NIS2 · enforcement live

NIS2 readiness — before the fine arrives.

Security baseline, incident-reporting workflow, supply-chain audit, and the technical-measure documentation that NIS2 Art. 21 requires. Fixed €3,990. 21 days. National regulators are calling on companies that look unprepared.

If you're reading this, this is what you're facing

  • Your company falls under NIS2 (essential or important entity) and the transposition deadline (Oct 17 2024) is behind you. National authorities now have enforcement rights, including fines of up to €10M or 2% of global turnover.
  • Your IT vendor said "we're ISO 27001" and called it a day. NIS2 Art. 21 lists 10 specific technical measures — not all of them are in ISO 27001, and reverse-mapping is brittle without help.
  • You have an incident-reporting obligation: 24h early-warning, 72h notification, 1-month report. Your team has nothing rehearsed. The first time you trigger this in real life shouldn't be the first time you do it.

How we fix it

Synelo delivers a NIS2 readiness pack scoped to a small-team reality. We map your current security posture against Art. 21's 10 measure categories, run a supply-chain dependency audit (NIS2 Art. 21(2)(d)), build the incident-reporting workflow into your tools (Slack/PagerDuty/Email), and prepare the documentation pack for the relevant national authority. Output: you can credibly answer "are we NIS2-ready?" with evidence.

What's in the package

  • Art. 21 measure audit. Each of the 10 NIS2 measure categories assessed against your current setup, with a written gap report.
  • Security baseline implementation. Critical gaps closed: MFA on admin access, encrypted backups verified, vulnerability scanning automated.
  • Incident-reporting workflow. 24h / 72h / 1-month notification path wired through your Slack or PagerDuty with auto-templated content.
  • Supply-chain dependency audit. Your critical vendors mapped, contract clauses checked, third-party risk register populated.
  • Risk-management plan. Documented risk-assessment methodology, treatment plan, business-continuity protocol.
  • National-authority documentation pack. The submission file the authority in your member state can request, pre-formatted.

How it works

  1. Days 1–3. Posture assessment. Current-state audit against Art. 21 measures, supply-chain inventory, written gap report.
  2. Days 4–14. Implementation. Critical security gaps closed in code/config, incident-reporting workflow built and tested with a tabletop drill.
  3. Days 15–18. Documentation. Risk-management plan, incident-response playbook, technical-measure log, supply-chain register.
  4. Days 19–21. Handover + drill. Final pack delivered, full incident-reporting drill run with your team to verify the 24h timeline.

Who this is for

  • Companies with > 50 employees or > €10M turnover in critical sectors
  • SaaS providers serving essential or important entities
  • B2B platforms in finance, energy, transport, healthcare
  • Cloud / managed-service providers under NIS2 explicit scope
  • Companies whose customers ask for NIS2 proof in procurement
  • Anyone facing an "are you NIS2-ready?" question they can't answer

Frequently asked

Are we even in scope?

NIS2 covers two categories: essential entities (energy, transport, banking, healthcare, drinking water, digital infrastructure, public administration) and important entities (postal services, waste management, manufacturing of medical devices, food production, chemicals, digital service providers including online marketplaces, search engines, social platforms). Plus everyone with > 50 employees / €10M turnover in those sectors. We confirm scope on Day 1.

Is this a substitute for ISO 27001?

No, but it overlaps significantly. NIS2 Art. 21 measures map ~70% to ISO 27001:2022 controls. If you already have ISO 27001 we use it as the base and document the NIS2-specific deltas (mostly around supply-chain risk and incident reporting). If you don't, this pack gets you compliant without forcing the full ISO certification path.

What if we're classified as a "small entity" but our customers ask for NIS2 proof?

Small entities (< 50 employees / < €10M turnover) are formally out of NIS2 scope unless explicitly in-scope by sector. But customers in regulated sectors will increasingly require NIS2-style proof in procurement. We document your security posture in NIS2 vocabulary so you can answer the questionnaire credibly.

How does this work with multiple member-state authorities?

NIS2 transposition is per-member-state. Germany, France, Italy, Poland and Spain each have their own implementing legislation with slightly different reporting templates. We tailor the documentation pack to your primary authority's template and provide adapter notes for additional jurisdictions if you operate across borders.

Recommended path

NIS2 readiness · €9,990 · 21 days
