NIS2 Compliance Framework
Practical Guide for OT / ICS / IIoT Owners and Operators
Table of contents
Executive summary
Why NIS2 matters to OT/ICS organizations
Quick history & legal milestones (what changed vs NIS1), dates you should know.
Who’s in scope (essential vs important entities, the size-cap, cross-border reach)
Who’s in scope (essential vs important entities, the size-cap, cross-border reach)
Core NIS2 obligations that directly affect OT/ICS teams (governance, risk management, supply chain, reporting)
Who’s in scope (essential vs important entities, the size-cap, cross-border reach)
Incident reporting under NIS2, the practical timeline and what you must be ready to submit
Who’s in scope (essential vs important entities, the size-cap, cross-border reach)
OT/ICS technical priorities mapped to NIS2 (concrete controls & evidence you’ll be asked for)
Who’s in scope (essential vs important entities, the size-cap, cross-border reach)
Supply chain, third parties and managed service providers, what regulators will look for
Who’s in scope (essential vs important entities, the size-cap, cross-border reach)
How regulators will enforce NIS2, governance, management liability and penalties
Who’s in scope (essential vs important entities, the size-cap, cross-border reach)
Practical 12-month NIS2 roadmap for OT/ICS (prioritized actions)
Who’s in scope (essential vs important entities, the size-cap, cross-border reach)
How Shieldworkz helps, mapped services and outcomes (for Energy, Oil & Gas, Manufacturing, Pharma, Transport, Water, Large Process Industry)
Who’s in scope (essential vs important entities, the size-cap, cross-border reach)
Real numbers & trends (investment and risk signals every CISO/OT manager should know)
Who’s in scope (essential vs important entities, the size-cap, cross-border reach)
Get a tailored NIS2 posture snapshot and demo
Who’s in scope (essential vs important entities, the size-cap, cross-border reach)
FAQ, short answers to common questions
Who’s in scope (essential vs important entities, the size-cap, cross-border reach)
NIS2 Compliance Framework
1. Executive summary
NIS2 raised the bar for cybersecurity across the EU, not just for IT but for operational technology (OT), industrial control systems (ICS) and IoT ecosystems that run critical services. For OT owners and operators, NIS2 means formal management accountability, measurable risk-management controls (including supply chain diligence and reporting obligations) and new enforcement expectations. This page explains what regulators will ask for, what evidence to prepare from day one, and how practical industrial controls (asset visibility, network segmentation, continuous monitoring and proven incident playbooks) close the gap between current operations and compliance.
OT Security, or operational technology security, is the practice of protecting critical infrastructure and industrial systems from cyber threats. These systems, which include everything from power grids and water treatment facilities to manufacturing plants and transportation networks, are the backbone of modern society. Unlike traditional IT systems, OT systems are designed to control physical processes and often operate in real-time, making them both unique and highly vulnerable to cyberattacks.
2. Why NIS2 matters to OT/ICS organizations (short, sharp)
OT environments are now a primary target for sophisticated attackers, attacks that aim to disrupt physical processes, not only steal data.
NIS2 treats disruption to availability, integrity or continuity of services as first-order regulatory risk, and OT outages meet that definition.
The Directive makes senior management explicitly accountable for cybersecurity decisions, so OT risk is now a board-level and legal exposure topic.
These changes push OT owners from informal “IT helps us” approaches to measurable, auditable risk programs.
(See Section 9 for governance and management liability.)
3. Quick history & legal milestones, what changed vs NIS1
NIS2 (Directive (EU) 2022/2555) replaces the original 2016 NIS Directive and came into EU law with broader scope and stricter obligations. Member States were required to transpose NIS2 into national law by 17 October 2024; the Directive itself entered into force earlier and NIS1 was repealed when NIS2 applied across the Union.
Two follow-up actions you must know:
In October 2024 the Commission published a detailed Implementing Regulation that sets technical and methodological requirements for certain digital infrastructure and ICT sectors, it clarifies when an incident is “significant” for categories such as cloud, data centres, DNS, MSPs and MSSPs.
ENISA has been publishing detailed technical implementation guidance and mappings to international standards (ongoing guidance that helps translate the Implementing Regulation into practical evidence).
4. Who’s in scope (essential vs important, and the size rule)
NIS2 expanded the list of sectors and introduced a size-cap rule: medium and large organisations in the listed critical sectors are automatically in scope, and Member States can designate smaller entities with high-risk profiles. Sectors explicitly relevant to OT/ICS include energy, electricity generation and transmission, oil & gas, water, transport, manufacturing, health, chemical processing and large process industries. The Directive divides covered entities into Essential Entities (EE) and Important Entities (IE); essential entities face more intensive supervision and stricter enforcement.
Practical takeaway: if your plant is medium or large and operates in energy, manufacturing, transport, water, pharma or similar, assume you are in scope and prepare accordingly.
5. Core NIS2 obligations that directly affect OT/ICS teams
NIS2 requires a set of “appropriate and proportionate” technical, operational and organisational measures. For OT teams this translates into the following categories of evidence and capability:
Governance & accountability
Management bodies must approve, oversee and be trained on cybersecurity risk-management measures. Senior managers can be held liable for breaches or non-compliance. (Plan: board-level briefings, signed cybersecurity policy, training records.)
Risk management & “all-hazards” approach
Risk assessments that consider cyber and physical threats (e.g., sabotage, natural hazards, supplier failures).
Documented risk tolerance, treatment plans and evidence that mitigations are tracked and tested.
Incident handling & reporting
Playbooks, CSIRT contact details and the ability to submit an early warning and follow-up reports per NIS2 timelines (see Section 6). Regulators expect timely evidence of detection and escalation.
Supply chain & third-party security
Due diligence on suppliers (security questionnaires, SLAs, contractual cybersecurity clauses), and monitoring of third-party performance.
Business continuity & crisis management
Backup strategies, restore-time objectives, disaster recovery tests and crisis communications plans that include OT contingencies.
Technical controls (minimum expected)
Asset inventory (including unmanaged OT/IIoT devices) and network flow visibility.
Network segmentation and enforcement of least privilege between IT and OT.
Multi-factor authentication and strong access controls (including for remote maintenance).
Vulnerability management & secure patching processes with documented risk acceptance for legacy devices.
Detection & response: an OT-aware NDR/IDS/EDR capability and an incident response team trained for OT containment and recovery.
These measures mirror Article 21’s requirements and are what auditors will map against during inspections.
6. Incident reporting under NIS2, the practical timeline and required contents
NIS2 tightened notification rules. Practically, regulators require:
Early warning, within 24 Hours of becoming aware of a significant incident: a short notification indicating potential cross-border impact or suspected malicious cause.
Incident notification, within 72 Hours of awareness: an initial assessment with severity, impact, and available indicators of compromise (IOCs).
Progress / intermediate reports, when requested or if the incident is ongoing, as regulators ask for status updates.
Final report, commonly requested within 1 month after the incident or after resolution, including root cause, remediation, and lessons learned.
What to prepare now
Templates for 24-hour and 72-hour reports (pre-filled fields where possible).
Logging & forensic capability so that you can produce IOCs within 72 hours (network flows, EDR/NDR logs, control system logs).
Pre-identified points of contact (CSIRT, competent authority) and communication lines for cross-border incidents.
3. Quick history & legal milestones, what changed vs NIS1
NIS2 (Directive (EU) 2022/2555) replaces the original 2016 NIS Directive and came into EU law with broader scope and stricter obligations. Member States were required to transpose NIS2 into national law by 17 October 2024; the Directive itself entered into force earlier and NIS1 was repealed when NIS2 applied across the Union.
Two follow-up actions you must know:
In October 2024 the Commission published a detailed Implementing Regulation that sets technical and methodological requirements for certain digital infrastructure and ICT sectors, it clarifies when an incident is “significant” for categories such as cloud, data centres, DNS, MSPs and MSSPs.
ENISA has been publishing detailed technical implementation guidance and mappings to international standards (ongoing guidance that helps translate the Implementing Regulation into practical evidence).
4. Who’s in scope (essential vs important, and the size rule)
NIS2 expanded the list of sectors and introduced a size-cap rule: medium and large organisations in the listed critical sectors are automatically in scope, and Member States can designate smaller entities with high-risk profiles. Sectors explicitly relevant to OT/ICS include energy, electricity generation and transmission, oil & gas, water, transport, manufacturing, health, chemical processing and large process industries. The Directive divides covered entities into Essential Entities (EE) and Important Entities (IE); essential entities face more intensive supervision and stricter enforcement.
Practical takeaway: if your plant is medium or large and operates in energy, manufacturing, transport, water, pharma or similar, assume you are in scope and prepare accordingly.
5. Core NIS2 obligations that directly affect OT/ICS teams
NIS2 requires a set of “appropriate and proportionate” technical, operational and organisational measures. For OT teams this translates into the following categories of evidence and capability:
Governance & accountability
Management bodies must approve, oversee and be trained on cybersecurity risk-management measures. Senior managers can be held liable for breaches or non-compliance. (Plan: board-level briefings, signed cybersecurity policy, training records.)
Risk management & “all-hazards” approach
Risk assessments that consider cyber and physical threats (e.g., sabotage, natural hazards, supplier failures).
Documented risk tolerance, treatment plans and evidence that mitigations are tracked and tested.
Incident handling & reporting
Playbooks, CSIRT contact details and the ability to submit an early warning and follow-up reports per NIS2 timelines (see Section 6). Regulators expect timely evidence of detection and escalation.
Supply chain & third-party security
Due diligence on suppliers (security questionnaires, SLAs, contractual cybersecurity clauses), and monitoring of third-party performance.
Business continuity & crisis management
Backup strategies, restore-time objectives, disaster recovery tests and crisis communications plans that include OT contingencies.
Technical controls (minimum expected)
Asset inventory (including unmanaged OT/IIoT devices) and network flow visibility.
Network segmentation and enforcement of least privilege between IT and OT.
Multi-factor authentication and strong access controls (including for remote maintenance).
Vulnerability management & secure patching processes with documented risk acceptance for legacy devices.
Detection & response: an OT-aware NDR/IDS/EDR capability and an incident response team trained for OT containment and recovery.
These measures mirror Article 21’s requirements and are what auditors will map against during inspections.
6. Incident reporting under NIS2, the practical timeline and required contents
NIS2 tightened notification rules. Practically, regulators require:
Early warning, within 24 Hours of becoming aware of a significant incident: a short notification indicating potential cross-border impact or suspected malicious cause.
Incident notification, within 72 Hours of awareness: an initial assessment with severity, impact, and available indicators of compromise (IOCs).
Progress / intermediate reports, when requested or if the incident is ongoing, as regulators ask for status updates.
Final report, commonly requested within 1 month after the incident or after resolution, including root cause, remediation, and lessons learned.
What to prepare now
Templates for 24-hour and 72-hour reports (pre-filled fields where possible).
Logging & forensic capability so that you can produce IOCs within 72 hours (network flows, EDR/NDR logs, control system logs).
Pre-identified points of contact (CSIRT, competent authority) and communication lines for cross-border incidents.
7. OT/ICS technical priorities mapped to NIS2, what inspectors will look for
Below are concrete OT controls and the kind of evidence you should have ready. Each is phraed as what auditosrs will ask for vs what you can show. Regulatory Compliance
Complete asset inventory (IT + OT + IIoT)
Ask: “Where is your definitive list?”
Show: Automated discovery reports, passive OT scanning outputs, SBOMs for edge devices, device classification and ownership fields.
Network topology and segmentation
Ask: “How do you prevent lateral movement?”
Show: Segmentation diagrams, firewall rules, microsegmentation policy, test results from segmentation tests.
Access control & remote access
Ask: “Who can log into controllers and how is that access controlled?”
Show: MFA logs, privileged account lists, remote vendor access jump-host records, session recordings.
Vulnerability management for legacy OT
Ask: “How do you patch systems that cannot be taken offline?”
Show: Risk acceptance forms, compensating controls (virtual patching, network controls), phased rollout plans.
Anomaly detection & continuous monitoring
Ask: “How do you detect process anomalies or unusual traffic?”
Show: NDR/IDS alerts, baseline behaviour models, playbooks correlating OT anomalies with cyber events.
Incident response & tabletop exercises
Ask: “Have you tested your playbooks?”
Show: After-action reports, evidence of simulated attacks, recovery time measurements.
Supply chain security
Ask: “What is the cybersecurity posture of your key suppliers?”
Show: Supplier risk scores, audit reports, contractual cybersecurity clauses, documented penetration testing results for vendor software.
8. Supply chain and third-party risk, why this is now a core focus
NIS2 explicitly requires entities to manage cyber risk across supplier relationships. Regulators expect:
Pre-contract cybersecurity assessments for key suppliers.
Continuous monitoring of critical supplier performance (not only the contract clause).
Evidence that supplier vulnerabilities that could affect service continuity are assessed and mitigated.
For OT owners, the highest risk suppliers are PLC/SCADA vendors, system integrators, cloud providers that host engineering workstations, remote maintenance providers and 3rd-party sensor manufacturers. Use contractual minimum-security clauses, continuous telemetry checks and supplier penetration testing results as evidence. The Commission’s Implementing Regulation clarifies expectations for categories like cloud providers and managed security service providers, meaning regulators would treat an MSP’s weaknesses as potentially causing your non-compliance if you relied on them.
9. Enforcement, management liability, and penalties
NIS2 raised enforcement stakes:
Member States must implement supervisory mechanisms and have powers to require audits, corrective measures and impose fines.
Management bodies must approve cybersecurity measures and are subject to training and potential liability if duties are neglected. The Directive explicitly ties corporate accountability to cybersecurity outcomes.
What this means for OT managers and executives
Prepare documented approvals from the board for cybersecurity budgets and risk decisions. Keep training records.
Treat cybersecurity as a corporate risk, not an engineering “nice-to-have”. Documentation showing management engagement is often the easiest path to show “reasonable steps were taken.”
10. Practical 12-month NIS2 roadmap for OT/ICS (prioritised, with outcomes)
A pragmatic roadmap you can start immediately, prioritize measurable outputs.
Months 0–2: emergency triage
Run passive discovery across OT segments and compile a prioritized inventory.
Create 24-hour / 72-hour incident reporting templates and map local CSIRT contacts.
Run a gap analysis versus Article 21 measures.
Months 2–6: remediation & quick wins
Implement network segmentation and vendor jump-host for remote access.
Deploy passive monitoring + NDR tuned for ICS protocols.
Introduce MFA for all privileged access and document exceptions.
Months 6–9: mature controls
Operationalise vulnerability management (with compensating controls for legacy systems).
Test backups and recovery for key OT systems; conduct at least one tabletop exercise.
Begin supplier audits for top 10 critical vendors.
Months 9–12: evidence & governance
Produce a compliance pack: board-approved policy, risk register, incident evidence, supplier due-diligence files, exercise after-action.
Run a simulated incident and ensure your 24-hour and 72-hour submissions can be produced from logs and SOC/NDR outputs.
Deliverables every quarter: inventory exports, segmentation verification, MFA logs, vulnerability reports, tabletop AAR.
11. How Shieldworkz helps, mapped services and outcomes
Shieldworkz provides OT-aware services designed to deliver the evidence and capabilities regulators want to see, while keeping industrial processes safe and available.
What we deliver (examples mapped to NIS2 obligations):
Full OT asset discovery & continuous inventory (evidence for “asset management”)
Outcome: a single authoritative inventory (including unmanaged IIoT) with ownership and criticality tags, ready for audits.
Industrial Network Detection and Response (NDR) + anomaly detection (evidence for “detection & incident handling”)
Outcome: timely detection of lateral movement and suspicious commands with playbook integration and IOC exports suitable for 72-hour reports.
Vulnerability assessment & compensating control design for legacy OT (evidence for “vulnerability handling and disclosure”)
Outcome: prioritized patching plans, virtual-patching options, and documented risk-acceptance for unsupported devices.
Supply chain security assessments & vendor assurance (evidence for “supply-chain security”)
Outcome: supplier scorecards, contractual control templates, and continuous supplier monitoring plans.
Incident response readiness and tabletop exercises (evidence for “incident handling” + “business continuity”)
Outcome: validated playbooks for OT recovery, test results, and after-action reports.
Supply chain security assessments & vendor assurance (evidence for “supply-chain security”)
Zero Trust design & enforcement across IT/OT boundaries (evidence for “access control and least privilege”)
Outcome: least privilege enforcement across remote vendor sessions and control system access, with audit trails.
Managed OT SOC / 24x7 support (evidence for “monitoring & crisis management”)
Outcome: continuous monitoring, triage and support for timely regulatory notifications.
Why this works for critical sectors
We design services so evidence generation is intrinsic: detection alerts, logs, segmentation proofs and board briefs are produced as part of operations, making compliance an operational outcome, not a separate paperwork task. Shieldworkz aligns controls with IEC 62443 and cross-maps these to NIS2 evidence requirements during pre-audit reviews.
12. Real numbers & trends (what the data tells us)
ENISA’s 2024 investment snapshot reported that information security represents approximately 9% of EU IT investments, a significant increase from prior years, showing organisations are prioritising cybersecurity budgets as regulatory pressure increases.
Supply chain attacks remain a high-probability vector: analysts project a large share of future incidents will leverage third-party software or vendor access to pivot into critical environments. (This is reflected in NIS2’s strong supply-chain focus and the Commission’s Implementing Regulation clarifying expectations for ICT providers.)
Implication: investment is increasing, but so are regulator expectations, the outcome is a shift from point solutions to integrated OT visibility + continuous monitoring approaches.
8. Supply chain and third-party risk, why this is now a core focus
NIS2 explicitly requires entities to manage cyber risk across supplier relationships. Regulators expect:
Pre-contract cybersecurity assessments for key suppliers.
Continuous monitoring of critical supplier performance (not only the contract clause).
Evidence that supplier vulnerabilities that could affect service continuity are assessed and mitigated.
For OT owners, the highest risk suppliers are PLC/SCADA vendors, system integrators, cloud providers that host engineering workstations, remote maintenance providers and 3rd-party sensor manufacturers. Use contractual minimum-security clauses, continuous telemetry checks and supplier penetration testing results as evidence. The Commission’s Implementing Regulation clarifies expectations for categories like cloud providers and managed security service providers, meaning regulators would treat an MSP’s weaknesses as potentially causing your non-compliance if you relied on them.
9. Enforcement, management liability, and penalties
NIS2 raised enforcement stakes:
Member States must implement supervisory mechanisms and have powers to require audits, corrective measures and impose fines.
Management bodies must approve cybersecurity measures and are subject to training and potential liability if duties are neglected. The Directive explicitly ties corporate accountability to cybersecurity outcomes.
What this means for OT managers and executives
Prepare documented approvals from the board for cybersecurity budgets and risk decisions. Keep training records.
Treat cybersecurity as a corporate risk, not an engineering “nice-to-have”. Documentation showing management engagement is often the easiest path to show “reasonable steps were taken.”
10. Practical 12-month NIS2 roadmap for OT/ICS (prioritised, with outcomes)
A pragmatic roadmap you can start immediately, prioritize measurable outputs.
Months 0–2: emergency triage
Run passive discovery across OT segments and compile a prioritized inventory.
Create 24-hour / 72-hour incident reporting templates and map local CSIRT contacts.
Run a gap analysis versus Article 21 measures.
Months 2–6: remediation & quick wins
Implement network segmentation and vendor jump-host for remote access.
Deploy passive monitoring + NDR tuned for ICS protocols.
Introduce MFA for all privileged access and document exceptions.
Months 6–9: mature controls
Operationalise vulnerability management (with compensating controls for legacy systems).
Test backups and recovery for key OT systems; conduct at least one tabletop exercise.
Begin supplier audits for top 10 critical vendors.
Months 9–12: evidence & governance
Produce a compliance pack: board-approved policy, risk register, incident evidence, supplier due-diligence files, exercise after-action.
Run a simulated incident and ensure your 24-hour and 72-hour submissions can be produced from logs and SOC/NDR outputs.
Deliverables every quarter: inventory exports, segmentation verification, MFA logs, vulnerability reports, tabletop AAR.
11. How Shieldworkz helps, mapped services and outcomes
Shieldworkz provides OT-aware services designed to deliver the evidence and capabilities regulators want to see, while keeping industrial processes safe and available.
What we deliver (examples mapped to NIS2 obligations):
Full OT asset discovery & continuous inventory (evidence for “asset management”)
Outcome: a single authoritative inventory (including unmanaged IIoT) with ownership and criticality tags, ready for audits.
Industrial Network Detection and Response (NDR) + anomaly detection (evidence for “detection & incident handling”)
Outcome: timely detection of lateral movement and suspicious commands with playbook integration and IOC exports suitable for 72-hour reports.
Vulnerability assessment & compensating control design for legacy OT (evidence for “vulnerability handling and disclosure”)
Outcome: prioritized patching plans, virtual-patching options, and documented risk-acceptance for unsupported devices.
Supply chain security assessments & vendor assurance (evidence for “supply-chain security”)
Outcome: supplier scorecards, contractual control templates, and continuous supplier monitoring plans.
Incident response readiness and tabletop exercises (evidence for “incident handling” + “business continuity”)
Outcome: validated playbooks for OT recovery, test results, and after-action reports.
Supply chain security assessments & vendor assurance (evidence for “supply-chain security”)
Zero Trust design & enforcement across IT/OT boundaries (evidence for “access control and least privilege”)
Outcome: least privilege enforcement across remote vendor sessions and control system access, with audit trails.
Managed OT SOC / 24x7 support (evidence for “monitoring & crisis management”)
Outcome: continuous monitoring, triage and support for timely regulatory notifications.
Why this works for critical sectors
We design services so evidence generation is intrinsic: detection alerts, logs, segmentation proofs and board briefs are produced as part of operations, making compliance an operational outcome, not a separate paperwork task. Shieldworkz aligns controls with IEC 62443 and cross-maps these to NIS2 evidence requirements during pre-audit reviews.
12. Real numbers & trends (what the data tells us)
ENISA’s 2024 investment snapshot reported that information security represents approximately 9% of EU IT investments, a significant increase from prior years, showing organisations are prioritising cybersecurity budgets as regulatory pressure increases.
Supply chain attacks remain a high-probability vector: analysts project a large share of future incidents will leverage third-party software or vendor access to pivot into critical environments. (This is reflected in NIS2’s strong supply-chain focus and the Commission’s Implementing Regulation clarifying expectations for ICT providers.)
Implication: investment is increasing, but so are regulator expectations, the outcome is a shift from point solutions to integrated OT visibility + continuous monitoring approaches.
13. Get a tailored NIS2 posture snapshot
Regulators don’t want theory, they want evidence. Shieldworkz will deliver a no-obligation NIS2 compliance posture snapshot focused on your OT/ICS environment:
What you get in the snapshot:
Asset inventory health check (OT/IIoT discovery)
Quick segmentation & exposure report (3 critical findings)
24-/72-hour reporting readiness score and checklist
A mapped one-page roadmap (prioritised fixes you can deliver in 90 days)
If you’re in Energy & Utilities, Oil & Gas, Manufacturing, Pharma & Life Sciences, Transport & Logistics, Water or other critical sectors where NIS2 applies, request a demo and a free posture snapshot tailored to your site.
Request a demo
NIS2 isn’t a one-off project but an ongoing programme that requires clear governance, continuous monitoring and active supplier management. Start with asset discovery and reporting readiness, these two steps deliver immediate risk reduction and a credible compliance posture. You don’t have to do everything at once: prioritise measures that reduce outage risk, demonstrate management oversight, and produce verifiable evidence.
Request a Consultation
13. Get a tailored NIS2 posture snapshot
Regulators don’t want theory, they want evidence. Shieldworkz will deliver a no-obligation NIS2 compliance posture snapshot focused on your OT/ICS environment:
What you get in the snapshot:
Asset inventory health check (OT/IIoT discovery)
Quick segmentation & exposure report (3 critical findings)
24-/72-hour reporting readiness score and checklist
A mapped one-page roadmap (prioritised fixes you can deliver in 90 days)
If you’re in Energy & Utilities, Oil & Gas, Manufacturing, Pharma & Life Sciences, Transport & Logistics, Water or other critical sectors where NIS2 applies, request a demo and a free posture snapshot tailored to your site.
Request a demo
NIS2 isn’t a one-off project but an ongoing programme that requires clear governance, continuous monitoring and active supplier management. Start with asset discovery and reporting readiness, these two steps deliver immediate risk reduction and a credible compliance posture. You don’t have to do everything at once: prioritise measures that reduce outage risk, demonstrate management oversight, and produce verifiable evidence.
Request a Consultation
13. Get a tailored NIS2 posture snapshot
Regulators don’t want theory, they want evidence. Shieldworkz will deliver a no-obligation NIS2 compliance posture snapshot focused on your OT/ICS environment:
What you get in the snapshot:
Asset inventory health check (OT/IIoT discovery)
Quick segmentation & exposure report (3 critical findings)
24-/72-hour reporting readiness score and checklist
A mapped one-page roadmap (prioritised fixes you can deliver in 90 days)
If you’re in Energy & Utilities, Oil & Gas, Manufacturing, Pharma & Life Sciences, Transport & Logistics, Water or other critical sectors where NIS2 applies, request a demo and a free posture snapshot tailored to your site.
Request a demo
NIS2 isn’t a one-off project but an ongoing programme that requires clear governance, continuous monitoring and active supplier management. Start with asset discovery and reporting readiness, these two steps deliver immediate risk reduction and a credible compliance posture. You don’t have to do everything at once: prioritise measures that reduce outage risk, demonstrate management oversight, and produce verifiable evidence.
Request a Consultation
Frequently Asked Questions
Q: Do I need to report every cyber incident?
No, NIS2 requires reporting significant incidents (those that cause or can cause severe operational disruption, large financial loss or material/non-material damage). However, you must be ready to submit an early warning within 24 hours for any incident that meets those criteria.
Q: What if my supplier is not in the EU?
Q: Is NIS2 the same as DORA or the AI Act?
Frequently Asked Questions
Q: Do I need to report every cyber incident?
No, NIS2 requires reporting significant incidents (those that cause or can cause severe operational disruption, large financial loss or material/non-material damage). However, you must be ready to submit an early warning within 24 hours for any incident that meets those criteria.
Q: What if my supplier is not in the EU?
Q: Is NIS2 the same as DORA or the AI Act?
Frequently Asked Questions
Q: Do I need to report every cyber incident?
No, NIS2 requires reporting significant incidents (those that cause or can cause severe operational disruption, large financial loss or material/non-material damage). However, you must be ready to submit an early warning within 24 hours for any incident that meets those criteria.