Tens of thousands of entities across the EU are covered by NIS2, and many find out through a customer questionnaire or an inspection. I run your compliance as a program: an honest baseline, a prioritized plan, milestone-driven execution, board-level reporting.
Are you covered, as an essential or important entity, and for which activities? The founding deliverable, usable internally and with your principals alike.
Assessment against the requirements (governance, security measures, notification), including targeted technical audits. Every action gets an owner, a deadline and an evidence criterion, validated at board level.
Governance cadence, action tracking, evidence documentation, team readiness. Compliance takes root in the governance, not in a binder.
The 24-hour and 72-hour notification process ready to trigger, articulated with crisis management and business continuity, validated by exercise.
If the entity you are acquiring or divesting is in NIS2 scope, compliance applies on Day 1. The subject belongs in the due diligence and in the separation or integration plan: the natural articulation between this GRC practice and my carve-out and carve-in programs.
Through a scoping analysis: crossing your sector of activity with the directive's 18 sectors, your headcount and revenue with the applicable thresholds, and checking the designation cases that apply regardless of size. It is the founding deliverable of the engagement, usually produced within days.
From 4 to 12 months depending on the starting maturity and the scoping category. The action plan separates the measures that actually reduce risk, to be treated first, from those that document compliance.
NIS2 introduces management-body accountability: they must approve cyber risk management measures and oversee their implementation. Beyond the financial penalties, executives' personal liability can be engaged in case of breach.
8 pillars, 34 questions, 7 minutes. Walk away with a snapshot of your exposure and your priorities.
→Start the self-assessmentOne 30-minute call and you know whether you are covered, what comes first and under what conditions to move forward.
→Book a qualification callFirst call free, no commitment. See also the Cybersecurity GRC page.