We had the pleasure of speaking at BSides Luxembourg 2026 with a talk entitled “Mapping the Invisible: Why System Cartography Matters for Security and Compliance”.
📺 The video of the talk is available online: Watch the talk on archive.org
Mapping the invisible
You can only properly protect what you know. It sounds obvious, and yet most organizations lack a complete and up-to-date view of their information system: forgotten applications, legacy servers, undocumented flows, invisible dependencies between business processes and technical infrastructure. These grey areas are precisely what become security blind spots — and gaping holes on the day of an incident.
Information system cartography is about making the invisible visible: representing the ecosystem, business processes, applications, data, infrastructure and their interconnections, across several coherent layers, in line with the ANSSI information system mapping guide.
A driver for security… and for compliance
Beyond its operational value — understanding the impact of a vulnerability, preparing a recovery plan, analyzing dependencies — cartography has become a regulatory requirement. The NIS2 directive and the ISO 27001 standard require organizations to know their assets, assess their criticality and keep track of them over time. It is impossible to demonstrate compliance without a living, structured inventory of the information system.
That is the role of Mercator, our open-source information system cartography tool, now deployed in more than 30 countries, in hospitals, universities, local authorities and public administrations. Mercator makes it possible to build and maintain this cartography across all the views defined by ANSSI, generate the reports expected by auditors, and connect the business view to the technical reality.
Thanks to the organizers
A big thank you to the BSides Luxembourg team for organizing this 2026 edition, and to the attendees for the rich discussions that followed the talk. These community conferences are precious moments for the open-source and cybersecurity community.
Going further
- 📺 The video of the talk
- 🗺️ Mercator on GitHub
- 📚 Mercator documentation
- 🇫🇷 The ANSSI information system mapping guide
Would you like to set up a cartography of your information system, or get support with your NIS2 / ISO 27001 journey? Contact us — Sourcentis offers professional support contracts for Mercator and Deming.