NIS2 & THE CYBERSECURITY ACT

The supervisor tests whether it works, not whether the list is ticked.

The Cybersecurity Act (Cbw) places final accountability with the board. Article 21 requires appropriate and proportionate measures; article 24 requires the board to actively oversee them. A ticked checklist and an ISO certificate prove that something existed on a given date, not that it works. That difference is exactly what a supervisor looks at.

Frames: NIS2 (EU 2022/2555), Cybersecurity Act art. 21 & 24, DORA
For whom: Board, CISO, security manager
Lead time: Baseline 2-3 weeks, programme 3-6 months

The problem

Compliant on paper is not a record that holds up.

The Act takes effect in 2026. Three patterns get organisations into trouble, not because they do nothing, but because they prove the wrong thing.

Compliance as an end point

A gap analysis, a plan, policy written, certificate obtained. But compliance is a snapshot. The law asks for measures that demonstrably keep working, not for a status you reach once.

ISO 27001 as the full answer

An ISO certificate helps, but ENISA and the supervisor state it plainly: certification helps with NIS2; on its own it does not suffice. The duty of care asks for more than an audit on a reference date.

A board that signs and trusts

Article 24 asks for active oversight, not a signature. A director who signs off on what the CISO or an adviser puts forward and then trusts the rest does not meet the standard, and cannot defend that position when an incident happens.

How we do it

First test what works, then make what matters demonstrable.

We do not tick a checklist. We measure the real state against what the law requires, and build the record that holds up under supervisory scrutiny.

01

Baseline

Which obligations under the Act (Cbw) are covered, which are not, and which measures exist but demonstrably do not work. Not a paper gap analysis, but a test of operating effectiveness.

02

The board in position

Article 24 requires the board to oversee the measures and to meet its training obligation. We deliver the board-language reporting it needs to fulfil that role, and to make and defend the trade-off.

03

Measures that work

We close the gaps between policy and practice, and set up the measures so that they produce evidence of their own. Not merely designed and present, but working under pressure.

04

A cadence that holds

Testing, evidence and reporting as one running cycle, so the record holds on any date. After that it runs on its own, including when the supervisor calls.

What you keep

A record that holds up, not a certificate that expires.

  • Demonstrably working measures, not just documented policy
  • A board that can exercise its oversight duty and meet the training obligation
  • Reporting in board language, not in incident counts
  • An answer to "are we doing enough" that holds up under supervisory scrutiny
  • NIS2, DORA and your existing ISO system connected, not run as separate projects

The distinction

Diagnosis before compliance

The market delivers a gap analysis and a plan. We start with a test of the real state: what is covered, what is not, and which measures exist but do not work.

Demonstrable effectiveness over formal compliance. The supervisor under the Act (Cbw) tests whether measures work under pressure, not whether they exist on paper. And NIS2 does not stand alone: its obligations touch vulnerability management, detection, third-party risk and governance at once. We connect them as one system.

Independent, no tool or platform

We pick no compliance tool and sell no GRC platform. We work on capabilities and outcomes; the instrument is only a means. So the advice is yours, not a vendor's.

Operating effectiveness, not a reference date

The audit principle applied directly: a measure counts only when it holds under pressure, not merely because it existed on the audit date. That is exactly what the law asks.

The board can defend it

Not a report that disappears into a drawer, but material the board can use to make the trade-off, defend it, and show it acted with due care.

Get started

Ready for the Act, or compliant on paper?

No months-long implementation is needed to begin. One conversation in which we establish where you stand against the law, and what it takes to build a record that holds up.

Plan a conversation

30 minutes with a senior, no pitch.

Request a conversation
Call directly: 088 - 163 23 25