EU compliance that produces
documentation people actually accept.

NIS2 and GDPR are not checkbox exercises. We help you understand what applies to your organisation and produce evidence that works in front of regulators, insurers, and enterprise buyers.

What NIS2 requires

The NIS2 Directive (EU 2022/2555) entered into force in January 2023, and member states had to transpose it into national law by 17 October 2024. It applies to organisations that meet the medium or large size threshold and operate in sectors the Directive classes as essential or important (with some entities covered regardless of size), and its supply chain security requirements extend its reach to your suppliers, not just your own organisation.

Key obligations include risk management measures, incident reporting to the national CSIRT or competent authority (an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month), supply chain security, and management body accountability. Penalties for non-compliance reach up to EUR 10 million or 2% of global annual turnover, whichever is higher, for essential entities, and up to EUR 7 million or 1.4% for important entities.

Risk analysis and information system security policies
Incident handling and reporting to CSIRT or competent authority
Business continuity and crisis management measures
Supply chain security and supplier risk assessments
Cybersecurity training and basic cyber hygiene practices
Management body accountability and oversight

How we approach NIS2 readiness

We start by determining whether NIS2 applies to your organisation and in which member state(s). This is less straightforward than it sounds: sector classification, size thresholds, and the details of national transposition all vary.

Once scope is established, we run a gap analysis against the ten minimum measures in Article 21, produce a risk register and treatment plan, and help you build the documentation you need to demonstrate compliance to BSI (Germany) or the relevant authority in your jurisdiction.

What Article 32 actually requires

Article 32 of the GDPR requires "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk. The standard is proportionate to risk, not prescriptive: what is appropriate for a healthcare provider differs from what is appropriate for a B2B SaaS company.

In practice, regulators and enterprise clients expect to see: access controls, encryption at rest and in transit, a tested incident response procedure, regular security reviews, and documented evidence that you know what data you hold and who has access to it.

Pseudonymisation and encryption of personal data
Ongoing confidentiality, integrity, availability, and resilience
Process for restoring availability after incidents
Regular testing and evaluation of security measures

How we approach GDPR security

Most GDPR security work we see has a documentation problem, not a technical problem. Companies have reasonable controls but cannot demonstrate them clearly, which means they fail client questionnaires and create regulator exposure unnecessarily.

We map your current security controls against what Article 32 requires, identify genuine gaps versus documentation gaps, and produce a record of processing activities and security measures that works for the uses you actually need it for.

Questions we hear most often.

Does NIS2 apply to us?

NIS2 covers both "essential" and "important" entities. Important entities include postal and courier services, waste management, chemicals, food production, digital providers, and several other sectors. Additionally, if you are a supplier to an essential entity, your client's NIS2 obligations create indirect requirements for your own security posture, even if you are not directly covered. A scoping call will clarify your position quickly.

How long does it take?

That depends on the scope and how mature your existing security documentation is. For a company with some existing controls but no structured documentation, a focused GDPR Article 32 evidence package typically takes two to three weeks. We can discuss what timeline is realistic for your situation on a scoping call.

We already have an IT provider. Why do we need a security assessment?

Your IT provider manages your systems. A security assessment evaluates whether those systems, and the way they are configured, expose you to risk, which is a different question. Most IT providers are not security specialists, and their day-to-day work does not produce the evidence NIS2 or GDPR require you to demonstrate. The two are complementary, not substitutes for each other.

How does NIS2 relate to ISO 27001?

ISO 27001 is a voluntary international standard you certify against to demonstrate information security management to clients and partners. NIS2 is an EU legal obligation with regulatory enforcement. They overlap substantially in substance (a company implementing ISO 27001 will address most NIS2 requirements), but they serve different purposes and carry different consequences for failure. Many companies pursue both in parallel, which is efficient if sequenced correctly.

Check your compliance position.

A 30-minute call to understand whether NIS2 applies to you and what GDPR Article 32 requires for your specific situation.

Book a scoping call