Annex I sectors above 250 staff or €50M turnover.
Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space.
SERVICE PRACTICE · NIS2 COMPLIANCE
NIS2 scoping and Art. 21 implementation.
We confirm whether you are an essential or important entity, implement the ten Article 21 measures, set up the Article 23 incident reporting workflow, and train your management body under Article 20. Pre-supervisory readiness reviews included.
NIS2.DESK · LAST 30 DAYS● LIVE
Entities scoped (essential vs important)12
Article 21 measures implementedacross 6 mandates47
Significant incidents reported24 h warning filed3
Suppliers reviewed under Art. 21(d)128
Management body briefings held8
Authority correspondence logged14
TRUSTED BY 300+ EU ORGANISATIONS
ROCHESIEMENSIKEAASTRAZENECAVODAFONEPHILIPSJUST EAT
FREE 30-MIN CONSULTATION
Talk to a senior advisor.
One business day reply. Clear next steps and indicative pricing.
1 BUSINESS DAY REPLY·NDA ON REQUEST·NO OBLIGATION
§ 01 / NIS2 IN 60 SECONDS
Scope and entity types.
Annex II sectors and mid-sized Annex I entities.
Postal services, waste, chemicals, food, manufacturing, digital providers, research. Above 50 staff or €10M turnover.
National transposition deadlines have passed.
Member states transposed NIS2 into national law throughout 2024-2025. Supervisory authorities are now actively scoping and enforcing across the EU.
IMPORTANT ENTITIES
Up to €7M or 1.4% turnover
Article 34 administrative fines for governance, reporting, or measure failures.
ESSENTIAL ENTITIES
Up to €10M or 2% turnover
Article 34 maximum tier. Plus personal liability of management bodies under Article 20.
§ 02 / ARTICLES IN SCOPE
Measures and reporting.
ARTICLE 21 · RISK MANAGEMENT MEASURES
Art. 21(a)Risk analysis and policyDocumented information security policy and risk approach.
Art. 21(b)Incident handlingDetection, response, and recovery capability.
Art. 21(c)Business continuityBackup management, disaster recovery, crisis communication.
Art. 21(d)Supply chain securitySecurity of network and information systems acquisition.
Art. 21(e-j)Technical measuresCryptography, MFA, access control, vulnerability handling, secure development.
ARTICLE 23 · INCIDENT REPORTING
Art. 23(1)Significant incident definitionSevere operational disruption, financial loss, or affects other entities.
Art. 23(4)(a)24-hour early warningTo the CSIRT or competent authority, indicating suspected malicious cause.
Art. 23(4)(b)72-hour incident notificationUpdated assessment, indicators of compromise, initial mitigations.
Art. 23(4)(c)1-month final reportDetailed description, type of threat, applied and ongoing mitigations.
Art. 20Management body accountabilityApproval of measures and oversight; mandatory training; personal liability.
§ 03 / ENGAGEMENT MODELS
Engagement models.
FULLMOST POPULAR
NIS2 Programme Implementation
Scoping confirmation, Article 21 measures, incident reporting workflow, supply chain controls, management body training, pre-supervisory readiness review.
- →Essential vs important confirmation
- →Ten Article 21 measures
- →24h-72h-1mo reporting workflow
- →Management training under Art. 20
GAP3-4 WK
NIS2 Gap Assessment
Independent gap review against the Article 21 measures and Article 23 workflow. Maturity score, prioritised gap register, executive readout.
- →Maturity baseline
- →Gap register, priority-scored
- →Risk-weighted roadmap
- →Board-ready readout
OPSMONTHLY
NIS2 Operations Retainer
Ongoing operations: supplier reviews under Art. 21(d), incident triage and reporting, management body briefings, authority liaison.
- →Supplier reviews (Art. 21(d))
- →Incident triage and filing
- →Quarterly management briefings
- →Authority correspondence
§ 04 / SCOPE
Scope of work.
01 / 04
Scoping and governance
- Essential vs important determination
- Annex I and II sector mapping
- Group-level scoping for subsidiaries
- Management body roles and approvals
- Reporting cadence to the board
02 / 04
Article 21 measures
- Risk analysis methodology
- Incident handling procedures
- Business continuity and crisis
- Supply chain security framework
- Cryptography, MFA, vulnerability handling
03 / 04
Incident reporting
- 24h early-warning template
- 72h notification template
- 1-month final report template
- CSIRT and authority contact register
- Internal escalation runbook
04 / 04
People and authority
- Management body training (Art. 20)
- Role-based staff awareness
- Authority correspondence
- Pre-supervisory readiness reviews
- Annual programme report
§ 05 / INCIDENT WORKFLOWSee sample incident readoutPDF · 8 PP
Incident reporting workflow.
NIS2 Article 23 adds a 24-hour early warning and a 72-hour notification on top of GDPR Article 33. We pre-build the workflow, prepare the templates and triage the incident as soon as it is detected.
24h early warning
We file
72h notification
We file
1-month final report
We file
Crisis-team coordination
Included
SAMPLE.INCIDENT.READOUTOCT 2026
Significant incident detectedT+0 h
Early warning filed (Art. 23(4)(a))T+18 h
Incident notification filed (Art. 23(4)(b))T+62 h
Containment confirmedT+5 d
Final report delivered (Art. 23(4)(c))T+24 d
Authority responseNo follow-up actions
SIGNED. JELENA NOVAK, PARTNER. CYBERSECURITY AND NIS2
§ 06 / SELECTED WORK
All case studies →Recent engagements.
CASE 01Energy operator · Essential entity
NIS2 Article 21 implemented before the national deadline. Zero critical findings.
34
Sites covered
5 mo
Time to compliance
0
Critical findings
SCOPENIS2 · Art. 21 · Supply chain controls
CASE 02Telecom operator · Essential entity
Group-level scoping confirmed essential status across 8 entities.
8
Entities scoped
4
Jurisdictions
0
Authority queries
SCOPENIS2 · Scoping · Reporting workflow
CASE 03B2B SaaS · Important entity
Article 21 measures and reporting workflow set up across 11 EU jurisdictions.
11
Jurisdictions
10
Measures implemented
4
Management briefings
SCOPENIS2 · Art. 21 · Art. 23 · Art. 20 training
§ 07 / WHY THIS MATTERS
NIS2 enforcement.
160,000+
EU entities now in scope of NIS2
€10M / 2%
Maximum fine for essential entities (Art. 34)
24 h
Early-warning window for significant incidents
72 h
Incident notification deadline (Art. 23(4)(b))
TREND 01
Management bodies are personally liable
Article 20 makes management bodies responsible for approving the risk-management measures and overseeing implementation. Authorities have begun fining individuals, not just the entity.
TREND 02
Supply chain is the new scope of audit
Article 21(d) requires assessment of direct suppliers and service providers. Authorities now request documented vendor reviews as standard.
TREND 03
Group-level scoping is non-trivial
Subsidiary structures, EU establishment rules, and main-establishment principles drive which authority is competent. Wrong assumptions trigger re-filings.
§ 08 / FAQ
Common questions.
01How do we know if we are in scope?+
Two tests. First, sector: Annex I or Annex II of NIS2. Second, size: above 50 staff or €10M turnover (important) or above 250 staff or €50M turnover (essential). There are also size-independent triggers for certain sectors. We run the assessment in week one.
02We are based outside the EU but serve EU clients. Do we apply?+
Sometimes. Article 26 establishes scope for non-EU providers of specific services (DNS, cloud, datacentre, content delivery, online marketplace, online search, social networking). A representative in the EU may be required under Article 26(3).
03How long does NIS2 implementation take?+
4 to 6 months for a typical mid-market organisation. Two months on scoping, three months on Article 21 measures and reporting workflow, one month on management training and pre-supervisory readiness review.
04What happens at the 24-hour and 72-hour deadlines?+
At 24 hours, we file an early warning indicating suspected malicious cause to the CSIRT or competent authority. At 72 hours, we file the incident notification with updated assessment, indicators of compromise, and initial mitigations. We coordinate both filings, including authority follow-ups.
05Do we need ISO 27001 for NIS2?+
No. NIS2 does not mandate ISO 27001. The two frameworks overlap heavily in technical measures, so a single information security programme satisfies both. ISO 27001 certification is a business decision driven by customer and tender requirements.
06How do you handle group-level scoping?+
We map subsidiaries to sectors and size thresholds, establish main-establishment rules under Article 26, and define group reporting cadence. Where multiple jurisdictions apply, we coordinate the single point of contact and prevent double-filing.
§ 09 / RESOURCES
Templates and guides.
GUIDEPDF · 32 pages
NIS2 Implementation Guide
Article 21 measures translated into 60 practical controls, with reporting workflow templates and management training scripts.
Download ↓EMAIL REQUIRED
GUIDEPDF · 14 pages
Essential vs Important Scoping Decision Tree
Visual decision tree covering sector, size and size-independent triggers. Annexes I and II mapped to common business models.
Download ↓EMAIL REQUIRED
TEMPLATEPDF + DOCX
Article 23 Reporting Templates
Pre-built 24h early warning, 72h notification, and 1-month final report templates. Aligned with current authority guidance.
Download ↓EMAIL REQUIRED
§ 10 / RELATED PRACTICES
Related practices.
Cybersecurity & ISO 27001
Same controls, different framework. ISO 27001 Annex A covers most of NIS2 Article 21 technical measures.
Open practice →Data Protection & GDPR
Same incident, two clocks. GDPR Article 33 layers a 72-hour notification on top of the NIS2 24-hour CERT warning.
Open practice →Incident Response
Pre-built breach playbooks, authority notification templates, crisis-team coordination.
Open practice →11 / GET STARTED
Start your NIS2 programme.
Free initial meeting. Clear next steps. Indicative pricing within one business day.