EU Directive 2022/2555 · In force since October 2024

NIS 2 — The new European cybersecurity standard

Transposed across EU member states since October 2024, NIS 2 drastically expands the scope of obligated organisations and tightens requirements. Does your organisation fall within its scope?

What is it and who does it affect?

NIS 2 replaces the NIS 1 directive and quadruples the number of obligated sectors. It affects both essential entities (energy, transport, banking, healthcare, digital infrastructure, water, public administration, space) and important entities (food, critical manufacturing, postal services, chemicals, waste, digital providers, R&D).

Applicability threshold: medium and large companies (more than 50 employees or more than €10M turnover) in affected sectors. Fines reach up to €10 million or 2% of annual global turnover for essential entities.

🔑 Key change: senior management is personally liable for compliance. The board of directors must approve risk management measures and may be held responsible in the event of non-compliance.

Core obligations

  • Risk management — Documented risk-based cybersecurity policy, reviewed periodically.
  • 24-hour notification — Early warning to the national CSIRT within the first 24h, detailed report within 72h.
  • Supply chain security — Risk assessment of critical suppliers and technology partners.
  • Business continuity — Incident recovery plans, backups, crisis management.
  • Training and executive accountability — Management must receive specific training and assume personal responsibility.
  • Encryption and access controls — Use of cryptography, multi-factor authentication and least-privilege access.

How we help you comply with NIS 2

This is not a one-off project: it is a continuous compliance and improvement programme. We adapt our intervention to wherever your organisation currently stands.

NIS 2 Diagnostic

Structured gap analysis against the directive's requirements. We identify your current maturity level, missing controls, and deliver a prioritised compliance roadmap by risk and cost.

Deliverable: Gap report + Roadmap

Continuous Compliance

Monthly managed service: progressive implementation of controls, compliance reviews, policy updates and automated evidence collection to facilitate audits at any time.

Model: Monthly retainer

Incident Management & Notification

NIS 2-aligned incident response protocol: alerts to the national CSIRT within the first 24h, detailed technical report within 72h and final report at 30 days. We minimise regulatory risk and operational impact.

Availability: 24/7

vCISO for NIS 2

Virtual CISO on a part-time basis: we take on technical and regulatory accountability toward management and regulators. Ideal for organisations without an internal CISO that need to cover the executive liability required by the directive.

Model: Fractional senior CISO

Training for Management and Teams

NIS 2 requires the board of directors to receive specific cybersecurity training. We design tailored programmes for senior management, middle management and technical teams, with attendance certificates to evidence compliance.

Format: In-person, online or hybrid

Supply Chain Security

NIS 2 requires you to assess the risk of your suppliers and technology partners. We conduct security audits of critical third parties, define contractual compliance clauses and establish continuous supply chain risk review processes.

Deliverable: Supplier register + risk scoring

Is your company within the scope of NIS 2?

Carry out an initial diagnostic with us and learn your actual position within 48 hours.

Request Free NIS 2 Diagnostic