With NIS2, the circle of regulated companies widens considerably: alongside classic KRITIS operators, many "essential" and "important" entities will face stricter obligations on risk management, reporting and evidence. I help you determine whether and how you are affected, and how to set up your measures so they stand up to scrutiny.
Clarifying applicability and scope
The first step is always the question: are you a KRITIS operator, an essential or important entity, or not affected at all? Very different obligations follow from that classification. We delimit the scope cleanly and create clarity on your risk-management, reporting and evidence obligations.
Making measures audit-proof
The required risk-management measures build well on an ISMS aligned with ISO 27001. I check whether your technical and organisational measures meet the requirements and point out concrete gaps, so you can demonstrate compliance robustly to the authorities.
Areas we focus on
- Classification: KRITIS, essential or important entity
- Delineation from DORA and sector-specific rules
- Risk-management measures and security architecture
- Reporting and registration obligations
- Evidence and audit obligations towards the authorities
- Building on an existing ISMS aligned with ISO 27001