This audit table maps CI/CD security controls to the cybersecurity risk-management measures in Article 21(2) of the NIS2 Directive (Directive (EU) 2022/2555) and to PCI DSS v4.0 requirements. It supports risk management, supply chain security, and audit readiness for critical and payment-related systems.

Two caveats before using it. The NIS2 lettering refers to the measures listed in Art. 21(2): (a) policies on risk analysis and information system security, (b) incident handling, (d) supply chain security, (e) security in network and information systems acquisition, development and maintenance, (f) policies and procedures to assess the effectiveness of the measures, (h) policies on the use of cryptography, (i) human resources security, access control policies and asset management, and (j) the use of multi-factor authentication; Art. 23 covers incident reporting, and national transposition laws may add detail beyond the Directive text. PCI DSS requirement numbers also changed between v3.2.1 and v4.0 (for example, change control moved from Req. 6.4 to Req. 6.5 and audit log retention from Req. 10.7 to Req. 10.5), so confirm each reference against the version your assessment is scoped to.
🔐 Identity & Access Management (IAM)
| Control | NIS2 | PCI DSS v4.0 | Yes | No |
|---|---|---|---|---|
| Least privilege enforced for CI/CD service accounts | Art. 21(2)(i) | Req. 7.2 | ⬜ | ⬜ |
| Separation of human and pipeline identities | Art. 21(2)(i) | Req. 8.2, 8.6 | ⬜ | ⬜ |
| RBAC enforced for CI/CD systems | Art. 21(2)(i) | Req. 7.2 | ⬜ | ⬜ |
| MFA enforced for CI/CD administrators | Art. 21(2)(j) | Req. 8.4 | ⬜ | ⬜ |
| Privileged actions require approval | Art. 21(2)(i) | Req. 6.5 | ⬜ | ⬜ |
🔑 Secrets & Credential Management
| Control | NIS2 | PCI DSS v4.0 | Yes | No |
|---|---|---|---|---|
| Secrets not stored in source code | Art. 21(2)(e) | Req. 8.6.2 | ⬜ | ⬜ |
| Runtime secret injection | Art. 21(2)(e) | Req. 8.6 | ⬜ | ⬜ |
| Environment-scoped credentials | Art. 21(2)(i) | Req. 7.2 | ⬜ | ⬜ |
| Regular secret rotation | Art. 21(2)(h) | Req. 8.6.3, 3.7.4 | ⬜ | ⬜ |
| Secrets excluded from logs | Art. 21(2)(e) | Req. 8.3.2 | ⬜ | ⬜ |
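As an added example (not part of the original table), one way to produce evidence for the "Secrets excluded from logs" row: a redaction pass over CI log output that masks values the pipeline already knows are secrets (the same idea as GitHub's `::add-mask::`) and flags well-known token formats. The log lines, the registered secret and the token values are all constructed for this example; the pattern list is an assumption to be extended with the credential formats your own estate issues.

```python
"""Added example: detection and masking of secrets in CI log output, for the
'Secrets excluded from logs' row. Two layers: values the pipeline already knows
are secrets, and well-known token formats that should never appear in a log."""
import re
from typing import Dict, List, Tuple

# Known-format credential patterns. Constructed for this example; extend with the
# formats your estate issues (cloud keys, registry tokens, signing keys).
TOKEN_PATTERNS: Dict[str, re.Pattern] = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

MASK = "***"


def redact_line(line: str, known_secrets: List[str]) -> Tuple[str, List[str]]:
    """Mask registered secret values and known-format tokens in one log line.
    Returns (masked line, list of finding kinds). Longest registered value is
    replaced first so a secret containing another registered value is masked whole."""
    kinds: List[str] = []
    for secret in sorted((s for s in known_secrets if s), key=len, reverse=True):
        if secret in line:
            line = line.replace(secret, MASK)
            kinds.append("registered_secret")
    for name, pattern in TOKEN_PATTERNS.items():
        if pattern.search(line):
            line = pattern.sub(MASK, line)
            kinds.append(name)
    return line, kinds


def scan_log(lines: List[str], known_secrets: List[str]) -> Tuple[List[str], List[Tuple[int, str]]]:
    """Redact a whole log; findings are (1-based line number, kind) pairs for the audit record."""
    masked: List[str] = []
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        out, kinds = redact_line(line, known_secrets)
        masked.append(out)
        findings.extend((n, k) for k in kinds)
    return masked, findings


# Constructed CI log excerpt and registered secret (not real credentials).
REGISTERED_SECRETS = ["hunter2-ci-pass"]
SAMPLE_LOG = [
    "[build] docker login -u ci -p hunter2-ci-pass registry.example.internal",
    "[deploy] export GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345",
    "[test] all 42 tests passed",
    "[aws] AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
]

if __name__ == "__main__":
    masked_lines, hits = scan_log(SAMPLE_LOG, REGISTERED_SECRETS)
    print("\n".join(masked_lines))
    print(hits)
```

Any non-empty `findings` list is a "No" for the row: the control is that secrets never reach the log in the first place, so the masking layer is a safety net and the findings are the evidence of a pipeline step that needs fixing. Pattern matching only catches formats you have listed; the registered-value layer is what covers arbitrary passwords and passphrases.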
📦 Software Supply Chain & Artifact Integrity
| Control | NIS2 | PCI DSS v4.0 | Yes | No |
|---|---|---|---|---|
| Hardened CI/CD build environments | Art. 21(2)(e) | Req. 2.2, 6.3.3 | ⬜ | ⬜ |
| Artifact signing enforced | Art. 21(2)(e) | Req. 6.2 | ⬜ | ⬜ |
| Artifact provenance and traceability | Art. 21(2)(e) | Req. 6.5 | ⬜ | ⬜ |
| Artifact repositories are immutable | Art. 21(2)(e) | Req. 6.5 | ⬜ | ⬜ |
| Only trusted artifacts promoted | Art. 21(2)(e) | Req. 6.5 | ⬜ | ⬜ |
🔗 Third-Party & CI/CD Integrations
| Control | NIS2 | PCI DSS v4.0 | Yes | No |
|---|---|---|---|---|
| Third-party CI/CD tools formally approved | Art. 21(2)(d) | Req. 12.8 | ⬜ | ⬜ |
| Third-party actions pinned to versions | Art. 21(2)(d) | Req. 6.3.2 | ⬜ | ⬜ |
| Integrity of external CI/CD components verified | Art. 21(2)(d) | Req. 6.3.2 | ⬜ | ⬜ |
| Community plugins restricted | Art. 21(2)(d) | Req. 2.2 | ⬜ | ⬜ |
| Integration activity monitored | Art. 21(2)(b) | Req. 10.4 | ⬜ | ⬜ |
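As an added example (not part of the original table), one way to produce evidence for two rows at once, "Third-party actions pinned to versions" above and "Least privilege enforced for CI/CD service accounts" in the IAM table, when the pipeline is GitHub Actions: a line-based scan that flags `uses:` references not pinned to a full commit SHA and workflows with no top-level `permissions:` block for `GITHUB_TOKEN`. The workflow text is constructed for the example and the commit SHA in it is a placeholder, not a real release of any action.

```python
"""Added example: audit a GitHub Actions workflow for two controls in the table,
'Third-party actions pinned to versions' and 'Least privilege enforced for
CI/CD service accounts'. Line-based, so it needs no YAML library."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Only a full 40-hex commit SHA is an immutable reference for a GitHub action;
# tags (v4) and branches (main) can be moved to different code after the fact.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s]+)")
# A column-0 permissions block sets the GITHUB_TOKEN scope for the whole workflow.
TOP_PERMISSIONS_RE = re.compile(r"^permissions:\s*(\S.*)?$")


@dataclass
class Finding:
    line: int          # 0 means the finding applies to the workflow as a whole
    message: str


def check_uses_ref(ref: str) -> Optional[str]:
    """Return a finding message for an unpinned `uses:` reference, or None if acceptable."""
    if ref.startswith("./"):
        return None  # local action in the same repository: reviewed with the code, not pinned
    if ref.startswith("docker://"):
        return None if "@sha256:" in ref else f"container action not pinned by digest: {ref}"
    if "@" not in ref:
        return f"action has no ref at all (resolves to the default branch): {ref}"
    action, _, version = ref.rpartition("@")
    if SHA_RE.match(version):
        return None
    return f"action pinned to mutable ref '{version}', expected a 40-char commit SHA: {action}"


def audit_workflow(text: str) -> List[Finding]:
    """Scan workflow YAML line by line; return findings with 1-based line numbers."""
    findings: List[Finding] = []
    has_top_permissions = False
    for n, line in enumerate(text.splitlines(), 1):
        perm = TOP_PERMISSIONS_RE.match(line)
        if perm:
            has_top_permissions = True
            if (perm.group(1) or "").strip() == "write-all":
                findings.append(Finding(n, "top-level 'permissions: write-all' grants GITHUB_TOKEN every scope"))
        used = USES_RE.match(line)
        if used:
            msg = check_uses_ref(used.group(1))
            if msg:
                findings.append(Finding(n, msg))
    if not has_top_permissions:
        findings.append(Finding(0, "no top-level 'permissions:' block; GITHUB_TOKEN falls back to the repository default"))
    return findings


# Constructed sample workflow (not from any real project); the SHA below is a placeholder.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: ./.github/actions/internal-lint
      - uses: docker://ghcr.io/example/scanner:latest
      - run: go build ./...
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.message}")
```

Run it over every workflow file under `.github/workflows/` and attach the output to the audit record; an empty list is the evidence for "Yes". The scan only credits a top-level `permissions:` block, so a workflow that scopes the token per job will be reported as a finding and needs a manual tick. A SHA pin is only half of the control: the comment after the SHA (`# v5.0.0`) is what lets a reviewer confirm the pinned commit is the intended release, and a dependency-update bot should be the one moving the pin.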
📊 Logging, Monitoring & Incident Readiness
| Control | NIS2 | PCI DSS v4.0 | Yes | No |
|---|---|---|---|---|
| CI/CD pipeline activity fully logged | Art. 21(2)(b) | Req. 10.2 | ⬜ | ⬜ |
| Logs include approvals and security events | Art. 21(2)(b) | Req. 10.2 | ⬜ | ⬜ |
| Centralized logging enabled | Art. 21(2)(b) | Req. 10.3 | ⬜ | ⬜ |
| Log retention aligned with policy | Art. 21(2)(b) | Req. 10.5 | ⬜ | ⬜ |
| CI/CD logs support incident investigation | Art. 21(2)(b), Art. 23 | Req. 12.10 | ⬜ | ⬜ |
🛡️ Governance, Risk & Change Management
| Control | NIS2 | PCI DSS v4.0 | Yes | No |
|---|---|---|---|---|
| CI/CD included in cybersecurity risk management | Art. 21(1), 21(2)(a) | Req. 12.3 | ⬜ | ⬜ |
| Segregation of duties enforced | Art. 21(2)(i) | Req. 6.5.4, 7.2 | ⬜ | ⬜ |
| Change approvals enforced via pipelines | Art. 21(2)(e) | Req. 6.5 | ⬜ | ⬜ |
| Exceptions formally approved and documented | Art. 21(2)(a) | Req. 12.3 | ⬜ | ⬜ |
| CI/CD security posture reviewed periodically | Art. 21(2)(f) | Req. 12.4 | ⬜ | ⬜ |
How to Use This NIS2 / PCI DSS Audit Table
- Use it as a worksheet for NIS2 cybersecurity risk assessments under Art. 21; every row ticked "No" is a gap to record in the risk register with an owner and a remediation date.
- Support PCI DSS audits of Requirements 6, 7, 8, 10 and 12 with CI/CD-specific evidence (pipeline configuration, access reviews, signed artifacts, log samples) attached to each row.
- Demonstrate that CI/CD is included in organizational security governance rather than treated as a developer-only concern.