NIS2 Compliance Services — Meet EU Cybersecurity Requirements
NIS2 requires essential and important entities across 18 sectors to implement cybersecurity measures or face fines up to €10M. We deliver NIS2 gap assessments, policy implementation, and audit-ready compliance.
Our NIS2 Compliance Services
NIS2 Gap Assessment & Scoping
Entity classification, security posture mapping against all 10 Article 21 measures, and a prioritized compliance roadmap.
Risk Management Framework
All-hazards risk management framework covering threat identification, risk treatment plans, and continuous monitoring.
Incident Reporting & Response Setup
Complete incident management capability with 24h/72h/1-month reporting workflows and tabletop exercises.
Supply Chain Security Program
Critical supplier assessments, contractual security clauses, and ongoing vendor risk monitoring per Article 21(2)(d).
Governance & Board Reporting
Board-level governance structures, management training, and accountability documentation for Article 20 compliance.
Compliance Monitoring & Audit Readiness
Compliance dashboards, internal audit schedules, evidence collection, and ongoing policy review cycles.
What Happens Without NIS2 Compliance?
The NIS2 directive introduces strict sanctions for non-compliant entities across the EU:
Fines Up to €10 Million
Essential entities: up to €10M or 2% of annual turnover. Important entities: up to €7M or 1.4% of turnover. Management is personally liable.
Personal Liability for Management
NIS2 Article 20 holds management personally liable for cybersecurity oversight. Board members face temporary suspension from managerial functions for non-compliance.
Operational Disruptions & Downtime
Without documented incident response plans, average recovery exceeds 23 days after a significant cyber incident. Unstructured response leads to extended downtime and cascading failures.
Supply Chain Exclusion
NIS2-compliant customers must verify supplier security posture under Article 21(2)(d). Non-compliant suppliers risk exclusion from major EU enterprise and public sector contracts.
NIS2 Directive — What You Need to Implement
Article 21 defines 10 minimum cybersecurity measures that all essential and important entities must implement.
10 Minimum Measures (Art. 21)
- Risk analysis and information system security policies
- Incident handling, business continuity, and crisis management
- Supply chain security and secure system acquisition practices
- Cryptography, access control, MFA, and cybersecurity training
Essential vs Important Entities
- Essential: Annex I sectors (energy, transport, banking, health, digital infrastructure, space)
- Important: Annex II sectors (postal, waste, chemicals, food, manufacturing, digital providers)
- Essential: 250+ employees or €50M+ turnover — proactive supervision and audits
- Important: 50+ employees or €10M+ turnover — reactive enforcement on incidents
Timeline & Compliance Deadlines
- October 2024: EU transposition deadline — enforcement powers active across member states
- November 2024: Croatia's implementing regulation entered into force (SOA as authority)
- Incident reporting: 24h early warning, 72h notification, 1-month final report
- Ongoing: regular security audits, policy reviews, training, and supply chain evaluations
How We Deliver NIS2 Compliance
Scoping & Entity Classification
We classify your organization as essential or important under NIS2 and define the compliance boundary across business units and systems.
NIS2 Gap Assessment
We audit your cybersecurity posture against all 10 Article 21 measures, scoring each for maturity and prioritizing gaps by risk level.
Implementation & Remediation
We implement policies, incident response plans, supply chain programs, access controls, and training — all documented for regulatory audit.
Audit Readiness & Ongoing Support
We prepare compliance evidence packages, conduct audit simulations, and provide quarterly reviews with continuous monitoring.
Frequently Asked Questions About NIS2 Compliance
NIS2 applies to medium and large organizations (50+ employees or €10M+ turnover) in 18 sectors across Annexes I and II — energy, transport, banking, healthcare, digital infrastructure, manufacturing, and more. Certain entities like DNS providers and trust service providers must comply regardless of size.
Essential entities face fines up to €10M or 2% of global turnover. Important entities face up to €7M or 1.4% of turnover. NIS2 also introduces personal liability — board members can be suspended from managerial functions.
The EU transposition deadline was October 2024. Croatia's law entered into force in November 2024. There is no grace period — enforcement powers are active and essential entities face proactive audits now.
NIS2 requires multi-stage reporting: a 24-hour early warning to the national CSIRT, a 72-hour notification with severity assessment, and a final report within one month with root cause analysis. Missing any deadline is a compliance violation.
ISO 27001 covers about 70-80% of NIS2 requirements. Key NIS2 gaps include mandatory 24-hour incident reporting, specific supply chain security obligations, personal management liability, and registration with national authorities.
Article 20 requires management to approve and oversee cybersecurity measures. Board members must undergo cybersecurity training and face personal liability — including suspension — if the organization fails to comply.
Generally no — NIS2 targets organizations with 50+ employees or €10M+ turnover. However, DNS providers, trust service providers, and sole providers of essential services must comply regardless of size. Small suppliers may face indirect requirements through contracts.
We start immediately with entity classification and gap assessment. Most organizations achieve initial NIS2 compliance in 3 to 6 months depending on size and existing security maturity.
Related Compliance Services
NIS2 Industries We Serve
Start Your NIS2 Compliance Assessment
Free initial consultation to determine your NIS2 entity classification and identify compliance gaps. We start immediately.