NIS2 compliance for SMEs

We turn a complex legal obligation into a documented, defensible programme. Fixed price, clear milestones.

What problem this solves

NIS2 compliance sits in a difficult space for most firms: it is not a pure technology project, and it is not purely a legal one either. The directive requires management to approve security measures, document your risk management approach, and prove you have the procedures in place to detect and respond to incidents.

Most SMEs do not have a dedicated security team, yet that is exactly the kind of firm NIS2 brings into scope. The directive covers businesses with 50 or more employees or €10 million or more in annual turnover in sectors including digital services, financial services, and managed service providers.

Without a structured programme, you face two risks: regulatory — fines up to €10 million or 2% of global turnover, plus personal liability for directors — and operational, where an incident shuts your business down for days or weeks.

What you get

  • Scope determination: written confirmation of whether your organisation is in scope and under which classification
  • Risk assessment documented to NIS2 Article 21 requirements
  • Incident response procedure tailored to your organisation
  • Supplier and third-party security review
  • Board-ready compliance summary you can show auditors, clients, or regulators
  • Fixed-price project with clear milestones — no hourly billing

What changes after this

  • You have a defensible record of due diligence that protects directors personally
  • You can answer "are you NIS2 compliant?" in writing, to clients or regulators
  • You know exactly what your remaining gaps are and in what order to close them
  • Incident response is no longer improvised

What it costs

This is a fixed-price engagement — no hourly billing, no scope creep surprises. Pricing depends on organisation size and existing security maturity. We scope this in a free 30-minute call before any commitment.


No hidden fees. No ongoing retainer required unless you want one.

How NIS2 compliance works

Scope & gap

We confirm your NIS2 status and map your current position against the 10 Article 21 requirements. Takes 1–2 weeks.

Remediation

We document what's missing, draft the policies and procedures, and work with your team to close the gaps. Typically 4–8 weeks.

Handover

You receive a complete compliance package: risk assessment, policies, incident procedure, and a board-ready summary.

Frequently asked questions

NIS2 covers essential and important entities in critical sectors including digital infrastructure, financial services, legal services, and managed service providers. In Luxembourg, the threshold for most sectors is 50 or more employees or €10 million or more in annual turnover. If you operate a fiduciary, law firm, or IT services company above these thresholds, you are very likely in scope. We confirm your status at the start of every engagement.

At minimum: a documented information security risk assessment, incident response procedures, basic technical controls (access control, patch management, encryption), and the ability to notify authorities within 24 hours of a significant incident. NIS2 is not prescriptive about technology — it is prescriptive about process, documentation, and governance.

For a firm with no existing security programme, expect 3–6 months to reach a defensible baseline. If you already have ISO 27001 or similar, the gap is smaller. We scope this at the start — projects are fixed-price, not hourly.

Yes. NIS2 Article 20 requires management bodies to approve security measures and makes them personally liable for failures. Fines for essential entities can reach €10 million or 2% of global turnover, whichever is higher.

NIS2 does not mandate a specific certification. What it requires is evidence that you have a systematic approach to risk management. ISO 27001 is a credible way to demonstrate this, but it is not compulsory. Our programme produces documentation that satisfies NIS2 requirements directly.

Ready to start your NIS2 compliance project?

We scope every engagement in a free 30-minute call. No commitment, no sales pitch — just a clear picture of where you stand.
