Cybersecurity & NIS2 Compliance Services

NIS2 (Network and Information Systems Security Directive) is an EU directive that sets strict cybersecurity requirements for essential and important entities across 18 sectors — energy, transport, banking, healthcare, digital infrastructure, and more. The EU transposition deadline was October 2024, and Croatia's implementing regulation entered into force in November 2024.

Essential entities are large operators in critical sectors (energy, transport, healthcare, water supply, digital infrastructure) with stricter requirements and fines up to €10M or 2% of annual turnover. Important entities are medium and larger organizations in other covered sectors with fines up to €7M or 1.4% of turnover.

NIS2 fines reach up to €10 million or 2% of annual global turnover for essential entities, and up to €7 million or 1.4% of turnover for important entities. A key change is personal management liability — board members can be temporarily suspended if the organization fails to meet cybersecurity requirements.

NIS2 requires multi-stage reporting: an early warning to the national CERT within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours with a severity assessment, and a final report within one month with detailed analysis and remediation measures.

NIS2 applies to medium and large organizations in 18 sectors: energy, transport, banking, financial markets, healthcare, water supply, digital infrastructure, postal services, waste management, chemicals, food, manufacturing, and digital service providers. If you have 50+ employees or turnover above €10M in a covered sector, NIS2 applies to you.

An incident response plan defines procedures for detecting, responding to, and recovering from cyber incidents. NIS2 requires the ability to report significant incidents within 24 hours, making clearly defined procedures, roles, and communication channels essential for compliance.

ISO 27001 is an international information security management standard that covers many NIS2 requirements. Organizations with ISO 27001 certification have a strong starting point, but NIS2 requires additional measures such as specific incident reporting timelines, supply chain security management, and cooperation with competent authorities.

We start immediately with a gap assessment and critical vulnerability identification. Basic security measures and incident response capabilities are established within the first weeks. Full compliance depends on organization size and IT complexity, but rapid response to critical gaps is our priority from day one.

Yes — the NIS2 directive requires regular security audits and testing. This includes vulnerability assessments, penetration testing, and security control effectiveness verification. For essential entities, competent authorities can conduct their own audits and request compliance evidence at any time.

A cybersecurity risk assessment identifies threats, vulnerabilities, and potential impacts for your organization. NIS2 requires a risk management approach that includes threat analysis, technical and organizational measures, and regular reassessment. It forms the foundation for all other security measures.