KUBERNETES COMPLIANCE
FOR AUDITORS,
NOT ENGINEERS.

k8s-eu-audit scans your Kubernetes clusters and maps findings directly
to NIS2 Article 21 and DORA ICT Risk requirements —
producing reports your auditors can actually read.

OPEN SOURCE · APACHE 2.0 · ZERO TELEMETRY


THREE TOOLS.
ZERO ANSWERS FOR AUDITORS.

Existing K8s security tools (Kubescape, Trivy, kube-bench) produce
raw JSON output for engineers — not compliance reports for auditors.
GRC platforms (Vanta, Drata, ServiceNow) don't touch infrastructure.
Their "Kubernetes coverage" is surface-level API checks only.
No product combines deep K8s scanning with native NIS2/DORA mapping
and reports designed for auditors. Until now.

~160,000 EU entities subject to NIS2 — fines up to €10M

22,000+ financial entities under DORA since January 2025

80% of organisations run Kubernetes in production (CNCF 2024)


ONE COMMAND.
THREE SCANNERS.
EU-MAPPED OUTPUT.

k8s-eu-audit orchestrates Kubescape, Trivy, and kube-bench —
then normalises their output into a unified NIS2 / DORA compliance view.
Works with any subset of scanners installed.
A missing scanner is a warning, not a failure.
→ READ-ONLY — never modifies cluster resources
→ OFFLINE CAPABLE — mappings embedded in the binary
→ CI/CD READY — --fail-on 70 exits non-zero if score drops below threshold
→ ZERO TELEMETRY — no phone-home, no analytics
→ EXTENSIBLE — new framework = new YAML file, no code changes
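To make the orchestration model above concrete, here is an added Go sketch of my own (not code from k8s-eu-audit): it skips controls whose scanner is absent with a warning rather than a failure, rolls individual check results up to NIS2 articles, and applies a --fail-on style threshold. The mapping entries, check IDs, scoring rule and sample findings are constructed assumptions, not the project's real mapping files.

```go
package main

import "fmt"

// Control ties one scanner check ID to a framework article (constructed sample; placeholder check IDs).
type Control struct{ Scanner, CheckID, Article, Severity string }

var NIS2 = []Control{
	{"kube-bench", "CHECK-A", "21.2(b)", "CRITICAL"},
	{"kubescape", "CHECK-B", "21.2(e)", "HIGH"},
	{"trivy", "CHECK-C", "21.2(d)", "CRITICAL"},
}

// Score evaluates the mapping against findings keyed "scanner:checkID" -> passed.
// A control whose scanner is not installed is skipped with a warning, not failed;
// one with no finding counts as failed (no evidence). Returns pass %, per-article verdict, skipped.
func Score(mapping []Control, installed, findings map[string]bool) (float64, map[string]bool, int) {
	byArticle, evaluated, passed, skipped := map[string]bool{}, 0, 0, 0
	for _, c := range mapping {
		if !installed[c.Scanner] {
			fmt.Printf("warning: %s not installed, skipping %s (%s)\n", c.Scanner, c.CheckID, c.Article)
			skipped++
			continue
		}
		ok := findings[c.Scanner+":"+c.CheckID]
		prev, seen := byArticle[c.Article]
		byArticle[c.Article] = ok && (!seen || prev) // an article passes only if all its checks pass
		evaluated++
		if ok {
			passed++
		}
	}
	if evaluated == 0 {
		return 0, byArticle, skipped
	}
	return 100 * float64(passed) / float64(evaluated), byArticle, skipped
}

// Fail is the --fail-on gate: true when the score is below the threshold (exit non-zero in CI).
func Fail(score, failOn float64) bool { return score < failOn }

func main() {
	// Constructed inputs: trivy absent, one passing and one failing check.
	// A real run would probe PATH for each scanner and parse its JSON output.
	installed := map[string]bool{"kubescape": true, "kube-bench": true}
	findings := map[string]bool{"kube-bench:CHECK-A": true, "kubescape:CHECK-B": false}
	score, arts, skipped := Score(NIS2, installed, findings)
	fmt.Printf("score %.0f%%, skipped %d, articles %v, fail-on 70: %v\n", score, skipped, arts, Fail(score, 70))
}
```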

NIS2 & DORA.
MAPPED TO REAL K8S CONTROLS.

NIS2 — Article 21 (10 controls)
21.2(a) Risk analysis & information system security policies HIGH
21.2(b) Incident handling & audit logging CRITICAL
21.2(c) Business continuity & crisis management (PDB) HIGH
21.2(d) Supply chain security & image provenance CRITICAL
21.2(e) Network security & network policies HIGH
21.2(f) Vulnerability handling & CVE disclosure HIGH
21.2(g) Effectiveness assessment & CIS scoring MEDIUM
21.2(h) Cyber hygiene & RBAC basics MEDIUM
21.2(i) Access control, RBAC & asset management HIGH
21.2(j) MFA & continuous authentication controls CRITICAL
Each article is mapped to concrete Kubescape, Trivy, and kube-bench check IDs.
Auditors see articles. Engineers see check IDs. Both get what they need.


DORA — ICT Risk Management (5 pillars)
Art. 9 ICT risk management framework CRITICAL
Art. 10 ICT-related incident management CRITICAL
Art. 11 Digital operational resilience testing HIGH
Art. 28 ICT third-party risk management HIGH
Art. 30 Contractual arrangements & supply chain MEDIUM
Applies to banks, insurers, payment processors, investment firms,
and their ICT providers. Luxembourg alone has 127 banks in scope.

Good fit if you are:

→ A compliance consultancy auditing Kubernetes environments
→ A regulated organisation under NIS2 or DORA
→ A CISO preparing for an external audit
→ An auditor who needs defensible, structured evidence
→ A DevOps team that needs to speak compliance to leadership

Not a fit if you want:

✗ A SIEM or real-time threat detection platform
✗ A full GRC document management system
✗ A replacement for Kubescape or Trivy (we use them)
✗ A managed security service or body leasing

6 YEARS. 300 CLUSTERS.
EU-SCALE GOVERNANCE.

Built by a contractor who operated Kubernetes at European Commission scale —
300 clusters under strict EU security governance and formal audit requirements.
Contracting experience across regulated institutions: CSSF (Luxembourg financial
regulator), Mastercard, and CompuGroup Medical. The NIS2/DORA mappings reflect
how EU regulators actually examine infrastructure - not how vendors interpret
compliance from a distance.
Security Clearance: Secret (NATO, ESA, EU)

INSTALL IN 60 SECONDS.

# Quick install
curl -sSL https://raw.githubusercontent.com/LetzCodeLuxembourg/k8s-eu-audit/main/scripts/install.sh | sh
# Scan under NIS2
k8s-eu-audit scan --framework nis2
# Generate HTML audit report
k8s-eu-audit scan --framework nis2 -o report.html
# CI/CD gate — fail if score < 70%
k8s-eu-audit scan --framework nis2 --fail-on 70

13 Rue de Peppange
3378 Livange Roeser, Luxembourg
VAT / Numéro TVA LU32093804
[email protected]