Four-year NIS2 framework for a regional power utility

Multi-year framework covering NIS2 readiness, annual tabletop exercises, awareness programme oversight, and quarterly executive reporting.

Sector. Power utility (essential entity), ~3,500 employees

Engagement. Four-year framework agreement

Duration. Year one of four, ongoing

The client is a regional power utility falling within the NIS2 essential-entity tier. Their internal security function was capable but small (twelve people across a multi-thousand-employee organisation). The regulatory obligations clearly exceeded internal capacity for the readiness phase.

We scoped a four-year framework engagement covering the readiness phase (year one), the bedding-in phase (year two), and the steady-state phase (years three and four, with an option to reduce scope after year two). The framework structure allowed the client to plan workload and budget without renegotiating annually.

Year-one workstreams covered NIS2 gap analysis, ICT risk management framework alignment, incident-notification procedure design, supplier-risk programme establishment, and an annual coordinated tabletop covering the IT/OT boundary.

The annual tabletop exercise has emerged as the most valuable single component of the engagement from the client's perspective. The first one (year one, month nine) identified seven decision-flow ambiguities and three communications-playbook gaps. All ten findings were resolved within six months. The second tabletop (year two, in scope for our next engagement quarter) will explicitly retest those resolutions.

Outcome

Full NIS2 readiness achieved within year one; ten decision-flow and communications gaps closed in the first year; ongoing multi-year framework.