The cybersecurity measures NIS 2 expects — operating, and evidenced.
Readiness for the NIS 2 directive as your member state transposes it — risk-management measures, incident-reporting timelines, and management accountability your board can stand behind.
- Senior-led delivery.
- Vendor-independent.
- Evidence-driven reporting.
NIS 2 (Directive (EU) 2022/2555) widened the EU’s cybersecurity baseline to far more sectors and made senior management personally accountable for it. But a directive binds through national law — your obligations come from your member state’s transposition, on its timeline, supervised by its authority.
We get you ready against that national transposition and keep the evidence current — without standing in for your lawyer. We map each measure to a control your team can operate, framed so the management body can demonstrate the oversight NIS 2 now requires of it. Interpretation of how the law applies stays with your counsel.
What NIS 2 requires
Cybersecurity risk-management measures
- The Article 21 baseline — risk analysis, incident handling, business continuity, supply-chain security, vulnerability handling, cryptography, access control, and more — implemented proportionately and evidenced as operating.
Incident reporting on the clock
- The Article 23 workflow to your CSIRT or competent authority: an early warning within 24 hours, an incident notification within 72 hours, and a final report within a month — built so it holds under pressure.
Management accountability & governance
- NIS 2 requires management bodies to approve and oversee the measures, and to be trained on cyber risk. We turn that into board-level governance, reporting, and an evidence trail of the oversight.
Supply-chain security
- Assessing and managing the security of your suppliers and service providers — the area NIS 2 pushed hardest, and where our third-party-risk and due-diligence work plugs straight in.
Scope. We provide compliance evidence and readiness, not legal advice — whether NIS 2 applies to you, and under which national transposition, is your counsel’s call. We hold no supervisory authority and claim none.
When teams call us
The most common moments organisations bring us in for NIS 2:
- Your member state’s NIS 2 transposition has landed (or is about to) and you need to know what actually applies.
- A customer or partner in an essential or important sector is asking for evidence of your cybersecurity measures.
- The board needs to demonstrate the oversight and accountability NIS 2 now requires of management.
- Supply-chain security obligations are flowing down to you from a larger in-scope entity.
What you receive
The HackingByte Engagement Brief
Every service ends in the same three connected artifacts — so exploit, control gap, and business impact tell one story.
- Technical Report: reproducible findings with evidence and per-finding remediation, written for your engineers.
- Executive Risk Brief: the same findings as business risk for leadership and the board — no jargon, no CVSS tables.
- Action Plan: prioritised, owner-assigned, and scoped to what your team can actually deliver.
Timeline
What a typical readiness engagement looks like.
NIS 2 readiness runs to a defined gate. A representative engagement opens with a gap diagnostic against the Article 21 measures — usually a couple of weeks — then mapped controls, an evidence model, and a prioritised remediation plan over the following weeks to a few months. An ongoing programme then maintains the evidence, the incident-reporting readiness, and the supply-chain oversight as a continuing arrangement.
We set the schedule around your real pressure — your national authority’s expectation, a customer’s questionnaire, or a contract — and confirm it during scoping before you commit.
How it’s different
- Grounded in the national transposition — NIS 2 binds through member-state law; we work to the transposition that actually applies to you, not the directive in the abstract.
- Offensive-informed — the same senior team that tests your defences advises on the measures, so “risk-management” reflects how attacks actually succeed.
- Built for the management body — the evidence is shaped so your board can demonstrate the oversight and accountability NIS 2 now demands, not just tick a control list.
Who’s in scope
Essential and important entities — across far more sectors.
NIS 2 sorts in-scope organisations into essential and important entities — a split that drives how strictly you are supervised (proactive supervision for essential, reactive for important) and the penalty ceilings. Scope now reaches energy, transport, banking and financial-market infrastructure, health, drinking and waste water, digital infrastructure, ICT service management, public administration, space, postal and waste management, chemicals, food, manufacturing, digital providers, and research — generally for medium and large organisations, with some entities in scope regardless of size.
Whether you are essential, important, or out of scope — and under which member state — is a legal determination. We help you scope the obligations and build the evidence once that is settled.
Supply-chain security
The supply chain NIS 2 made everyone’s problem.
NIS 2 pushed supply-chain security from good practice to obligation: you must assess and manage the cybersecurity risk of your suppliers and service providers, and the quality of their products and practices. For most organisations that means a real third-party-risk process — not a questionnaire that gets filed. We build the assessment, the contractual expectations, and the ongoing oversight, and where a supplier warrants it, the technical assessment to back the paperwork.
Frequently asked questions
Is NIS 2 a law we comply with directly?
- Not quite. NIS 2 is an EU directive; you comply with your member state’s transposition of it, on that country’s timeline and under its authority. We work to the transposition that applies to you.
Is this legal advice?
- No. We provide compliance evidence and readiness; whether and how NIS 2 applies to you is left to your counsel. We support that work rather than replace it.
We already do ISO 27001 / DORA — does that cover NIS 2?
- Largely, on controls — the measures overlap heavily, so we map one control set across NIS 2, ISO 27001, and DORA, and each obligation becomes an evidence exercise rather than a separate programme. NIS 2’s distinct asks are the reporting timelines, management accountability, and supply-chain scope.
Does NIS 2 apply to our UK operations?
- No — NIS 2 is an EU directive. The UK has its own NIS Regulations 2018 (under reform). If you operate in both, we scope each regime separately; we never pitch NIS 2 as a UK obligation.
Tell us which member state you operate in and the pressure you’re under — we’ll scope NIS 2 readiness against the transposition that actually applies.
Every engagement ends in the same three connected artifacts, and the continuous platforms keep watch between engagements.