NIS2 readiness for essential and important entities.
Article 21 controls, mapped to your actual stack.
We help essential and important entities — energy operators, banks, healthcare providers, MSPs, digital infrastructure — get from board-level awareness to defensible Article 21 evidence. The deliverable is a control map, a gap register, and a sequenced 90-day plan, not another deck.
NIS2 is not the old directive.
The 2023 transposition deadline passed in October 2024 and most Member State laws are now in force. The scope shifted: NIS2 covers roughly ten times as many entities as the original NIS Directive, the sectoral list grew to eighteen, and the line between essential and important now turns on size thresholds, not voluntary registration. If you operate critical infrastructure, run an MSP, sit anywhere in the financial supply chain, or process public-administration data inside the Union, the regulator's working assumption is that you are in scope until you prove otherwise.
The clauses that bite hardest in practice are Article 21 — the ten cybersecurity risk-management measures — and Article 23, which compels notification of significant incidents within twenty-four hours of awareness, a full report within seventy-two, and a final report within one month. We see most newly in-scope organisations underestimate Article 21(2)(d) on supply-chain security and Article 20 on management body accountability. Boards are now personally accountable. Training is a documented obligation, not a checkbox.
The pattern we recommend starts from the assumption that you already have most of the controls in fragments: an ISO 27001 footprint here, a SOC 2 audit there, fragmentary supply-chain risk reviews from a procurement team. The work is consolidation against the Article 21 frame, evidence collection that survives a competent-authority audit, and an incident playbook that hits the regulator's clock without leaking through PR or legal review.
From legal text to defensible posture.
- 01. Scope determination and entity classification.
We confirm whether you fall under Annex I (essential) or Annex II (important), apply the size-cap rules, and identify the lead competent authority in each Member State where you operate. Multi-country groups need this resolved before the gap analysis — the regulator you report to changes the controls you prioritise.
- 02. Article 21 control mapping.
We work through the ten control families clause by clause and map each to existing artefacts — your ISMS, your IR runbooks, your supply-chain assessments, your business continuity plan. Where you have evidence, we file it. Where you do not, the gap goes on the register with an owner and a date.
- 03. Incident reporting machinery.
The twenty-four-hour early-warning, seventy-two-hour notification, and one-month final report sequence is mechanical when wired correctly and chaotic when not. We instrument the SOC pipeline, draft templated submissions to the national CSIRT, and rehearse the clock with the leadership team.
- 04. Supply-chain risk assessment.
Article 21(2)(d) is where most organisations stall. We build the supplier inventory keyed to data sensitivity and operational dependency, classify each tier, contractually impose flow-down obligations, and define monitoring cadence. This is where the work feels less like compliance and more like procurement engineering.
- 05. Management body briefing and training evidence.
Article 20 makes board members personally liable for failure to oversee Article 21 controls. We deliver the briefing, draft the training programme, and produce attendance and competence evidence that survives the audit. Boards do not want to learn this clause from the regulator.
The clauses that drive the work.
NIS2 is dense but compressible. The substance lives in Articles 20 through 24. Article 20 establishes management accountability and the training obligation. Article 21 lists the ten cybersecurity risk-management measures — risk analysis, incident handling, business continuity, supply-chain security, secure development, vulnerability handling, effectiveness assessment, cyber hygiene and training, cryptography, access control and asset management. Article 23 fixes the incident reporting timeline. Article 24 enables certification schemes and Article 29 enables information sharing.
The implementing acts that landed in late 2024 added precision for digital infrastructure, MSPs, and managed security service providers. The control language tightens around vulnerability disclosure, network segmentation, and supplier monitoring. We work from the consolidated text plus the national transposition for each jurisdiction you operate in — the Swedish, German, Dutch, and Irish laws diverge in penalties, registration mechanics, and competent authority routing.
- Article 20 — management body approval, oversight, and training obligation
- Article 21(2)(a–j) — the ten cybersecurity risk-management measures
- Article 21(2)(d) — supply-chain security with flow-down requirements
- Article 23(4) — 24h early warning, 72h notification, one-month final report
- Article 24 — voluntary use of European cybersecurity certification schemes
The end state we drive toward.
A defensible Article 21 posture, evidence files indexed to clause, an incident reporting pipeline that hits the regulator's clock, and a board that can speak to the controls without scripted prompts.
- 100%: Article 21 sub-clauses with evidence
- <24h: Early-warning submission window
- <2h: Incident detection-to-triage
- 4×/yr: Board oversight cadence
Illustrative, drawn from published architectures and forthcoming engagements. Specific outcomes depend on entity size, sectoral classification, and the maturity of existing ISMS controls.
Scoped NIS2 readiness assessment.
Send us your entity classification (or the question of whether you have one), the Member States you operate in, and your existing ISMS posture. We come back with a fixed-scope assessment proposal and a sample gap register inside ten working days.