The expanded EU network and information security directive, covering essential and important entities across 18 sectors.
Essential entities (large operators in critical sectors) and Important entities (medium operators) across 18 sectors.
Up to €10M or 2% global turnover (essential entities); €7M or 1.4% (important entities).
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
Risk-based cybersecurity measures including incident handling, business continuity, supply chain security.
24-hour early warning to the national CSIRT; 72-hour formal incident notification; 1-month final report.
Management body accountability — leadership must approve and oversee cyber risk measures.
Vulnerability handling and coordinated disclosure policy.
Use of cryptography (including end-to-end where appropriate) and multi-factor authentication.
Supply chain risk management including direct supplier cyber posture assessment.
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
Incident timer that surfaces the 24/72/30 NIS2 milestones automatically.
Supply-chain risk module covering direct suppliers and transitive open-source dependencies.
Management-body briefing pack auto-generated quarterly.
Crosswalks to the ENISA NIS Cooperation Group reference and to per-Member-State transpositions (DE, FR, IT, ES, NL, PL, IE).
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
Incident timeline with regulator-aligned milestones.
Supply chain cyber posture report.
Management body briefing — board pack format.
Coordinated disclosure policy and vulnerability handling logs.
These frameworks share substantial control overlap with NIS2. Customers running one assessment typically satisfy the others with the same evidence base.
European Union
The EU Digital Operational Resilience Act — applies directly to financial entities and designates critical ICT third-party providers as supervised.
European Union
The EU directive on resilience of critical entities — physical and operational resilience baseline for 11 sectors including energy, transport, banking, and digital infrastructure.
European Union
The EU Cyber Resilience Act — product cybersecurity requirements with CE marking for all products with digital elements sold in the EU.
United Kingdom
The UK NCSC's national cyber baseline for operators of essential services and the public sector.
European Union
Alignment to the ENISA Threat Landscape and cybersecurity certification frameworks — the EU's threat baseline.
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.