NIS2 compliance

NIS2 readiness — before the supervisory authority asks.

A working NIS2 programme: scope confirmed, governance accepted by the management body, incident workflow tested, supply-chain controls in place, and the registration on file with the national authority that supervises you.

  • Scope decision documented, not assumed — essential vs. important entity.
  • Incident-reporting workflow tested against the 24h / 72h / 1 month clocks.
  • Management-body briefing pack and acceptance record.

Topics: NIS2 Directive, 24/72-hour reporting, Management-body sign-off, Supply-chain controls

When this is for you

The four moments NIS2 becomes urgent.

  • A customer in scope just made you a key supplier.

    NIS2 supply-chain controls flow downward. Your enterprise customer is now required to assess and document your security posture. The questionnaire arrives with a 30-day return.

  • Your national supervisory authority opened a registration window.

    Most member states require essential and important entities to register. Missing the window means a starting position with the regulator that is hard to recover.

  • You had a near-miss incident and the reporting clock would have been a disaster.

    24 hours to first notify, 72 to file a structured report, 1 month for the final. Without a tested workflow these deadlines are unreachable in practice.

  • The board has heard "personal liability" and wants a defensible answer.

    NIS2 makes the management body explicitly accountable. We translate the obligation into something a board can approve, oversee and document — not just a slide that says "compliant".

The engagement

Four phases — scope to supervisory registration.

Each phase has a defined output the supervisory authority recognises by name.

  1. Scope confirmation & classification (2 weeks)

    Essential entity, important entity, out of scope — documented against the directive's sector annexes and your member-state transposition. Outputs: scope memo, classification rationale, register-or-don't decision.

  2. Governance & risk-management measures (4–6 weeks)

    The ten Article 21 measures translated into operating controls. Management-body briefing, training and acceptance record. Risk register tied to the entities and services NIS2 covers — not a generic ISMS overlay.

  3. Incident workflow & supply-chain controls (3–5 weeks)

    Detection criteria for "significant incident", escalation, communication templates for the 24h early warning, the 72h notification and the 1-month final report. Tested in a tabletop. Supplier assessments aligned to the same risk model.

  4. Registration & supervisory dialogue (2 weeks)

    Registration with the national authority that supervises you, point-of-contact filed, and a documented audit trail of the management-body decision. We sit alongside the responsible officer for first contact with the regulator.

Outcomes

What you'll have when we're done.

01. A defensible scope decision

Whether you fall under NIS2 — and as what class — written down with the reasoning, signed by the right party, and ready to show the supervisory authority on day one.

02. A management body that can sign off

Briefing pack, training record, decision log. The directors are not exposed because someone forgot to capture acceptance — the audit trail exists.

03. An incident workflow that meets the clock

24h, 72h and 1-month notifications drafted, owned, and tested against a tabletop. The first real incident is not the rehearsal.

04. Supply-chain controls that flow downward

Supplier assessment framework, contractual language, and a register that survives audit — so when a customer pushes their NIS2 obligation down to you, you can show them what is already in place.

From the practice

"NIS2 is the first cybersecurity regulation that explicitly puts the management body on the line. The companies that treat that as a paperwork problem will discover, the hard way, that it is a governance problem."

— Adam Gresh, Purple Dragon Cybersecurity

Frequently asked

Common questions, direct answers.

Are we actually in scope for NIS2?

NIS2 lands on a wider population than NIS1: digital infrastructure, cloud, managed services, postal, waste, food, manufacturing of critical products, research — plus their supply chains. If you operate in the EU and process data or services for any of those sectors, the answer is "probably". We confirm scope before scoping work.

What is the actual deadline?

The NIS2 transposition deadline was October 2024 — most member states are now actively enforcing through their national supervisory authorities. There is no grace period for entities that should already have registered.

How is NIS2 different from ISO 27001?

ISO 27001 is a voluntary certification. NIS2 is law. ISO 27001 covers most of the controls NIS2 expects, but NIS2 adds explicit governance, supply-chain, and incident-reporting obligations on top — and personal liability for management bodies. ISO 27001 is the foundation; NIS2 is the regulatory wrapper.

Does management actually face personal liability?

Yes. NIS2 explicitly makes the management body responsible for approving and overseeing the cybersecurity risk-management measures. National laws can add fines, temporary management bans, and individual sanctions. This is not a "the security team will handle it" regulation.

What does the incident report look like?

Three deadlines: an early warning within 24 hours of awareness of a significant incident, a full incident notification within 72 hours, and a final report within one month. We build the workflow — detection criteria, escalation, communication templates — before you need it, not during.

Get a 30-min NIS2 scope check

No deck. A working session that confirms whether you are in scope and what the next 30 days should produce.

Talk to a security operator.

Tell us what you're trying to ship, what's stalled, or which buyer security review is up next. We work with companies across the EU, EEA and US — and we reply within one business day.

Get in touch