NIS2 Compliance

NIS2, without the panic

Gap assessment, remediation plan, and ongoing compliance support. Built by people who know what regulators actually accept.

Most gap assessments delivered within four weeks.

NIS2 is broad. Compliance has to be specific

NIS2 references twenty-plus control areas across governance, risk, supply chain, incident reporting, and resilience. Most organisations don't know where they stand or where to start. We translate the directive into a concrete programme your team can execute.

What we deliver

Everything you need, nothing you don't

Turn regulation into a plan, not a panic. We help you understand what applies, close the right gaps first, and build the evidence you need to prove it.

Gap Assessment

Structured assessment against all NIS2 control areas. Findings prioritised by regulatory risk and operational effort.

Remediation Roadmap

Twelve to eighteen month roadmap with owned actions, milestones, and budget guidance.

Governance Setup

Board mandate, risk register, control ownership, and policy stack required by the directive.

Supply Chain Review

Third-party risk register, supplier security clauses, and ongoing monitoring approach.

Incident Reporting

Procedures and playbooks for the 24-hour early warning, 72-hour notification, and full report deadlines.

Audit Preparation

Evidence pack, audit dossier, and rehearsal sessions before the regulator visits.

From scoping to sustained compliance

A structured five-phase programme with clear outputs at every stage

1. Scope

Confirm in-scope entities, essential vs important classification, and group boundaries.

2. Assess

Structured gap assessment across all control areas. Interviews, evidence review, and technical sampling.

3. Report

Findings ranked by risk and effort. Executive summary, technical detail, and prioritised roadmap.

4. Remediate

We support remediation directly or hand off to your team. Quarterly check-ins to keep momentum.

5. Sustain

Annual reassessment, ongoing control monitoring, and audit support.

Broader than most organisations expect

NIS2 catches a wider set of organisations than most expect. Scope depends on sector, size, and group structure.

Essential entities

Energy, transport, banking, financial market infrastructure, healthcare, water, digital infrastructure.

  • Strictest obligations under the directive
  • Supervisory authority oversight by default

Important entities

Postal, waste management, chemicals, food, manufacturing, digital providers, research.

  • Ex-post supervisory model
  • Same control requirements, lighter inspection regime

Supply chain partners

Suppliers to essential entities feeling the contractual pull from regulated customers.

  • Customer-driven NIS2 security requirements
  • Supplier security clauses increasingly standard

Pre-emptive adopters

Organisations using NIS2 as a baseline regardless of in-scope status.

  • Competitive differentiation with regulated customers
  • Future-proofing ahead of scope creep

What organisations ask before starting

Common questions about NIS2 scope, timelines, and how we work.

Scope depends on sector, size, and group structure. We confirm scope as part of the first conversation. Most organisations underestimate which entities are caught.

Let's talk

Start with a gap assessment

Discovery call this week. Scoped assessment.