NIS2 readiness
From NIS2 scoping to a board that can defend the programme, in one focused engagement.
NIS2 is the regulation Norwegian buyers ask about most, partly because the transposition timeline keeps moving. The work itself does not move. Here is what an essential or important entity has to deliver, and how I run a programme that lets the board stand behind it.
What we deliver
- Scoping
Determines whether the entity is essential or important, and which obligations apply.
- Gap analysis against the core controls
We assess your existing controls against NIS2's core requirements and produce a prioritised list of what needs to close before the next supervisory visit.
- Risk management and governance
We build the risk register, write the policies your security team can actually use, and name a control owner for every requirement.
- Incident reporting
We build the decision tree for early warning, the 24- and 72-hour notifications, and the final report.
- Supply chain
Maps and governs security risk from critical suppliers and managed service providers.
- Board accountability
We design the board's reporting cadence, run the required training, and document oversight so the management body can stand behind the programme.
How we deliver this service
- In a project
Readiness assessment and roadmap with clear owners and dates.
- In a role at the customer
Programme owner inside the organisation through the Norwegian transposition.
- As part of a service
Included in the Secured by FM CyberSecurity bundle as an ongoing compliance programme.
Recent insights on NIS2 readiness
- What the EU Cyber Resilience Act is, and who it covers
The CRA is an EU law that ties cybersecurity rules to CE marking, so a product with digital elements cannot enter the EU market without it.
- What ISO 27001 Lead Implementer certification means for your project
An ISO 27001 Lead Implementer builds your ISMS; a Lead Auditor checks it. Hire the wrong role and your certification project stalls.
- From compliance burden to competitive advantage
How leadership teams move from compliance uncertainty to documented control, with evidence that holds up under investor, customer, or regulatory due diligence.