NIS2 compliance, without the panic.
NIS2 widens the net of who must meet EU cybersecurity rules — and makes senior management personally accountable. We'll tell you plainly whether it applies to you, and give you a clear path to meet it.
More businesses than you'd expect.
NIS2 covers medium and large organisations (broadly, 50+ staff or €10m+ turnover) across sectors like energy, transport, banking, health, water, digital infrastructure, ICT services, public administration, manufacturing, food, postal services and more.
Even if you're below the threshold, NIS2 pushes obligations down the supply chain. If you sell to in-scope organisations, expect them to require evidence of your security — making compliance a commercial necessity, not just a legal one.
The exact scope depends on your sector, size and how each EU member state has transposed the directive into national law. A short scoping conversation settles it quickly — that's where we start.
From "are we in scope?" to "we're covered."
We confirm whether NIS2 applies to you, whether you're an "essential" or "important" entity, and exactly which parts of your business are in scope.
We measure you against NIS2's risk-management measures — governance, incident handling, business continuity, supply-chain security, encryption, access control and more — and report the gaps, prioritised.
We help you implement the technical and organisational measures, and put the management oversight in place — because under NIS2 the buck stops with senior leadership.
NIS2 sets tight reporting deadlines — an early warning within 24 hours and a fuller notification within 72. We help you build the process so you can actually hit them under pressure.
Compliance isn't a one-off. With Maul and periodic testing we keep your measures effective and evidenced — ready for a regulator, or an incident, on any given day.
The stakes are real — and personal.
NIS2 holds senior management responsible for overseeing and approving cybersecurity measures — non-compliance can reach the leadership directly.
The directive provides for substantial administrative fines for essential and important entities that fail to meet their obligations.
In-scope customers must manage supply-chain risk — so they'll increasingly require proof of your security before they'll buy.
This page is general information, not legal advice. Exact obligations depend on your sector and national transposition; we'll help you interpret them for your specific situation.