The entry into force of the European directive NIS 2 (Network and Information Security) marks a historic turning point for cybersecurity in Europe. Unlike the first version, which only targeted operators of vital infrastructure, NIS 2 considerably broadens its scope. Now, thousands of SMEs, mid-sized companies and managed service providers (MSSPs) fall into the category of “Essential” or “Important Entities”.
Among the key obligations of this legislation is the requirement to implement incident management measures and to ensure impeccable traceability of all corrective actions undertaken on the network. For companies and their cyber service providers, understanding how to audit these actions is no longer optional: it is a legal constraint, backed by heavy financial penalties.
NIS 2 incident management requirements
The NIS 2 directive requires a proactive and documented approach to cyber defense. It is no longer enough to block an attack in the background; you must be able to prove how you blocked it, when the action was taken, and who authorized this intervention.
Article 21 of the Directive explicitly states that entities must have incident response capabilities that are appropriate and proportionate to the risks. In the event of an audit by national authorities (such as ANSSI in France or BSI in Germany), the company must be able to provide detailed audit logs of the supervision infrastructure. If your security operations center (SOC) or orchestrator (SOAR) executes emergency commands without maintaining immutable and accountable records, your organization is out of compliance.
The accountability challenge for MSSPs and internal SOCs
For a cyber service provider (MSSP) that administers the Microsoft Security tenants of dozens of clients, or for an internal IT team managing a fleet of mid-sized companies, the main audit pitfall is the lack of real accountability.
In many home-grown architectures, remediation scripts or IT ticketing tools use a unified generic service account (a "shadow account") to call Microsoft Graph APIs. When a machine is isolated from the network or a user session is revoked, Microsoft's native audit log simply indicates: "Action performed by the SOAR-XYZ application".
In the eyes of a NIS 2 auditor, this traceability is insufficient. The tool is unable to link the technical action to the actual human operator who was in front of their screen and clicked the button. Accountability is broken.
Akuity SOC’s “Compliance by Design” architecture
The orchestrator Akuity SOC was developed in Bavaria according to strict security standards and European regulatory compliance. Its audit log management module (centralized in the configuration file audit.ts) natively resolves the accountability problem required by NIS 2.
1. Automatic context resolution
Whenever an active remediation action is triggered on the platform, whether it is a network isolation of an Intune-managed machine (ISOLATEDEVICE) or a global purge of a phishing email (SOFTDELETE_EMAIL), the backend function logAudit intercepts the request. It parses the Supabase session token (sb-access-token) present in the server request cookies. The system immediately queries the Supabase Auth module to extract the exact email and UUID of the logged-in analyst. The action is thus signed and attributed undeniably to a real human being.
2. The SOC 2 standardized JSON format
The generated audit logs are not simple lines of editable text. They are structured according to a standardized raw JSON schema, written directly to standard output (console.log). This payload records immutably:
- An accurate timestamp in ISO UTC format (timestamp).
- The context of the actor (actor with email and UUID).
- The specific action performed (action).
- The perimeter of the workspace (workspace_id).
- The specific targets impacted (targets such as the PC name or user UPN).
3. Guarantees for background tasks
If an action occurs without a user session token (for example, an automated scheduled cleanup task or a system script), the Akuity engine refuses to leave the field empty. It automatically attributes the event to the institutional actor "System", ensuring that no blind spots exist in the log timeline.
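The three mechanisms above (actor resolution from the sb-access-token cookie, the structured JSON record, and the "System" fallback) can be sketched as follows. This is an added example, not Akuity SOC's own code: the resolver, the record builder, the shape of the "System" actor and the choice to reject a token that does not resolve are all assumptions.

```typescript
// Added illustration, not Akuity SOC's audit.ts. logAudit, sb-access-token, the field
// names and "System" come from the article; every other name here is hypothetical.
interface Actor { email: string; id: string | null }
interface AuditRecord {
  timestamp: string; actor: Actor; action: string; workspace_id: string; targets: string[];
}
// Synchronous stand-in for the Supabase Auth lookup: the user for a token, or null.
type ResolveUser = (token: string) => Actor | null;
// Assumed shape for the fallback actor, kept uniform so consumers see one schema.
const SYSTEM_ACTOR: Actor = { email: "System", id: null };

// Return the value of one cookie from a raw Cookie header, or null if absent.
function readCookie(header: string | undefined, name: string): string | null {
  for (const part of (header ?? "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0 && part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return null;
}

function buildAuditRecord(
  cookieHeader: string | undefined, resolve: ResolveUser,
  action: string, workspaceId: string, targets: string[], now: Date = new Date(),
): AuditRecord {
  const token = readCookie(cookieHeader, "sb-access-token");
  let actor = SYSTEM_ACTOR; // no session token: scheduled or system task
  if (token !== null) {
    const user = resolve(token);
    // A token that is present but does not resolve is not a background task.
    // Failing here keeps expired or forged sessions out of the "System" bucket.
    if (user === null) throw new Error("unresolvable session token");
    actor = user;
  }
  return { timestamp: now.toISOString(), actor, action, workspace_id: workspaceId, targets };
}

// Emit one JSON object per line on stdout and return the line that was written.
function logAudit(record: AuditRecord): string {
  const line = JSON.stringify(record);
  console.log(line);
  return line;
}

// Constructed sample data: one known token mapped to one analyst.
const sampleUsers: Record<string, Actor> = {
  "tok-analyst-1": { email: "analyst@example.com", id: "00000000-0000-4000-8000-000000000001" },
};
const sampleResolve: ResolveUser = (t) => sampleUsers[t] ?? null;
```

The sketch covers attribution only. Whether the emitted lines stay unaltered depends on where stdout is collected and stored.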
Conclusion: Transform constraint into shield
Complying with the NIS 2 directive should not be seen as yet another administrative chore. By adopting a sovereign orchestrator that integrates traceability and accountability deep into its code, you protect your customers and your business. You have an impeccable logbook for your official audits and you strengthen the trust of your business partners.
Bring your SOC operations into compliance with European requirements. Discover our NIS 2 and SOC 2 compliant orchestration platform and secure your audit logs today.