
NIS2 Compliance
NIS2, without the panic
Gap assessment, remediation plan, and ongoing compliance support. Built by people who know what regulators actually accept.
Most gap assessments delivered within four weeks.
NIS2 is broad. Compliance has to be specific.
NIS2 references twenty-plus control areas across governance, risk, supply chain, incident reporting, and resilience. Most organisations don't know where they stand or where to start. We translate the directive into a concrete programme your team can execute.
What we deliver
Everything you need, nothing you don't
Turn regulation into a plan, not a panic. We help you understand what applies, close the right gaps first, and build the evidence you need to prove it.
Structured assessment against all NIS2 control areas. Findings prioritised by regulatory risk and operational effort.
Twelve to eighteen month roadmap with owned actions, milestones, and budget guidance.
Board mandate, risk register, control ownership, and policy stack required by the directive.
Third-party risk register, supplier security clauses, and ongoing monitoring approach.
Procedures and playbooks for the 24-hour early warning, 72-hour notification, and full report deadlines.
Evidence pack, audit dossier, and rehearsal sessions before the regulator visits.
From scoping to sustained compliance
A structured five-phase programme with clear outputs at every stage
Scope
Confirm in-scope entities, essential vs important classification, and group boundaries.
Assess
Structured gap assessment across all control areas. Interviews, evidence review, and technical sampling.
Report
Findings ranked by risk and effort. Executive summary, technical detail, and prioritised roadmap.
Remediate
We support remediation directly or hand off to your team. Quarterly check-ins to keep momentum.
Sustain
Annual reassessment, ongoing control monitoring, and audit support.
Broader than most organisations expect
NIS2 catches a wider set of organisations than most expect. Scope depends on sector, size, and group structure.
Essential entities
Energy, transport, banking, financial market infrastructure, healthcare, water, digital infrastructure.
- Strictest obligations under the directive
- Supervisory authority oversight by default
Important entities
Postal, waste management, chemicals, food, manufacturing, digital providers, research.
- Ex-post supervisory model
- Same control requirements, lighter inspection regime
Supply chain partners
Suppliers to essential entities feeling the contractual pull from regulated customers.
- Customer-driven NIS2 security requirements
- Supplier security clauses increasingly standard
Pre-emptive adopters
Organisations using NIS2 as a baseline regardless of in-scope status.
- Competitive differentiation with regulated customers
- Future-proofing ahead of scope creep
What organisations ask before starting
Common questions about NIS2 scope, timelines, and how we work.
Scope depends on sector, size, and group structure. We confirm scope as part of the first conversation. Most organisations underestimate which entities are caught.