The NIS2 directive requires essential and important entities to implement cybersecurity measures. From risk assessments to incident response plans, we start immediately and deliver audit-ready evidence.

NIS2 applicability assessment, gap analysis, and compliance plan with clear milestones.
Critical asset identification, threat assessment, and risk management strategy development.
Infrastructure audits, vulnerability testing, and security control verification.
Procedures for detecting, responding to, and recovering from cyber incidents.
Supplier and partner security risk assessments per NIS2 directive requirements.
Employee training programs on cyber threats, phishing, and security best practices.
The NIS2 directive introduces strict sanctions for non-compliant entities across the EU:
Essential entities: up to €10M or 2% of annual turnover. Important entities: up to €7M or 1.4% of turnover. Management is personally liable.
NIS2 introduces personal liability for management — including temporary suspension from exercising managerial functions.
A cyber incident without a response plan can halt operations for days. Average downtime cost for large enterprises exceeds €9,000 per minute.
Authorities can conduct audits, demand compliance evidence, and order corrective measures — with public disclosure of findings.
The NIS2 directive applies to essential and important entities across 18 sectors throughout the EU.
We determine whether your organization is an essential or important entity, map your IT infrastructure, and identify gaps against NIS2 requirements.
We build a detailed plan with timelines, responsibilities, and implementation sequence prioritized by risk level.
We establish technical and organizational measures: security policies, access controls, incident response plans, and employee training.
Regular reviews, policy updates, and incident response plan testing. We provide continuous support for regulator communications.

NIS2 (Network and Information Systems Security Directive) is an EU directive that sets strict cybersecurity requirements for essential and important entities across 18 sectors — energy, transport, banking, healthcare, digital infrastructure, and more. The EU transposition deadline was October 2024, and Croatia's implementing regulation entered into force in November 2024.
Essential entities are large operators in critical sectors (energy, transport, healthcare, water supply, digital infrastructure) with stricter requirements and fines up to €10M or 2% of annual turnover. Important entities are medium-sized and larger organizations in other covered sectors with fines up to €7M or 1.4% of turnover.
NIS2 fines reach up to €10 million or 2% of annual global turnover for essential entities, and up to €7 million or 1.4% of turnover for important entities. A key change is personal management liability — board members can be temporarily suspended if the organization fails to meet cybersecurity requirements.
NIS2 requires multi-stage reporting: an early warning to the national CERT within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours with a severity assessment, and a final report within one month with detailed analysis and remediation measures.
NIS2 applies to medium and large organizations in 18 sectors: energy, transport, banking, financial markets, healthcare, water supply, digital infrastructure, postal services, waste management, chemicals, food, manufacturing, and digital service providers. If you have 50+ employees or turnover above €10M in a covered sector, NIS2 applies to you.
An incident response plan defines procedures for detecting, responding to, and recovering from cyber incidents. NIS2 requires the ability to report significant incidents within 24 hours, making clearly defined procedures, roles, and communication channels essential for compliance.
ISO 27001 is an international information security management standard that covers many NIS2 requirements. Organizations with ISO 27001 certification have a strong starting point, but NIS2 requires additional measures such as specific incident reporting timelines, supply chain security management, and cooperation with competent authorities.
We start immediately with a gap assessment and critical vulnerability identification. Basic security measures and incident response capabilities are established within the first weeks. Full compliance depends on organization size and IT complexity, but rapid response to critical gaps is our priority from day one.
Yes — the NIS2 directive requires regular security audits and testing. This includes vulnerability assessments, penetration testing, and security control effectiveness verification. For essential entities, competent authorities can conduct their own audits and request compliance evidence at any time.
A cybersecurity risk assessment identifies threats, vulnerabilities, and potential impacts for your organization. NIS2 requires a risk management approach that includes threat analysis, technical and organizational measures, and regular reassessment. It forms the foundation for all other security measures.
Free initial meeting to assess NIS2 applicability and your current cybersecurity posture. We start immediately.