Last updated: 2026-05-22
Compliance
Tabletop and resilience exercises are a regulatory requirement under DORA, NIS2, NIST CSF, ISO 27001, SOC 2, HIPAA and the German KRITIS / BSI Act. ScenX maps every exercise action to the relevant control so you can produce the evidence auditors actually ask for.
What ScenX helps you with
For each framework below, the platform generates exercise plans that target the specified controls and produces an evidence pack ready to attach to your audit workpapers.
DORA
Art. 24–26
Digital Operational Resilience Act (EU) 2022/2554
Run threat-led penetration testing and digital operational resilience exercises with documented evidence. Map exercise actions to ICT risk management requirements.
NIS2
Art. 21
Directive (EU) 2022/2555
Demonstrate the cybersecurity risk-management measures, including incident handling and business continuity, with auditable exercise reports.
NIST CSF 2.0
Govern, Identify, Protect, Detect, Respond, Recover
NIST Cybersecurity Framework 2.0
Score exercise actions against the six functions and 23 categories of CSF 2.0; track maturity over time.
ISO/IEC 27001:2022
Annex A.5.24, A.5.30
Information Security Management Systems
Provide evidence of incident management planning (A.5.24) and ICT readiness for business continuity (A.5.30).
SOC 2
CC7.3, CC7.4, CC7.5
Trust Services Criteria
Document the design and operation of incident response controls for the Security and Availability TSCs.
HIPAA
§ 164.308(a)(7)
Health Insurance Portability and Accountability Act
Test the contingency plan, including disaster recovery and emergency mode operations, required by the Security Rule.
KRITIS (BSIG)
§§ 8a, 8b, 30, 32
German BSI Act - Critical Infrastructure (IT-SiG 2.0 + NIS2-Umsetzungsgesetz)
Run TOM-aligned exercises that satisfy the §8a state-of-the-art duty, drill the §8b/§32 reporting timelines (24 h early warning, 72 h notification, 1-month final report) and produce evidence for the biennial §8a(3) audit.
How the mapping works
Every exercise action recorded in ScenX is tagged against one or more framework controls and scored as Tested, Partial or Untested. The compliance dashboard rolls these up to a per-control coverage view so you can see which controls have not been exercised in the current reporting period — and close the gap before the auditor finds it. Reports can be exported as PDF or CSV for inclusion in your evidence binder.
DPA and security questionnaires
For technical controls see the Security page. Data Processing Addendums (DPAs) and customer security questionnaires are available on request via tom@scenx.ai.
Need a deeper dive?
Our free guide The CISO’s Guide to Cyber Resilience Testing walks through DORA Articles 24–27, NIS2’s ten minimum measures and the German BSIG §8a/§32 duties with a 12-month implementation roadmap.