NIS2 evidence pack

Prove your NIS2 supply chain security will survive any disruption.

NIS2 holds your board personally liable for your suppliers’ resilience, and relying on a policy document won’t satisfy an auditor. The NIS2 evidence pack gives you a tested, signed record that your critical software can be recovered.

Tested recovery — not a policy on file.
Codekeeper’s NIS2 Evidence Pack for supply-chain and continuity puts your resilience plan to the test, and maps the results to NIS2’s specific proof requirements.
NIS2 · DORA · ISO 27001 · SOC 2 · FFIEC
One pack, recognized by every framework that asks whether your suppliers can recover.
The old way

A signed DR plan offers an empty promise of recoverability. You need proof.

The usual way to document supplier resilience is with a disaster recovery plan. The problem is that it is normally signed off, filed, and never tested, so no one really knows whether the vendor’s software could be recovered.
Art. 21(2)(d): Managing each direct supplier relationship is your obligation.
Art. 20: Adds personal responsibility for your management.

An untested continuity plan leaves you exposed on both.

A PLAN FILED AND FORGOTTEN
Disaster recovery plan PDF
Signed · 14 Mar 2024
Not tested
Reassuring to file, but useless under audit and recovery pressure.
Why we built it

We put the NIS2 Evidence Pack together because compliance teams kept coming up short during audits.

  • 10+ securing mission-critical and regulated software
  • 3 500+ companies protected
  • ISO 27001 certified
  • 24 hrs to go live

How we package your compliance.

These six capabilities take your supply-chain and continuity plans from theory to hard evidence.

Tested recovery

A real build-and-run test confirms the supplier’s software recovers; the result is recorded in the pack.

Supplier-relationship evidence

Documents the resilience of each direct supplier relationship that NIS2 Article 21(2)(d) brings into scope.

Continuity proof

Captures backups, deposit currency, and recovery procedures for the Article 21(2)(c) continuity measure.

Effectiveness report

A repeatable report proving that your supplier-resilience measures work, aligned to the Article 21(2)(f) requirement.

Software Resilience Certificate

One signed artifact to serve as continuity proof in place of a folder of correspondence.

Always current

Daily automated syncs keep the deposit live, so the evidence reflects the software as it runs today.

How it works

NIS2 ready in three quick steps.


1. Point us at the provider you need to cover.

Connect the repository, or name a deposit you already hold with us.


2. We run the exit test.

We pull the deposit, build it, and confirm it runs — on a schedule that keeps the result current.

Codekeeper Software Resilience Certificate
Provider: Acme Cloud Ltd
Tier: Certified
Recovery test: Passed · 14 Jun 2026
Valid to: 14 Jun 2027
Authorized · Codekeeper
Verified

3. The evidence lands in your dashboard.

The signed certificate and test results — dated and ready for review. Your Article 28 obligation now rests on a proven plan.

Set up in a day. From there, the pack stays current on its own.


These companies’ systems are protected, compliant, and resilient.

They made the decision. They built their resilience. They have peace of mind. You can too.
“We’ve had a great experience with CodeKeeper. The setup process was smooth, and the team made everything very straightforward. Knowing our critical software assets are securely protected gives us real peace of mind. Their support has been responsive and professional, and the overall service has been reliable and easy to work with. Highly recommended.”

Jordan Adler

“We worked with Codekeeper as our escrow provider for major enterprise deployments and found them to be extremely professional, responsive, and flexible throughout.
I'd highly recommend Codekeeper. They clearly understand the realities of working with growing tech businesses and enterprise customers alike.”

Ross Kilshaw

“I found Codekeeper's solution excellent for what I need. I scheduled a demo to better understand the possibilities. Very easy! It was a clear and straightforward meeting, focused exactly on what I needed. Excellent service!”

Thiago Mendes

Framework mapping

One round of tested evidence repackaged for all your frameworks.

Test once, document once. The same pack answers NIS2, DORA, ISO 27001, SOC 2, and FFIEC.
  • NIS2 — Art. 21(2)(c): Tested backup, disaster recovery, and supplier-relationship evidence.
  • FFIEC — NIST CSF 2.0: Third-party recovery mapped to the Recover function.
  • DORA — Art. 28 / Arts. 24–25: Supplier resilience evidence for the ICT register of information.
  • ISO 27001 — A.5.30: ICT readiness for continuity, tested and documented.
  • SOC 2 — CC9: Subservice organization and vendor continuity evidence.
What's at stake

Have the proof ready, or build it under audit pressure.

Without it

  • Regulators find the gaps before you do.
  • Under Article 20, your management body is on the hook: authorities can ban individuals from their roles and publish their names for all to see.
€10M or 2% of global annual turnover, whichever is higher

With the evidence pack

  • Recovery tested, certificate signed, file ready before anyone asks.
  • Compliant with Article 21 — and sure the evidence holds if a supplier fails.
  • One pack also answers DORA, ISO 27001, and SOC 2.
Sample pack

Peek at what you get with the pack before you decide.

The redacted sample shows the certificate, a recovery-test result, and the supplier-resilience summary. See exactly what your auditor would see.
Get early access to the NIS2 Evidence Pack

We’ll send the sample pack and your early-access invite.

Suppliers won’t warn you before they fail. Don’t put your compliance on the line.

Pulling untested supply-chain evidence together under audit pressure is a recipe for non-compliance — by then it’s too late. The NIS2 Evidence Pack puts a tested, signed record in place before a supervisor weighs your continuity against Article 21's obligations.

Frequently asked questions

What is the NIS2 supply chain security evidence pack?
A documented set of evidence — a Software Resilience Certificate, recovery-test results, and supplier-resilience and continuity records — that proves your critical software suppliers can be recovered, mapped to NIS2 Article 21. It covers the supply-chain measure (21(2)(d)) and the business-continuity measure (21(2)(c)).
What does NIS2 require for supply chain security?
Article 21(2)(d) requires in-scope entities to manage the security of their direct supplier and service-provider relationships, including each supplier’s vulnerabilities and security practices. Article 20 makes management bodies responsible for approving and overseeing those measures.
How often does the recovery test need to be redone?
Article 21 expects your measures to be tested regularly and reviewed after any significant change, and a test only proves recovery as of the day it ran. Suppliers ship new versions constantly, so a result from last year may no longer reflect the software you actually depend on. Codekeeper can rerun the build-and-run test on a set schedule (annual, bi-annual, it's your choice) and keeps the deposit current with daily syncs, so the evidence stays true to the software as it runs today.
How is this different from a traditional escrow agreement?
A traditional agreement states recovery is possible. This pack proves it — with a real build-and-run test result and deposit-currency checks. 90% of traditional, untested deposits fail when tested; the pack is the testing and documentation that closes that gap.
Which regulations does this cover?
NIS2 primarily — Article 21(2)(c), (d), and (f). The same evidence maps to DORA third-party ICT risk, the CRA, ISO 27001 supplier-security controls, and SOC 2.
I’m a supplier to a NIS2-regulated company. Does this help me?
Yes. NIS2 obligations flow down through customer contracts to suppliers who aren’t directly in scope. The pack gives you proof of your own resilience to hand to NIS2-regulated customers, so their supply-chain due diligence doesn’t stall your deals.