Are we in scope or being pulled in?
Separate likely NIS2 exposure from audit, authority, sector, customer, insurer, or supply-chain pressure.
NIS2 readiness support for your business
NIS2 Advisory helps businesses understand what is being asked, what evidence already exists, what is missing, and what to do next.
Before you answer
Whether the pressure comes from NIS2 becoming mandatory, a regulator, an audit, your sector, or a commercial request, the first job is to understand your position.
Separate likely NIS2 exposure from audit, authority, sector, customer, insurer, or supply-chain pressure.
Identify useful evidence across policies, backups, access routines, incidents, suppliers, MSPs, and management reviews.
Spot missing evidence, weak controls, unsafe claims, unclear ownership, and decisions that need review.
Choose the right next step: answer a live request, check readiness, organise evidence, or fix foundations.
Choose the right route
Move from clarity to foundations to evidence before heavier scrutiny arrives. If there is already a live request or you need ongoing upkeep, use the situational routes below.
The Maturity Path
Phase 1 to 3: know where you stand, fix the basics, then organise proof.
Find your NIS2 gaps and get a practical readiness roadmap.
Put ownership, policies, routines, and basic evidence in place before deeper evidence work.
Turn existing controls and evidence into an organised register, gap map, owner list, and audit-ready notes.
Additional routes
Use these when there is a live request now, or when evidence needs to stay current over time.
Prepare evidence-based answers for customers, tenders, insurers, and supply-chain reviews without overclaiming.
Keep registers, evidence notes, actions, and assurance answers current as things change.
How we work
We keep the work focused: understand the NIS2 pressure, gather approved evidence, separate missing proof from missing controls, and package the next step.
Confirm whether the driver is NIS2 applicability, competent authority expectations, sector rules, audit preparation, customer pressure, MSP follow-up, or management concern.
Work from approved documents, exports, screenshots, policies, reports, provider contacts, and guided reviews. Sensitive material is not requested before handling rules are agreed.
Separate missing evidence from missing controls, then assign owners, source notes, decisions, and next actions.
Deliver a readable evidence position, management summary, audit-ready evidence notes, customer-safe answers where relevant, and a practical readiness plan.
FAQ
Straight answers about NIS2 readiness, evidence, scope, and the safest first step.
Start with your sector, size, EU activity, services, and whether customers or regulators treat you as part of an important supply chain. We cannot give a legal determination, but we can help you organise the facts and evidence you need for a better legal, board, customer, or regulator conversation.
Do not guess or overclaim. First identify what the customer is really asking for, what evidence supports your answer, what should not be shared, and what needs legal, management, MSP, or technical review. The safe answer is usually an evidence-based position, not a blanket compliance claim.
Use the time to prepare. Clarify likely exposure, map critical systems and suppliers, confirm who owns cyber decisions, gather existing evidence, and identify the gaps that would be hardest to explain later.
Useful evidence usually includes ownership and management decisions, risk notes, policies, asset and supplier lists, MFA and access review proof, backup and restore evidence, incident response steps, MSP reports, staff awareness records, and review dates.
Not by itself. An MSP may hold important proof, but management still needs to understand responsibilities, approve decisions, track evidence, and know what sits with the provider versus the business. We help turn MSP activity into clear evidence and ownership.
Not by default. The first useful step is usually a focused readiness check or evidence pack, not a full transformation. If the basics are weak, we separate missing evidence from missing controls and give you a practical route for what to fix first.
You should leave with a clear evidence position: what appears ready, what is missing, who owns the next actions, which points need specialist review, and whether the next route is a readiness check, evidence pack, foundations plan, or no project yet.
Free initial call
Discuss your current setup, evidence position, MSP or internal IT dependency, and the most useful next step.