NIS2 Compliance Assessment

Understand your gaps and prioritize key requirements for NIS2 compliance with guidance from Kroll experts.

NIS2 replaces the original NIS Directive from 2016, which sought to set a high level of cybersecurity across critical infrastructure across the EU. NIS2 is an important update, with the original NIS directive considered to have limited scope and lack of consistency in its application by member states. NIS2 therefore includes an expanded scope of EU impacted entities and a wider supervisory and coordinated regime from member states which entities will need to register with.

How has NIS2 changed from the NIS Directive?

The table below compares each requirement area under the original NIS Directive with its NIS2 counterpart.

Risk Management Requirements

  NIS Directive: Required entities to implement "appropriate and proportionate" security measures.

  NIS2 Directive: Imposes stricter requirements, focusing on:
    • Supply chain security and third-party risks
    • Incident response planning
    • Encryption
    • Business continuity

Sectors in Scope

  NIS Directive:
    • Banking
    • Healthcare
    • Energy
    • Transport
    • Digital Service Providers
    • Water Supply
    • Digital Infrastructure

  NIS2 Directive: Expanded scope adding the following new sectors:
    • Space
    • Public Administration
    • Waste and Wastewater Management
    • ICT Service Management
    • Providers of Public Electronic Communications Networks or Services
    • Chemicals
    • Food
    • Research
    • Postal and Courier Services

Reporting Requirements

  NIS Directive: Required entities to report cyber incidents to national authorities within a reasonable timeframe.

  NIS2 Directive:
    • Incidents reported within 24 hours
    • Follow-up reports required after 72 hours
    • Final detailed report within a month

Penalties

  NIS Directive: Allowed member states to set penalties for noncompliance.

  NIS2 Directive:
    • Essential Entities - up to €10 million or 2% of global annual turnover
    • Important Entities - up to €7 million or 1.4% of global annual turnover

How Kroll Can Help You Achieve NIS2 Compliance

Kroll has a long track record of working with organizations across critical infrastructure sectors, enabling them to achieve their security and regulatory goals across multiple jurisdictions. We leverage agile methodologies, accelerators and frontline intelligence from thousands of incident response cases a year to support and prepare your organization to meet NIS2 requirements.

How It Works

Our three-phased approach helps organizations of all sizes address any stage of NIS2 compliance:

Gap Assessment

As part of our gap assessment, we provide a clear risk rating against NIS2 requirements, alongside a quantitative measure of compliance status covering:

Governance

  • Allocation of responsibilities (board, committees and individuals)
  • Training of management and all employees

Cyber Risk Management

  • Consideration of risk in the design, development and availability of systems
  • Supply chain security
  • Basic cyber hygiene, encryption, access and HR security
  • Existence of comprehensive policies and procedures for risk management

Reporting and Registering Articles

  • Reporting incidents
  • Reporting vulnerabilities
  • Collaboration
  • Registration
  • Breach notification

Roadmap

Following the assessment, we provide you with a roadmap report along with an action tracker for effective project management, including:

  • Target levels of compliance and maturity in each assessment area
  • Actionable tasks with effort ratings
  • Reasonable timeframes for completion of individual tasks
  • Recommended task owners

Implementation and Remediation

Having identified the key NIS2 compliance gaps, Kroll can provide senior advisory support on the compliance adherence of remediation initiatives such as:

Kroll can also support with the review and development of policies, procedures, reports, mappings and risk assessments, leveraging specially-tailored templates.

NIS2 Compliance Assessment in Your Cyber Risk Retainer

Our NIS2 Compliance Assessment, along with many other cybersecurity and compliance services, can be delivered as part of Kroll’s ultra-flexible Cyber Risk Retainer. In addition to prioritized access to Kroll’s elite digital forensics and incident response team ahead of and in the event of an incident, the Retainer can also be used for services like penetration testing, risk assessments and tabletop exercises, to name just a few.

Why Kroll?

  • Experience in Building Multi-jurisdictional Governance Programs

Our team consists of experts who have designed and led numerous compliance audits at large multi-jurisdictional organizations, assessing and evaluating domains across cyber strategy, governance and procedural controls in the context of regulatory requirements and industry standards including ISO 27001, COBIT, NIST, DORA, NIS2, SAMA CSF and more.

  • Experienced, Accredited Cybersecurity Professionals

700+ skilled and certified cybersecurity experts across the globe, experienced not only in helping clients comply with multiple regulations but also in staying resilient ahead of the changing threat landscape.

  • Solutions across the NIS2 Maturity Lifecycle

Our solutions can address all aspects of NIS2 compliance and maturity, from assessing all possible gaps and weaknesses and advising on remediation with our consultancy expertise to implementing the right controls and services.

  • Unrivalled Frontline Intelligence

With unrivalled exposure to thousands of incident response cases each year, we know what’s needed to stay resilient to cyber threats.

  • Fast Implementation, Built on Previous Engagements

We leverage our NIS2-tailored policies and procedures templates to provide immediate value as we roll out your tailored program.

Talk to a Kroll Expert

Kroll is ready to help, 24x7. Use the links on this page to explore our services further or speak to a Kroll expert today via our 24x7 cyber hotlines or our contact page.
