NIS2 Directive

NIS2 services, matched to where you are today.

Organisations do not all need the same NIS2 support. Some need to establish whether they are in scope and where to begin. Others need independent assurance that their compliance position is credible. Some need a structured programme that can move from regulatory interpretation to governance, implementation and sustained compliance.

Choose your starting point

Three NIS2 engagement options.

Each engagement is designed to produce board-ready findings, prioritised actions and evidence that can support management oversight.

5-day diagnostic

NIS2 Diagnostic

Understand whether NIS2 applies to you, how much work is involved, and how to structure your response from the start.

  • Entity scoping and applicability
  • Readiness review against NIS2 security requirements
  • Estimate of programme size, complexity and effort
  • Recommended mobilisation roadmap
Output: A concise diagnostic summary with scope view, priority actions and mobilisation roadmap.

Start with a diagnostic

Independent assurance

NIS2 Compliance Verification

Test whether your NIS2 position is credible, well-evidenced and ready for leadership, audit or supervisory review.

  • Review of governance, controls and accountability
  • Assessment of evidence quality and traceability
  • Independent challenge of compliance status
  • Prioritised remediation actions
Output: An independent readiness view with evidence findings, challenge points and prioritised remediation actions.

Verify your readiness

Full programme

NIS2 Programme Design

Build the governance, ownership model and delivery structure for a practical, sustained NIS2 programme.

  • Programme governance and workstream design
  • Control ownership and accountability model
  • Evidence framework and reporting cadence
  • Implementation roadmap and prioritisation
Output: A programme design covering governance, ownership, evidence and delivery workstreams.

Discuss programme design

Thought leadership

NIS2 frameworks.

The engagement options above are delivered using two proprietary frameworks. Executive briefings for each are available to download below.

Common questions

NIS2 FAQ.

NIS2 applies to public and private entities in one of the 18 sectors listed in Annex I or Annex II of the Directive, provided the entity is at least a medium-sized enterprise under the EU SME definition: 50 or more employees, or an annual turnover and an annual balance sheet total that both exceed €10 million. Certain categories fall within scope regardless of size. Where the organisation operates across multiple EU Member States, scope must be assessed against each country's national transposition legislation separately, as Member States have implemented the Directive in different ways.

The sector and size criteria are a starting point, not a definitive answer. National competent authorities retain the power to designate additional entities beyond the standard thresholds. If your organisation operates in energy, transport, banking, financial infrastructure, healthcare, water, digital infrastructure, or a number of other sectors, a scope analysis is the right first step.

For essential entities, infringements of the Article 21 security obligations or Article 23 incident notification requirements can attract fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities, the maximum is €7 million or 1.4% of worldwide annual turnover. The calculation basis is worldwide turnover, not EU revenue alone.

Beyond fines, NIS2 introduces personal accountability provisions. Natural persons with managerial responsibility can be held personally liable. For essential entities, competent authorities can request a court to temporarily prohibit a chief executive officer or legal representative from exercising their functions where prior enforcement measures have proved ineffective. Board-level engagement is a legal requirement, not a governance preference.

Article 21 sets out ten categories of security measure: risk analysis and information system security policies; incident handling; business continuity (including backup management, disaster recovery and crisis management); supply chain security; security in system acquisition, development and maintenance, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene and cybersecurity training; cryptography and, where appropriate, encryption; human resources security, access control and asset management; and multi-factor or continuous authentication together with secured communications. These are ongoing obligations, not a one-time checklist.

Article 23 adds strict notification timelines for significant incidents: an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours (including an initial assessment of severity and impact and any indicators of compromise), and a final report no later than one month after that 72-hour notification, with intermediate updates on request. Article 20 places specific obligations on the management body to approve the security measures and oversee their implementation, requires its members to undergo cybersecurity training, and makes them liable where the entity infringes Article 21.

Internal teams cannot easily challenge their own work or produce an independent view of the compliance position. NIS2 carries personal liability for management body members: a board that has relied entirely on internal self-assessment is in a weaker position if a supervisory authority asks difficult questions. External involvement also brings direct programme experience, including how to sequence workstreams, where programmes of this type typically lose coherence, and what a supervisory authority expects to find.

The diagnostic is a deliberately bounded starting point. Five working days, spread over two to three weeks, produces a clear picture of scope, readiness, and what a programme needs to look like before any further investment is made. It is a low-commitment way to establish whether, and how, external support adds value.

Organisations that have already started NIS2 work can still engage: the three engagements are designed for different starting positions. The NIS2 Compliance Verification is for organisations that have done substantive work and need an independent view of whether the position is credible, well-evidenced, and ready for leadership, audit, or supervisory review. It is not a restart: it works with what already exists, identifies where the gaps are, and produces a prioritised remediation view.

Where the work underway is a programme that needs better structure, governance, or delivery design, the Programme Design engagement can provide that without displacing what has already been built. The starting point is a conversation about where things currently stand.

The work is not limited to one sector. It covers the full range of NIS2 sectors, from energy, transport, and healthcare to digital infrastructure, financial services, and public administration. Sector matters because the applicable national transposition, the relevant competent authority, and the supervisory expectations vary between sectors as well as between jurisdictions.

Multinational engagements are a regular part of the work. Where an organisation operates across multiple EU Member States, the programme needs to account for genuine legal variation between national implementations rather than treating one jurisdiction as the default for all. Each entity's position is mapped against the applicable national law rather than a single-country template.

The starting point is a 20-minute advisory call to understand the organisation's current position and which engagement makes sense. There is no obligation following that call.

If a diagnostic is the right next step, the pre-work is modest: a document request covering corporate structure, service descriptions, headcount and turnover figures, existing legal analysis, and current governance and policy documents. The diagnostic itself requires targeted sessions with the legal lead, CISO, and relevant functional and operational leads. Most participants are involved for one to three hours each across the five days, not full-day commitments.

A full programme runs for twelve to twenty-four months depending on the organisation's starting position, structure, and jurisdictional spread. The diagnostic, which comes first, takes five working days spread across two to three weeks.

The programme does not require operational leads to step away from their day roles. It requires a named executive sponsor with genuine decision authority, a programme manager with dedicated time, and part-time participation from functional leads who will own their workstreams as business as usual after the programme closes. The most demanding phase for the internal team is the gap assessment and initial design work. The later delivery workstreams are largely run by the internal team, with external support focused on governance, challenge, and course correction.

20-minute advisory call

Not sure where your organisation stands on NIS2?