
EU Directive (EU) 2022/2555 – NIS2
Cybersecurity legislation within the European Union, as with the GDPR, applies on a broad basis — extending obligations to any organisation that operates within or provides essential or important services to the EU market.
The EU NIS2 Directive significantly expands the scope and stringency of cybersecurity and resilience requirements across sectors.
To understand the complexities of NIS2 compliance in more depth, see our blog post: https://quantar.tech/nis2-a-tangled-web-for-eu-regulatory-compliance/
We provide expert consultancy to help your organisation meet the compliance and operational resilience requirements of the EU NIS2 Directive, using best practices aligned with NIST, ISO27001, ENISA guidance, and national implementation standards.
Our services include full NIS2 gap analysis, risk assessment, and compliance auditing, ensuring your cybersecurity governance and controls align with EU-wide expectations.
NIS2 Summary
The EU NIS2 Directive (Directive (EU) 2022/2555) came into force in 2023, replacing the original NIS Directive to strengthen Europe’s cybersecurity posture.
It expands coverage to more sectors, including energy, transport, banking, finance, health, digital infrastructure, ICT service management, and manufacturing, among others.
NIS2 requires organisations to:
- Implement comprehensive cybersecurity risk management and governance measures.
- Report significant incidents within strict timeframes (initial notice within 24 hours, final report within one month).
- Ensure supply chain security and third-party risk management.
- Appoint responsible management personnel for cybersecurity oversight.
- Maintain incident response, business continuity, and crisis management plans.
- Undergo regular audits and assessments by national competent authorities.
Non-compliance can result in substantial administrative fines (up to €10 million or 2% of global turnover), personal liability for executives, and reputational damage.
Our NIS2 Compliance Approach
Cybersecurity Risk & Resilience Assessment
- Identify and assess risks to network and information systems.
- Conduct Business Impact Analysis (BIA) aligned with NIS2 Articles 21–23.
- Map systems, assets, and dependencies critical to essential or important services.
- Develop and implement risk-based controls to meet NIS2 standards.
Governance & Compliance Framework Development
- Define roles and responsibilities for cybersecurity governance.
- Create governance structures ensuring accountability at management level.
- Develop policies and procedures covering:
  - Access control and identity management
  - Incident detection and response
  - Data backup and recovery
  - Network and system monitoring
  - Supply chain and third-party management
  - Business continuity and crisis response
- Implement an internal reporting and escalation framework for security incidents.
- Support board-level awareness and training for NIS2 obligations.
Legal & Regulatory Compliance
- Interpret national transpositions of the NIS2 Directive.
- Align with related frameworks such as GDPR, DORA, and the Cyber Resilience Act.
- Prepare compliance documentation and evidence for audits.
- Support you in preparing reports and communications for national authorities (CSIRTs, competent authorities).
How We Work
Step 1 – Initial Consultation
We begin with a scoping discussion to define your NIS2 exposure, sector classification (essential or important entity), and current cybersecurity maturity level.
Step 2 – Gap Analysis & Statement of Works
We produce a detailed gap analysis and Statement of Works, integrating both Agile (DSDM) and PRINCE2 methods for flexible project delivery.
Step 3 – NIS2 Compliance Audit
Our experts conduct a risk-based audit aligned with ISO27001, NIST CSF, and ENISA recommendations, identifying control gaps and priorities.
Step 4 – Implementation & Governance Support
We assist in the implementation of required controls, governance frameworks, policies, and training programs.
Step 5 – Continuous Improvement & Monitoring
We provide ongoing support to sustain compliance, including regular review, internal audit preparation, and reporting alignment with evolving national and EU cybersecurity requirements.
Our Expertise
Our NIS2 consultancy combines over 25 years of experience in cybersecurity, IT auditing, and compliance frameworks, across both commercial and governmental sectors.
We bring:
- Deep expertise in network and information security
- Proven risk management and cyber governance experience
- Regulatory knowledge of EU cybersecurity law
- Strong background in controls design, auditing, and implementation
- Project management proficiency (Agile, PRINCE2)
Frameworks & Standards We Use
We integrate globally recognised standards to ensure your compliance aligns with best practice, including:
- ISO27001 / ISO27005 (Information Security Management & Risk)
- NIST Cybersecurity Framework (CSF)
- ENISA Guidance
- CIS Controls
- SCF (Secure Controls Framework)
Our Objective
To help your organisation achieve and sustain NIS2 compliance by building resilient, well-governed, and secure systems — protecting your services, data, and reputation while meeting all EU cybersecurity regulatory obligations.
For assistance in managing your European regulatory operating environment, whether NIS2, DORA or the EU AI Act, contact our team.
Main: +44 0203 286 7624
UK: +44 (0) 745 9264240
EU: +32 (0) 477 30.66.38