About NIS2

The NIS 2 Directive is a set of cybersecurity guidelines and requirements established by the European Union (EU) . It replaces and repeals the NIS Directive (Directive 2016/1148/EC) . The full name of the directive is “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)” .

The NIS 2 Directive aims to improve cybersecurity risk management and introduce reporting obligations across sectors such as energy, transport, health, and digital infrastructure . It provides legal measures to boost the overall level of cybersecurity in the EU .

The directive covers a larger share of the economy and society by including more sectors, which means that more entities are obliged to take measures to increase their level of cybersecurity .

The management bodies of essential and important entities must approve the cybersecurity risk-management measures taken by those entities, oversee its implementation, and can be held liable for infringements .

Who is affected?

The NIS 2 Directive significantly expands the sectors and type of critical entities falling under its scope.

As a ground rule, companies from certain areas that meet these conditions are affected:

Essential Entities (EE):

  • at least 250 employees and
  • 50 Mil € revenue

Important Entities (IE):

  • at least 50 employees and
  • 10 Mil € revenue


NIS 2 covers areas such as

  • Essential Entities:
    • energy (electricity, district heating and cooling, oil, gas and hydrogen);
    • transport (air, rail, water and road); banking;
    • financial market infrastructures;
    • health including  manufacture of pharmaceutical products including vaccines;
    • drinking water;
    • waste water;
    • digital infrastructure (internet exchange points; DNS service providers;
    • TLD name registries; cloud computing service providers;
    • data centre service providers;
    • content delivery networks;
    • trust service providers;
    • providers of  public electronic communications networks and publicly available electronic communications services);
    • ICT service management (managed service providers and managed security service providers), public administration and space.

Important Entities:

    • postal and courier services;
    • waste management;
    • chemicals;
    • food;
    • manufacturing of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers and semi-trailers and other transport equipment;
    • digital providers (online market places, online search engines, and social networking service platforms) and research organisations.

How can we help you prepare for the NIS2 Directive?

As you can see, the NIS2 Directive is a comprehensive and ambitious legislation that aims to improve the cybersecurity resilience of the EU. However, it also poses significant challenges and opportunities for organisations that fall under its scope.

That is why we offer expert consulting services to help you prepare for the NIS2 Directive and achieve compliance in a timely and efficient manner. Our services include:

  • Gap analysis: We will assess your current level of compliance with the NIS2 Directive and identify the gaps and areas for improvement.
  • Action plan: We will develop a tailored action plan to address the gaps and implement the necessary security measures and reporting obligations, based on your specific sector, subsector, or service.
  • Implementation support: We will provide you with the technical and organisational support to execute the action plan and achieve compliance with the NIS2 Directive, including risk management, vulnerability management, supply chain security, incident response, business continuity, and cyber hygiene.
  • Audit and review: We will conduct regular audits and reviews to monitor and evaluate your compliance with the NIS2 Directive and ensure that you maintain a high level of cybersecurity.
  • Training and awareness: We will provide you with training and awareness programmes to enhance your cybersecurity skills and knowledge, as well as to foster a culture of security within your organisation.

By choosing our consulting services, you will benefit from:

  • Expertise and experience: We have a team of certified and experienced cybersecurity consultants who have extensive knowledge of the NIS2 Directive and its requirements, as well as of the best practices and standards in the field.
  • Quality and efficiency: We use proven methodologies and tools to deliver high-quality and efficient consulting services that meet your needs and expectations.
  • Flexibility and adaptability: We tailor our consulting services to your specific situation and context, taking into account your sector, subsector, or service, as well as your size, scope, and resources.
  • Value and satisfaction: We offer competitive and transparent pricing for our consulting services, as well as a guarantee of satisfaction and compliance with the NIS2 Directive.

If you are interested in our consulting services or want to learn more about the NIS2 Directive and how it affects your organisation, please contact us today. We will be happy to assist you and answer any questions you may have.


How will we work ?

  • Have a first discussion with the project responsible from the customer’s side.

In this discussion we will establish which are the departments involved and who is responsible for each area.

  • Set up 2-4h interviews with the responsible of each area. In this process we fill in our questionnaire and calculate the security maturity for each security control.

This process can take several days, depending on the company size and availability of the responsible persons.

  • Create a report in Powerpoint (Executive summary) and Excel (Details about the findings) after the security questionnaire ist finalized.

This process can take 2-3 days, depending on how complexity of the company and the findings.

Our report contains the following:

    • Results of the analysis
      • Risks
      • Recommendations
        • for improvements of the basic cyber security.
        • for additional steps to be taken in order to pass the official audit.
  • Present the findings in a meeting with the management of the company and, ideally, with all responsible persons .