Continuous control monitoring (CCM) is the practice of collecting, evaluating and recording compliance evidence from live systems on an automated, ongoing basis, rather than assembling that evidence manually at scheduled audit intervals. For European organisations operating under NIS-2, DORA and GDPR, the shift from point-in-time snapshots to CCM is no longer a best-practice recommendation; it is a practical necessity driven directly by the language of the regulations themselves. Deploying that monitoring stack on sovereign, non-US-controlled infrastructure adds a further layer of assurance: the compliance artefacts themselves never enter a jurisdiction where foreign law enforcement can compel disclosure.
Point-in-Time Audits Versus Continuous Control Monitoring
The difference between the two approaches is not merely operational; it is evidentiary. A point-in-time audit produces a photograph of your control environment on a specific date. CCM produces a continuous video feed with a tamper-evident timestamp on every frame.
Annual penetration tests and ISO 27001 certification audits demonstrate that controls existed and appeared effective on the day of assessment. They say nothing about the eleven months between reviews. A firewall rule change, a misconfigured backup job or a revoked certificate can open a material gap the day after the auditor leaves, and that gap will remain invisible until the next scheduled review.
NIS-2 Article 21 requires entities to adopt “appropriate and proportionate technical and organisational measures” and mandates ongoing monitoring as part of those measures. The NIS-2 Implementing Regulation (EU) 2024/2690, which entered into force in January 2025, specifies the technical and methodological requirements in detail, explicitly requiring monitoring of networks, systems and anomalous behaviour on a continuous basis. DORA Articles 5 through 16 establish a comprehensive ICT risk management framework for financial entities, and Article 8 specifically requires “continuous monitoring” of ICT systems, processes and tools. GDPR Article 32 requires organisations to implement measures ensuring “ongoing confidentiality, integrity, availability and resilience,” with the European Data Protection Board having noted in its guidance that supervisory authorities expect organisations to demonstrate sustained effectiveness, not a once-a-year snapshot.
According to the IBM Cost of a Data Breach Report 2024, the average cost of a data breach globally reached USD 4.88 million, the highest figure in the report’s history. The same report found that organisations with extensive use of security AI and automation saved an average of USD 2.22 million per breach compared to those without such capabilities (IBM, 2024). These figures give financial weight to the operational argument for automated, continuous monitoring.
Sovereign GRC Infrastructure: Keeping Compliance Data in Jurisdiction
Deploying compliance automation on sovereign infrastructure means that the monitoring stack, the evidence repository and the GRC platform itself are hosted in a jurisdiction where foreign law cannot compel disclosure.
Many regulated organisations currently rely on US-controlled SaaS compliance tools, including products from ServiceNow, OneTrust or Microsoft Purview. Each of these platforms is subject to the US CLOUD Act of 2018 and FISA Section 702, meaning that US law enforcement can in principle compel the provider to disclose customer data, including audit logs and compliance evidence, without notifying the data subject or the customer’s home supervisory authority. Routing your NIS-2 or DORA compliance telemetry through such a platform creates a jurisdictional exposure that the platform itself cannot contractually eliminate.
The alternative is a self-hosted GRC stack deployed on infrastructure that is physically and legally outside US reach. Switzerland is the preferred jurisdiction for many European regulated entities: it sits outside the EU but holds an EU adequacy decision under GDPR, and the revised Swiss Federal Act on Data Protection (revFADP), in force since September 2023, provides a robust domestic framework. Swiss providers are not subject to the CLOUD Act or FISA 702, making a Swiss-hosted evidence repository structurally inaccessible to US law enforcement.
Open-source GRC platforms deployable in this configuration include Eramba (a PHP-based GRC tool with risk registers, control libraries and evidence workflows) and self-hosted combinations of OpenCRE for control mapping, Wazuh for SIEM and log collection, and Nextcloud for document and evidence storage. Evidence is collected from Nextcloud audit logs, the identity provider (for access control attestation), backup platform logs (for DORA Article 12 and NIS-2 backup obligations) and the SIEM, all within the same sovereign environment, without any telemetry leaving for external SaaS endpoints.
IBM’s 2023 Cost of a Data Breach Report found that 45 percent of breaches involved data stored in the cloud, reinforcing why the location and legal status of the compliance data store matters as much as the primary data store (IBM, 2023).
Machine-Readable Control Frameworks and Automated Gap Detection
Automated gap detection requires control frameworks expressed in a format that software can parse, compare and evaluate against live system state.
NIST OSCAL (Open Security Controls Assessment Language) provides exactly this capability. OSCAL is a set of JSON and XML schemas published by NIST that represent control catalogues, system security plans and assessment results in a standardised, machine-readable form. By encoding your control library in OSCAL, you can map it simultaneously to NIST SP 800-53 Rev. 5 controls, BSI C5:2020 (the German Federal Office for Information Security’s Cloud Computing Compliance Controls Catalogue) and ISO/IEC 27001:2022 Annex A controls. From that unified representation, automated tooling can evaluate which controls are required by NIS-2 Implementing Regulation 2024/2690 and the DORA RTS on ICT risk management, identify gaps, and track remediation status without human rekeying.
| Framework | Scope | Machine-readable format | Relevant mapping target |
|---|---|---|---|
| NIST SP 800-53 Rev. 5 (OSCAL) | Comprehensive US federal control catalogue | OSCAL JSON/XML | DORA RTS technical measures, NIS-2 Art. 21 |
| BSI C5:2020 | Cloud-specific controls, widely used in DACH region | Spreadsheet / OSCAL community mappings | NIS-2 Implementing Regulation 2024/2690 |
| ISO/IEC 27001:2022 Annex A | International ISMS control reference | OSCAL community mappings | GDPR Art. 32, NIS-2 Art. 21, DORA Art. 9 |
A Single Control, Multiple Obligations: Structuring the Unified Control Library
The most efficient compliance architecture maps each technical control to all the regulatory obligations it satisfies, so that one evidence artefact closes multiple audit findings simultaneously.
Consider immutable backup logs stored in the same Swiss data centre as the primary operational data. This single configuration satisfies at least three distinct regulatory obligations: NIS-2 Article 21(2)(c) requires backup management and recovery; DORA Article 12 mandates backup policies, recovery testing and documented restoration procedures; and GDPR Article 32(1)(b) requires measures to ensure the ongoing integrity and availability of processing systems. If the backup job produces a signed, time-stamped log entry that is stored in an append-only object store within the sovereign environment, that one artefact, pointing to one system, can be cited in the NIS-2 evidence file, the DORA ICT risk register and the GDPR Article 32 technical measures record. Auditors across all three frameworks receive the same underlying evidence, with only the regulatory citation changing.
Policy-as-Code and Infrastructure-as-Code Scanning in the CCM Pipeline
Configuration drift is one of the most common sources of control failure in cloud and hybrid environments. A control that passes an annual audit can be silently broken by a routine infrastructure change the following week.
Infrastructure-as-code (IaC) scanning tools such as Checkov, Trivy or KICS evaluate Terraform, Helm and Ansible manifests against security policy rules before deployment, catching misconfigurations at the point of change rather than after the fact. When integrated into a CI/CD pipeline, every proposed infrastructure change produces a compliance check result that is automatically stored in the evidence repository.
Open Policy Agent (OPA), a CNCF project, extends this principle to runtime. OPA evaluates policy rules written in the Rego language against live infrastructure state, including Kubernetes admission requests, API gateway decisions and infrastructure plan outputs. Each evaluation produces a structured JSON decision log containing the policy name, the input evaluated, the decision reached and the timestamp. These logs are machine-readable attestation artefacts. Stored immutably in the sovereign evidence repository, they demonstrate to a national competent authority that a specific configuration satisfied a named control at a specific moment in time, without requiring the authority to access the live OPA instance.
Presenting CCM Evidence During Supervisory Inspections
The practical challenge during an on-site inspection is not having the evidence; it is presenting it in a form that an inspector can assess quickly without needing access to the compliance platform itself.
The recommended structure is a self-contained evidence package: a human-readable PDF summary of each control, its regulatory citation, its current status (pass, fail, exception) and the date of last evaluation, accompanied by the raw machine-readable artefacts (OSCAL assessment results, OPA decision logs, signed backup manifests) as attachments. Each artefact should be hashed and the hash recorded in the summary document, allowing the inspector to verify that the attached files have not been modified after export.
For GDPR supervisory authority inspections, Article 5(2) accountability requires that the organisation be able to demonstrate compliance proactively. The CCM evidence package satisfies this by providing a dated, signed, self-verifying record of control effectiveness. For NIS-2 competent authority inspections under the revised national transposition laws, the same package demonstrates compliance with the technical requirements specified in NIS-2 Implementing Regulation 2024/2690. For DORA examinations by financial supervisory authorities, the package maps directly to the ICT risk management documentation requirements of DORA Articles 5 through 16. One evidence format, three regulatory audiences.
FAQ
Why is a point-in-time penetration test or annual audit no longer sufficient for NIS-2 and DORA compliance?
NIS-2 Article 21 and DORA Article 8 both require ongoing monitoring of ICT systems, not evidence collected at a single point in time. A gap between two annual audits can span twelve months during which a control may have drifted or failed entirely. Continuous control monitoring closes that window by collecting telemetry and generating attestation artefacts in real time, giving competent authorities evidence of sustained effectiveness.
What is NIST OSCAL and why does it matter for sovereign compliance automation?
OSCAL (Open Security Controls Assessment Language) is a set of machine-readable formats published by NIST for representing security control catalogues, system security plans and assessment results. By encoding your control library in OSCAL, you can automatically map it to NIST SP 800-53, BSI C5 or ISO 27001 Annex A, detect gaps against NIS-2 Implementing Regulation 2024/2690 requirements, and produce standardised evidence artefacts that auditors can parse without accessing your compliance platform.
Can open-source GRC platforms such as Eramba replace commercial tools like ServiceNow GRC or OneTrust for regulated sectors?
Yes, provided they are deployed on sovereign, self-hosted infrastructure and integrated with your SIEM, identity provider and backup platform via API. Eramba supports control libraries, risk registers, evidence attachments and audit workflows. The key difference from commercial SaaS tools is that no telemetry leaves your environment, which eliminates CLOUD Act and FISA 702 exposure for the compliance data itself.
How does Open Policy Agent produce compliance attestation artefacts?
OPA evaluates policy rules written in the Rego language against real-time infrastructure state, such as Terraform plan outputs or Kubernetes admission requests, and returns a structured JSON decision log. Those decision logs, time-stamped and signed, constitute machine-readable attestation that a specific configuration satisfied or violated a named control at a specific moment. They can be stored immutably and presented to a competent authority as self-contained evidence without requiring live access to the OPA instance.
What makes Swiss hosting specifically relevant to compliance automation for EU regulated entities?
Switzerland holds an EU adequacy decision under GDPR, and the revised Swiss Federal Act on Data Protection (revFADP) came into force in September 2023. Critically, Swiss providers are not subject to the US CLOUD Act, the Patriot Act or FISA Section 702, meaning a US court order cannot compel a Swiss-only provider to disclose data. Storing compliance evidence, audit logs and control artefacts in a Swiss data centre therefore removes the foreign-jurisdiction risk that applies to US-controlled SaaS compliance tools.
