NIS2 isn't paperwork. It's defences that work.
We help meet the technical and organizational requirements of the NIS2 directive — from a gap audit, through immutable backups and a tested recovery plan, to incident monitoring and procedures. We handle the IT side, not legal advice.
A regulation that comes down to one thing: survive the incident
NIS2 extends cybersecurity obligations to a far wider set of companies and their suppliers. In practice it's about being able to keep operating after an attack, outage or breach — and to report the incident on time. It isn't a one-off audit for the drawer; it's a set of capabilities you have to build and maintain.
What we do
- Gap audit — current state versus NIS2 requirements, with priorities
- Immutable, offsite backups resilient to ransomware
- Tested disaster recovery plan with a defined RTO and RPO
- Access control, MFA, clean permission management
- Monitoring and incident detection (24/7)
- Hardening of servers, networks and workstations
- Documented incident response and reporting procedures
How we work
- Audit — gap analysis and a report with a list of risks
- Plan — what to implement first, schedule and cost estimate
- Implementation — defences, backup, DR, procedures
- Maintenance — monitoring, recovery tests, procedure updates
Compliance is a continuous state. We reach it in a project, then maintain it — because an audit from a year ago won't stop today's incident.
Frequently asked questions
Does my company even fall under NIS2?
The directive covers a much wider set of entities than its predecessor — including many service providers, manufacturers and supply-chain companies, mid-sized ones too. If you're unsure, in the opening audit we help establish whether and to what extent it applies. We don't provide legal advice — we handle the technical and organizational side.
What do you technically need to be compliant?
Most often: backups resilient to incidents (immutable, offsite), a tested recovery plan, access control and MFA, monitoring and incident detection, system hardening, and documented procedures. NIS2 also requires the ability to report an incident within a set timeframe — that's a procedure, not just a tool.
Where do we start?
With an audit that shows the gap between your current state and the requirements. You get a list of gaps ranked by risk and a remediation plan with priorities — then you know what to do first and what it costs.
Is this a one-off or ongoing?
Both. We can bring the environment into compliance as a project, then keep it there on a retainer — because NIS2 is a continuous state, not a one-time certificate. Monitoring, recovery tests and procedure updates have to keep happening.
Not sure if NIS2 applies to you or what you need?
Free consultation — we'll check the scope and show you where to start.
Free consultation →