF:0|sslbrain|appliance|<version>|cert_rotated|Certificate rotated|3|src=alice@example.dk dst=lb-prod-01.example.dk msg=Mozilla Modern Required ca=LetsEncrypt outcome=success

The same event in CEF format for ArcSight, Splunk, Sentinel, and Elastic. The ca and outcome keys are product-specific extension fields rather than entries in the standard CEF dictionary, so map them explicitly in your SIEM's CEF parser.
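To check that a SIEM pipeline really sees one event in both formats, the following added example converts the JSON line above to a CEF:0 record with correct header and extension escaping, parses the CEF record back, and runs a small detection pass over a batch of records. It is not sslbrain's code: the field mapping (ts to rt, user to src, endpoint to dst, policy to msg, cert_subject to cs1/cs1Label, audit_id to externalId), the severity values and the second, failed event are assumptions modelled on the two sample lines.

```python
"""Round-trip an sslbrain-style audit event between JSON and CEF, and flag failures.

Added example, not sslbrain's code. The field mapping (ts -> rt, user -> src,
endpoint -> dst, policy -> msg, cert_subject -> cs1/cs1Label, audit_id -> externalId)
and the severity values are assumptions modelled on the two sample lines above.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample event, same shape as the page's JSON example.
SAMPLE_EVENT = {
    "ts": "2026-04-27T14:32:11Z", "event": "cert_rotated",
    "user": "alice@example.dk", "policy": "Mozilla Modern Required",
    "endpoint": "lb-prod-01.example.dk", "cert_subject": "CN=app.example.dk",
    "ca": "Let's Encrypt", "outcome": "success", "audit_id": "01HZ8N9JK...",
}
SAMPLE_JSON = json.dumps(SAMPLE_EVENT)

SEVERITY = {"success": 3, "failure": 7}         # assumed mapping onto CEF 0-10
NAMES = {"cert_rotated": "Certificate rotated",  # human-readable CEF "name" field
         "renewal_failed": "Renewal failed"}

def _esc_header(s):
    # CEF header fields: backslash and pipe must be escaped.
    return s.replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(s):
    # CEF extension values: backslash, '=' and line breaks must be escaped.
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))

def _unesc_ext(s):
    return re.sub(r"\\(.)", lambda m: {"r": "\r", "n": "\n"}.get(m.group(1), m.group(1)), s)

def json_to_cef(line, version="1.0"):
    """Serialise one JSON audit line as a CEF:0 record."""
    ev = json.loads(line)
    ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    header = ["CEF:0", "sslbrain", "appliance", version, ev["event"],
              NAMES.get(ev["event"], ev["event"]), str(SEVERITY.get(ev["outcome"], 5))]
    ext = [("rt", str(int(ts.timestamp() * 1000))),  # rt is epoch milliseconds
           ("src", ev["user"]), ("dst", ev["endpoint"]), ("msg", ev["policy"]),
           ("cs1Label", "cert_subject"), ("cs1", ev["cert_subject"]),
           ("ca", ev["ca"]), ("outcome", ev["outcome"]), ("externalId", ev["audit_id"])]
    return ("|".join(_esc_header(h) for h in header) + "|"
            + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext))

# key=value pairs; values may contain spaces, so stop only before the next " key=".
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)")

def _split_header(line):
    """Split the seven header fields on unescaped '|'; return them and the extension."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            buf.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    return fields, line[i:]

def cef_to_event(cef):
    """Parse a CEF:0 record produced by json_to_cef back into the JSON field names."""
    fields, ext_str = _split_header(cef)
    if len(fields) != 7 or fields[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    ext = {k: _unesc_ext(v) for k, v in _EXT_RE.findall(ext_str)}
    ts = datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc)
    return {"ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "event": fields[4],
            "user": ext["src"], "policy": ext["msg"], "endpoint": ext["dst"],
            "cert_subject": ext["cs1"], "ca": ext["ca"], "outcome": ext["outcome"],
            "audit_id": ext["externalId"]}

def failed_events(cef_lines):
    """Detection pass: (audit_id, endpoint, event) for every non-success outcome."""
    return [(e["audit_id"], e["endpoint"], e["event"])
            for e in map(cef_to_event, cef_lines) if e["outcome"] != "success"]

# Constructed failure event for the detection pass (the id is made up for the example).
FAILED_CEF = json_to_cef(json.dumps({**SAMPLE_EVENT, "event": "renewal_failed",
                                     "outcome": "failure", "audit_id": "constructed-0002"}))

if __name__ == "__main__":
    print(json_to_cef(SAMPLE_JSON))
    print(failed_events([json_to_cef(SAMPLE_JSON), FAILED_CEF]))
```

The escaping rules are the part worth keeping: a certificate subject such as CN=app.example.dk contains an equals sign, which must be written as `\=` in the extension or the next parser will split the subject into a new key, and the header splitter has to honour `\|` rather than splitting on every pipe. The parser stops a value only at the next " key=" boundary, which is why a policy name containing spaces survives in msg.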

One-click audit-evidence export for your auditor

Assemble an evidence bundle for a chosen time range in one click. The bundle contains audit log, certificate events, policy evaluations, and deployment history as JSON, CEF, and CSV, plus a human-readable summary. Per-account retention is configurable to match your audit cycle.

What sslbrain provides

sslbrain is not compliance software. It is a certificate management tool that supports compliance with the requirements NIS2 places on cryptographic infrastructure.

Documented processes

Every certificate operation is recorded in an immutable audit log with timestamp, user, and outcome. Renewal plans live in the system, not in a script on someone's machine.

Monitoring and alerts

Dashboard with real-time status on every certificate. Notifications on failure, expiry, and unexpected behaviour. No silent failures.

Self-healing automation

Automatic renewal with retry logic and escalation. When a renewal fails, sslbrain retries and alerts the administrator.

Role-based access

RBAC with separate permissions for view, administration, and key management. Every action is traceable to a specific user.

Encrypted vault

Private keys live in an encrypted vault. Key material is never available in cleartext on disk.

Source-available code

sslbrain is source-available. The code can be inspected, reviewed, and assessed by your organisation or a third party.

Frequently asked questions

Which NIS2 Article 21 controls does sslbrain support?

sslbrain supports compliance with controls related to cryptography, incident handling, access control, asset management, supply-chain security, audit logging, and documented processes. It is concrete support for risk management, not a certification.

How long is the audit log retained?

The audit log is immutable and retained for the lifetime of the appliance database and backup volume. A configurable per-account minimum retention covers NIS2-relevant audit cycles. SIEM export provides additional long-term retention outside sslbrain.

Which SIEM formats are supported?

The audit log exports as JSON, CEF, or CSV. Each line carries timestamp, event type, actor, target, policy, CA, outcome, and a unique audit id.

How does evidence export for auditors work?

A single click in the UI assembles an evidence bundle for a chosen time range. The bundle contains audit log, certificate events, policy evaluations, and deployment history as JSON, CEF, and CSV, plus a human-readable summary.

What does sslbrain not cover for NIS2?

sslbrain covers the cryptographic control surface around TLS certificates and their lifecycle. It is not a full ISMS platform. NIS2 compliance requires multiple controls across your organisation; sslbrain provides one concrete control for the part of the risk picture that concerns TLS.

Get started with sslbrain

Join the list for Community or a paid edition. We'll be in touch the moment your edition is ready.