The email-layer control your compliance frameworks require

NIS2, DORA and SOC 2 all ask the same three questions about email: is the top attack vector protected, can you prove it continuously, and do you detect incidents fast enough to report them on time? Sentaro answers all three.

Last updated 2026-07-09

Compliance is organizational. Controls are technical. We are the control.

No product makes you compliant with NIS2, DORA or SOC 2, and you should distrust any that claims to. Compliance lives in your governance, processes and documentation. But every framework requires technical controls, and email is where the requirements converge, because it is where most incidents begin: phishing, business email compromise and OAuth consent fraud. Sentaro is that control layer, plus the evidence that it operates, plus the detection your reporting deadlines depend on. Your GRC program owns the framework; Sentaro supplies the email-layer control, monitoring and proof it plugs in.

What each framework asks, and what Sentaro answers

NIS2

The EU's NIS2 directive requires risk management measures against exactly the attacks that arrive by email, supply chain vigilance, and incident reporting on a 24h/72h/one-month clock. Sentaro contributes the protection measure, flags compromised vendor mailboxes in your mail flow, and, when an email-borne incident happens, starts the reporting chain with detection and evidence instead of an empty page.

DORA

For financial entities, DORA demands ICT risk management, major-incident reporting on fixed timelines, and control of third-party ICT dependencies. Sentaro covers the detect-and-monitor expectations at the mailbox, supplies the who/what/when/scope that incident classification and reports require, and surfaces every third-party and AI service holding OAuth access to mail and files, feeding your ICT register with what is actually connected.

SOC 2

SOC 2 Type II is won or lost on evidence: controls that demonstrably operated all period. Sentaro maps to the Common Criteria where they touch email (threat detection and monitoring, incident detection and records, logical access via OAuth visibility, third-party insight) and generates the continuous logs your auditor tests, automatically, for the whole observation window.

The incident reporting chain, from detection to deadline

StageWhat happensWho owns it
DetectionSentaro identifies the email-borne attack in real timeSentaro
FactsWho was targeted, what was blocked or delivered, when, and how far it spreadSentaro
AssessmentIs this significant/major under your framework?You (with Sentaro's evidence)
Report24h/72h notifications (NIS2), timeline reports (DORA), incident records (SOC 2)You (with Sentaro's evidence)
Post-incidentFinal reports, lessons learned, control adjustmentsYou

Reporting deadlines are a race that starts before you know the race has begun. The first mile, knowing an incident happened and what it touched, is exactly what Sentaro automates.

Evidence that survives an audit

Auditors and supervisors have stopped accepting screenshots and intentions. What passes is continuous operation: logs that cover the whole period, alerts with dispositions, and visibility reports generated by the system rather than assembled the week before the audit. Because Sentaro monitors continuously, the evidence exists as a byproduct of protection, including the awkward parts other tools miss: which shadow IT and AI services your employees connected to company mailboxes, and which OAuth grants held what access when.

Works alongside your compliance program

Sentaro does not replace your GRC tooling, your auditor or your policies, and does not pretend to. It slots in as the email-layer control set they all reference: protection for the risk registers, evidence for the audits, detection for the incident process. One API connection to Google Workspace or Microsoft 365, value the same day.

This page is general guidance, not legal or audit advice.

FAQ

Does Sentaro make us NIS2, DORA or SOC 2 compliant?
No product does, and claims otherwise are a red flag. Compliance is your governance, processes and documentation. Sentaro provides the email-layer controls, continuous evidence and incident detection those frameworks require.
How does Sentaro help with incident reporting deadlines?
For email-borne incidents, Sentaro provides the detection that triggers your process and the facts (targets, actions, timestamps, scope) that early warnings and notifications must contain, so NIS2's 24/72-hour clocks and DORA's reporting timelines start with evidence.
What evidence does Sentaro produce for a SOC 2 Type II audit?
Continuous logs of threat detection and disposition, OAuth grant and access visibility, and monitoring reports spanning the observation period, mapped with your auditor to the relevant Common Criteria.
We are a supplier to NIS2-covered companies. Does this concern us?
Yes, indirectly: covered entities must manage supply chain security, and increasingly push requirements onto suppliers. Demonstrable email security and incident detection is one of the most commonly requested controls.
Do we still need our GRC platform?
Yes. GRC tools manage the program: policies, tasks, evidence collection across all domains. Sentaro is one of the actual controls the program depends on, and a source of the evidence it collects.

Put the control in place today

Connect Sentaro to Google Workspace or Microsoft 365 and the protection, monitoring and evidence start the same day.