NIS2 is the updated EU cybersecurity directive (Directive (EU) 2022/2555) that expands and tightens requirements for the security of networks and IT systems across 18 sectors (energy, transport, healthcare, financial markets, digital infrastructure, public administration, ICT outsourcing, etc.).
It applies at the EU level and is transposed into Member States’ national laws. Key dates: entered into force on 16 Jan 2023; transposition deadline - 17 Oct 2024.

Current status (as of 5 Nov 2025): NIS2 is operational via national laws across the EU. The European Commission has initiated measures against lagging transpositions, but the requirements and the incident-reporting model (early warning within 24 hours, notification within 72 hours, and a final report within 1 month) are already embedded and used by regulators and CSIRTs.

Who is in scope: all large and medium-sized organisations in the affected sectors, classified as essential and important entities. The list and categorisation are defined in the directive’s annexes.

What’s required in practice:
  • Risk management and a baseline of technical measures (vulnerability management, network segmentation, backup/DR, logging, least-privilege access, supplier and supply-chain security).
  • Incident reporting: early warning within 24 hours, notification within 72 hours, and a final report within 1 month (or an interim report if the investigation is ongoing).

Penalties: for essential entities — up to €10 million or 2% of global annual turnover, whichever is higher; for important entities — up to €7 million or 1.4% of global annual turnover, whichever is higher. Exact amounts are set in each Member State's national implementation.
We support NIS2 programs in English, German and French upon request.
  • 🔴 Do you ship code without an SBOM and a vulnerability workflow?
    We add SBOM generation, scanning and remediation gates in CI.
  • 🔴 Are backups and BCP untested or undocumented?
    We design, test and document restore paths with named owners.
  • 🔴 Do K8s clusters still rely on outdated policies?
    We harden with PSA profiles and baseline controls.
  • 🔴 Are you treating NIS2 as paperwork while systems stay the same?
    We implement technical controls that auditors can verify.
  • 🔴 Will your next incident meet reporting and evidence demands?
    We wire logging, alerting and incident records end-to-end.


💯 Practice Areas
ADG NIS2 Fast-Track adds SBOM and vuln management, backups and BCP with tested restores, centralized logging and alerting, incident reporting workflows and K8s hardening.

In 4-8 weeks you move from intent to enforceable controls.

🔸 Enforceable NIS2 controls in prod.
🔸 Faster, provable restores.
🔸 Fewer repeat vulns via CI gates.
🔸 Visible incidents with clear owners.
🔸 Hardened clusters and reduced blast radius.
🔸 Documentation auditors can trust.
How It Works
Gap check
SBOM, vuln flow, logging, backups and incident path. Pick controls that reduce real risk first.
CI gates
Generate SBOMs, scan, enforce fix SLAs. Fail builds that re-introduce known issues.
Backups that restore
Define retention, rehearse restores, measure RTO/RPO and script the procedures so junior staff can run them under stress.
Logs & alerts
Normalize logs, route to owners, tune alert thresholds linked to SLOs.
K8s hardening
PSA profiles, least privilege, network policies. Keep dev velocity with sane defaults and exceptions.
Incident reporting
Automate data capture to meet deadlines with minimal manual work.
Managed controls (optional)
Policy tuning, baseline updates and short, periodic compliance summaries.
Documentation & Reporting (optional)
We produce lean, engineer-first artifacts that can scale to audit grade if needed - diagrams, IaC refs, runbooks, SLO dashboards, and change logs. Evidence packs are versioned and reproducible: links point to live systems or CI exports, not slides. Scope is tailored per client - from a 1-page ops sheet to a full compliance bundle with test replays and data lineage. If you prefer, we keep it minimal and focus on code and metrics only.
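The CI gate described above ("fail builds that re-introduce known issues" and "enforce fix SLAs") can be reduced to a small decision function. The following is an added illustration, not ADG's own tooling: the SLA day counts, the finding identifiers (EXAMPLE-*) and the sample scanner output are all constructed for the example.

```python
from datetime import date, timedelta

# Constructed policy: maximum days allowed to fix a finding, by severity.
# These figures are an assumption for the example; NIS2 does not prescribe them.
FIX_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def evaluate_gate(findings, fixed_baseline, today):
    """Decide whether a build passes the vulnerability gate.

    findings: scanner output for the current SBOM, one dict per finding with
        keys id, component, severity and first_seen (ISO date string).
    fixed_baseline: set of (id, component) pairs remediated in an earlier
        release; any of them reappearing is treated as a regression.
    today: ISO date string or date object used to check fix SLAs.
    Returns (passed, reasons); reasons lists every blocking finding.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    reasons = []
    for f in findings:
        if (f["id"], f["component"]) in fixed_baseline:
            reasons.append(f"regression: {f['id']} in {f['component']} was fixed before")
            continue
        # Unknown severities get the strictest SLA instead of slipping through.
        sla = FIX_SLA_DAYS.get(f["severity"].lower(), FIX_SLA_DAYS["critical"])
        deadline = date.fromisoformat(f["first_seen"]) + timedelta(days=sla)
        if today > deadline:
            reasons.append(
                f"sla breached: {f['id']} in {f['component']} ({f['severity']}) "
                f"open since {f['first_seen']}, due {deadline.isoformat()}"
            )
    return (not reasons, reasons)


# Constructed sample data; the identifiers are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    {"id": "EXAMPLE-0001", "component": "libfoo@1.2.3", "severity": "critical", "first_seen": "2025-10-20"},
    {"id": "EXAMPLE-0002", "component": "libbar@2.0.0", "severity": "medium", "first_seen": "2025-10-30"},
    {"id": "EXAMPLE-0003", "component": "libbaz@0.9.0", "severity": "high", "first_seen": "2025-11-01"},
]
SAMPLE_BASELINE = {("EXAMPLE-0003", "libbaz@0.9.0")}


def run_sample(today="2025-11-05"):
    return evaluate_gate(SAMPLE_FINDINGS, SAMPLE_BASELINE, today)


if __name__ == "__main__":
    passed, reasons = run_sample()
    print("PASS" if passed else "FAIL")
    for r in reasons:
        print(" -", r)
    raise SystemExit(0 if passed else 1)
```

On the sample data the gate fails for two reasons: the critical finding has exceeded its 7-day SLA, and the third finding is a regression of a previously fixed issue; the medium finding is still within its window and only blocks once its deadline passes.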
What you pay for
  • 🟢 Gap audit
    SBOM and vuln posture, logging, BCP and IR mapping.
  • 🟢 Rollout
    CI gates, restore tests, centralized logging/alerts, K8s hardening.
  • 🟢 MDR/SIEM and care plan
    Optional monitoring, tuning, and report upkeep.

General transparency note

Pricing reflects two components where applicable:
✅ Expert work
Architecture, implementation, monitoring, reporting.
✅ Resources
Compute, storage, network and third-party tooling used to meet your SLAs.
We keep these components itemized so you see exactly what delivers the outcome.