NIS2 scope and readiness
NIS2 applies to medium and large entities operating in the sectors listed in its annexes, classified as either essential or important entities; a number of smaller entities are also in scope regardless of size. This roadmap meets those requirements while keeping security proportionate to how your business actually runs.
I help you clarify technical and organisational readiness. Legal applicability should be confirmed with qualified counsel where needed.
Where This Fits
Who this is for
This is you
Your company
- Operating in a regulated critical sector
- Or exposed through a larger supply chain
- Typically a medium or large entity
What is pushing you
- NIS2 raised in management discussions
- A customer asking how you will meet it
- Sector guidance landing on someone's desk
How we do it
- Instead of assuming NIS2 simply does not apply to you, we check applicability before anything else.
- Instead of treating it as a pure IT checklist, we place accountability at management level.
- Instead of importing a generic control set, we keep controls proportionate to the business.
The Roadmap
Five phases
Applicability and exposure check
Sector, size, role in the supply chain, customer obligations, and relevance of national transposition. We discuss essential versus important entity status and hand off to legal counsel where a formal determination is needed.
Management accountability
Security governance, risk ownership, reporting lines, decision records, a board and management briefing, and a clear point of residual risk acceptance.
Risk management controls
Incident handling, business continuity, supply chain security, access control, vulnerability management, encryption where relevant, security awareness, and asset and supplier visibility.
Incident readiness
A reporting process built around the NIS2 timelines (early warning within 24 hours, incident notification within 72 hours, final report within one month), escalation criteria, a contact matrix, a tabletop exercise, and an evidence trail you can rely on under pressure.
Retainer operation
Quarterly risk review, supplier assurance, incident-readiness maintenance, control maturity tracking, and management reporting.
What You Get
First 90 days
Applicability and exposure are clear. You know whether and how NIS2 reaches your organisation.
Accountability and governance are in place, with risk ownership named at management level.
Core risk-management controls and incident readiness are underway and tracked.
How this becomes a retainer
NIS2 expects continuous risk management and incident readiness. A retained partnership maintains it: quarterly risk review, supplier assurance, and incident-readiness upkeep.
What is not included
I do not provide a legal determination of whether NIS2 applies to you; that is confirmed with qualified counsel.
Accountability cannot be outsourced either. NIS2 places responsibility for cybersecurity risk management on the management body, which is why it is not just an IT checklist.
Get a roadmap
Start with a focused assessment. We check applicability and exposure, then turn the requirements into a roadmap proportionate to your business.