Cybersecurity GRC · NIS2 Compliance

NIS2 compliance: from scoping
to demonstrable compliance.

Tens of thousands of entities across the EU are covered by NIS2, and many find out through a customer questionnaire or an inspection. I run your compliance as a program: an honest baseline, a prioritized plan, milestone-driven execution, board-level reporting.

The engagement

What the mission covers.

Scoping analysis

Are you covered, as an essential or important entity, and for which activities? The founding deliverable, usable internally and with your principals alike.

Gap analysis and action plan

Assessment against the requirements (governance, security measures, notification), including targeted technical audits. Every action gets an owner, a deadline and an evidence criterion, validated at board level.

Milestone-driven deployment

Governance cadence, action tracking, evidence documentation, team readiness. Compliance takes root in the governance, not in a binder.

Incident readiness

The 24-hour and 72-hour notification process ready to trigger, articulated with crisis management and business continuity, validated by exercise.

Special case

NIS2 and M&A deals: no grace period.

If the entity you are acquiring or divesting is in NIS2 scope, compliance applies on Day 1. The subject belongs in the due diligence and in the separation or integration plan: the natural articulation between this GRC practice and my carve-out and carve-in programs.

Compliance built to protect first, document second: the action plan always separates what reduces risk from what ticks boxes.
Frequently asked questions

What I get asked about NIS2.

How do I know whether my company is in scope?

Through a scoping analysis: crossing your sector of activity with the directive's 18 sectors, your headcount and revenue with the applicable thresholds, and checking the designation cases that apply regardless of size. It is the founding deliverable of the engagement, usually produced within days.

How long does compliance take?

From 4 to 12 months depending on the starting maturity and the scoping category. The action plan separates the measures that actually reduce risk, to be treated first, from those that document compliance.

What do executives concretely risk?

NIS2 introduces management-body accountability: they must approve cyber risk management measures and oversee their implementation. Beyond the financial penalties, executives' personal liability can be engaged in case of breach.

Free resource

Test your NIS2 maturity for free.

8 pillars, 34 questions, 7 minutes. Walk away with a snapshot of your exposure and your priorities.

Start the self-assessment

Know where you stand before someone asks.

One 30-minute call and you know whether you are covered, what comes first and under what conditions to move forward.

Book a qualification call

First call free, no commitment. See also the Cybersecurity GRC page.