Regulatory landscape

Your signing platform may be operating effectively and as designed. Under NIS2 scrutiny, you may be asked to evidence, under time pressure, every high-assurance signing event across your estate, with a complete and tamper-evident authorisation trail.
For most organisations, this is where confidence breaks down. Many cryptographic estates cannot evidence every high-assurance signing event that occurred in the previous 18 months, tie each event back to the authorisation chain behind it, and prove that record has not been altered.
ENISA’s updated NIS2 guidance draws a clear distinction that many programmes still collapse into a single control domain: the execution of a signature, and the evidence supporting that execution. These are separate obligations.
For high-assurance signing events, regulators and auditors expect more than proof that a valid signature was produced. They require evidence of the authorisation chain, the applicable policy, the key used, the artefact signed, and the controls applied at the point of signing. Cryptographic signing capability and integrity of evidence are separate requirements.
Your platform, whether HSM-backed, integrated with a CA, or embedded in a code-signing service, performs the act of signing. That function is generally well engineered. What is consistently underdeveloped is the independent record of the decision context: who or what initiated the request, under which policy, using which key, and with what authorisation chain. Even where such records exist, they are typically co-located with the signing system itself. This creates a structural weakness. If the platform is compromised or unavailable, the evidence may be incomplete, inaccessible or difficult to rely on independently: the integrity and availability of that evidence cannot be assumed. This is an evidence architecture problem.
Forwarding logs to a SIEM can improve visibility, but it does not automatically create assurance-grade evidence. For high-assurance cryptographic operations, evidence needs to be complete, contextual, tamper-evident, retained for the required period and independent enough to support audit, investigation and regulatory scrutiny.
The challenge becomes more acute as signing authority extends beyond human actors. Service identities, CI/CD pipelines, and increasingly autonomous agents can all produce valid signatures without a correspondingly clear, attributable authorisation path. Technical identity alone is not sufficient if the organisation cannot demonstrate the authorisation basis, policy decision and accountable ownership behind the activity.
For NIS2 readiness, the evidence architecture should exist as a distinct, tamper-evident layer, capable of surviving the compromise of the signing systems.
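As an added illustration, not code from the original article, of what an independent, tamper-evident record of decision context can look like: each signing event must carry the requester, authorisation chain, policy, key and artefact digest before it is accepted, and entries are chained under a MAC key that only the evidence layer holds, so altering or deleting a recorded event is detectable even if the signing platform itself is compromised. All keys, identities and events below are constructed.

```python
import copy
import hashlib
import hmac
import json

# Constructed MAC key held by the evidence layer only; the signing platform never sees it.
EVIDENCE_KEY = b"constructed-evidence-store-key"
GENESIS = "0" * 64
REQUIRED = ("requester", "authorisation_chain", "policy", "key_id", "artefact_sha256")

def _mac(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_mac"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(EVIDENCE_KEY, canonical, hashlib.sha256).hexdigest()

def append_event(ledger: list, event: dict) -> dict:
    """Append one signing event chained to the previous entry's MAC; reject incomplete context."""
    if any(f not in event for f in REQUIRED):
        raise ValueError("incomplete decision context")
    entry = {"seq": len(ledger), "prev": ledger[-1]["entry_mac"] if ledger else GENESIS, "event": event}
    entry["entry_mac"] = _mac(entry)
    ledger.append(entry)
    return entry

def verify_ledger(ledger: list) -> tuple:
    """(True, n) if every entry is intact and correctly chained, else (False, first bad index)."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return (False, i)
        if not hmac.compare_digest(_mac(entry), entry.get("entry_mac", "")):
            return (False, i)
        prev = entry["entry_mac"]
    return (True, len(ledger))

def build_sample_ledger() -> list:
    """Constructed events: a human release manager, then a CI pipeline identity."""
    ledger = []
    for requester, chain, blob in (
        ("alice@example.test", ["change-1234", "approver:bob"], b"build-1"),
        ("ci-pipeline/release", ["workflow:release.yml", "approver:bob"], b"build-2"),
    ):
        append_event(ledger, {"requester": requester, "authorisation_chain": chain,
                              "policy": "release-signing-v3", "key_id": "hsm-key-0042",
                              "artefact_sha256": hashlib.sha256(blob).hexdigest()})
    return ledger

def altered_copy(ledger: list, idx: int, field: str, value) -> list:
    """Simulate a compromised platform rewriting one field of a recorded event."""
    altered = copy.deepcopy(ledger)
    altered[idx]["event"][field] = value
    return altered
```

Truncation (silently dropping the newest entries) is not detected by the chain alone; anchoring the latest entry MAC in an external store or timestamping service closes that gap.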
Signing capability is a baseline requirement under NIS2. The more mature control position is the ability to produce independent, verifiable evidence of how that capability is governed and exercised.