Yesterday was the ENSIA deadline for submitting the final accounts to the ministries.

And in the days leading up to it, the same thing happened in many local authorities.
SharePoint folders being combed through one last time.
Email exchanges that had to be tracked down.
We know that ritual. It comes round every year.
Chasing up interim reports. Reconstructing the burden of proof from email exchanges. Drafting a council statement whilst the information required is scattered across ten different locations.

The point is not that local authorities do not take their information security seriously. Policies are in place. Owners have been appointed. But the moment someone has to demonstrate what has actually been carried out, it turns out there is no overview.

Year after year.
And this year, that gap is becoming more visible.

BIO2 has been the mandatory regulatory framework since March. The Cyber Security Act makes information security a legal duty of care with administrative liability. Not liability for the policy, but for its implementation.
That changes the conversation in the boardroom.
“We’re working on it” is no longer an acceptable answer.

What you need is not yet another control system piled on top of the rest. What you need is a single place where measures, ownership and the burden of proof are all integrated into the same workflow. That way, the current status isn’t something you have to piece together in April, but something you can access at any time.

That is what IRM360 was built for. The BIO2 government measures are included in the platform as verifiable controls, with linked actions, owners and documentation.
The ENSIA reporting then becomes not an annual quest, but an export of what has already been recorded throughout the year.

Sound familiar? Send us a message. We’ll show you exactly what that looks like in practice!