Sandy Smajic
NIS2 Consulting

NIS2 Directive Compliance Consulting

Understand whether NIS2 applies to you and build the governance, risk management and reporting capabilities the directive demands.

  • 18 sectors in scope
  • 24h incident reporting window
  • 1 risk-based program
Business Challenges

The problems this solves

Understand whether NIS2 applies to you and build the governance, risk management and reporting the directive demands — without duplicating existing work.

Are we even in scope?

NIS2 expanded to 18 sectors. Many organizations are unsure whether they qualify as essential or important entities.

Personal liability

Management can be held personally accountable, raising NIS2 from a technical task to a board-level concern.

24-hour reporting

The directive demands fast, structured incident reporting that most teams are not set up to deliver.

Supply-chain exposure

Obligations extend into your suppliers, and proving supply-chain security is a common stumbling block.

How We Solve It

One connected ecosystem, end to end

I bring clarity first — scoping your obligations — then build proportionate measures, leveraging your existing ISO 27001 work wherever possible.

Identifies risks

CyberHealth360

An automated assessment platform that benchmarks your current security posture and surfaces the gaps that matter most.

Creates strategy

Sandy Smajic Consulting

Senior advisory that turns findings into a prioritized, board-ready roadmap and implements the controls that protect the business.

Manages compliance

ComplianceHub360

A GRC platform that keeps policies, evidence and audits in one place so your program stays continuously audit-ready.

Understanding the NIS2 Directive

NIS2 (Directive (EU) 2022/2555) is the European Union's strengthened cybersecurity framework. It dramatically expands the scope of the original NIS Directive, covering far more sectors and imposing stricter obligations on essential and important entities.

Across the EU, NIS2 brings tens of thousands of additional organizations into scope. Many businesses are unsure whether they qualify — and the compliance obligations are significant, with regulators empowered to enforce them. A structured, risk-based program is the reliable way to meet them.

The directive demands board-level accountability. Management can be held personally responsible for cybersecurity governance, making NIS2 a strategic issue rather than a purely technical one.

How I help you achieve NIS2 compliance

My first job is clarity: determining whether and how NIS2 applies to your organization. From there I translate the directive's obligations into concrete, proportionate measures your business can actually implement.

  • NIS2 applicability and scoping assessment
  • Gap analysis against directive requirements
  • Risk management framework aligned to NIS2
  • Incident detection and 24-hour reporting processes
  • Supply-chain security measures
  • Board-level governance and accountability structures

NIS2 and ISO 27001 together

NIS2 and ISO 27001 are highly complementary. An ISO 27001-based ISMS provides much of the risk management foundation NIS2 expects, which means a single, well-designed security program can serve both goals efficiently.

I design compliance programs that avoid duplication, so you meet regulatory obligations and recognized standards without running parallel projects.

Framework Coverage

Standards and regulations we cover

Engagements map to the frameworks that matter for your sector — assessed objectively and tracked continuously.

CyberHealth360 — Security Assessment (dashboard preview)

  • Security score: 78/100 (+12 this quarter)
  • Maturity level: 64/100 (Level 3 · Defined)
  • Framework readiness: ISO 27001 82%, NIS2 64%, GDPR 91%, TISAX 48%
  • Priority roadmap: access control policy, asset inventory, incident response plan, supplier risk review

Standards and regulations covered: NIS2 100%, ISO 27001 90%, DORA 75%, GDPR 80%, ISO 22301 70%
Deliverables

What you walk away with

Tangible, audit-ready outputs — not slideware. Everything is built to fit how your organization actually works.

Applicability & scoping report

A definitive view of whether and how NIS2 applies to your organization.

Risk management framework

Governance, policies and controls aligned to the directive's requirements.

Incident reporting process

A 24-hour detection-to-notification workflow your team can actually run.

Supply-chain security measures

Vendor assessment and controls that satisfy NIS2 third-party obligations.

The Process

A clear path from gap to audit-ready

A proven four-phase engagement that moves you from uncertainty to a sustainable, defensible program.

01

Scope & assess

Determine applicability and benchmark against NIS2 obligations with CyberHealth360.

02

Govern

Stand up board-level accountability and a risk management framework aligned to the directive.

03

Operationalize

Implement incident detection, 24-hour reporting and supply-chain security measures.

04

Monitor

Maintain evidence and ongoing compliance in ComplianceHub360, ready for supervisory scrutiny.

Case Study

How this plays out in practice

An anonymized example of the ecosystem in action. Outcomes are described qualitatively to respect client confidentiality.

An Austrian energy provider
Challenge

Newly in scope for NIS2 with board-level pressure and no formal incident reporting capability.

Approach

Scoped obligations, reused existing ISO 27001 controls, and built a 24-hour reporting workflow tracked in ComplianceHub360.

Outcome

Established defensible governance and reporting ahead of the national deadline, with management confident in their accountability.

Stay Audit-Ready

Compliance managed, not just achieved

Once your program is in place, ComplianceHub360 keeps policies, evidence and audits in one place — so the next audit is never a fire drill.

  • Central policy and evidence repository
  • Continuous control monitoring across frameworks
  • Audit tracking with a clear, exportable trail

ComplianceHub360 — GRC Dashboard (dashboard preview)

  • Policies: 42/45
  • Controls: 118/130
  • Evidence: 201
  • Open tasks: 7
  • Risk heatmap (axes: High/Low, Unlikely/Likely)
  • Audit progress: ISO 27001 surveillance 86%, NIS2 readiness 58%, GDPR Art. 30 records 73%
Industry Examples

Sectors I work with

Engagements are tailored to the regulatory and operational realities of your industry.

  • Energy
  • Critical Infrastructure
  • Healthcare
  • Transport
  • Public Sector
  • Digital Infrastructure

Who You're Working With

Expertise you can verify

Advisory grounded in academic rigor, real audit experience, and the platforms built to support it.

External Lecturer — HDBW

Teaches IT Security, risk management and compliance at the University of Applied Sciences, keeping practice grounded in current academic rigor.

Cybersecurity Consultant

Hands-on senior consultant who has guided organizations through real ISO 27001, NIS2, TISAX and DORA audits across multiple sectors.

Founder — Security Ecosystem

Built CyberHealth360 and ComplianceHub360 to connect assessment, strategy and compliance management into one continuous program.

FAQ

Frequently asked questions

NIS2 covers medium and large entities across 18 critical sectors. I provide a quick applicability assessment to determine whether you are classed as an essential or important entity.

Step inside the ecosystem

Book a free 30-minute consultation and get a clear, practical path forward — or run a free assessment to see exactly where you stand today.