NIS2 and DORA advisory
Practical translation of NIS2 and DORA obligations into a workplan your security team can actually execute, with measurable acceptance criteria.
NIS2 (Directive (EU) 2022/2555) and DORA (Regulation (EU) 2022/2554) are the two regulatory developments most material to our clients' planning over the next two years. Both have substantial obligations, both have transposition complexity, both have penalty regimes that make non-compliance a board-level risk.
Most published advisory material on NIS2 and DORA focuses on what the regulations say. Our practice focuses on what your organisation has to do about it. The translation from regulatory text to workplan is where most readiness projects underdeliver.
We approach NIS2 and DORA the same way we approach ISO 27001: a gap analysis against the actual articles, a prioritised workplan with effort estimates, and support through implementation. The regulations are interpreted strictly — we are explicit about which obligations are firm and which leave reasonable interpretation latitude.
Our published reading of the directives is on the insights page. We are happy to share more under NDA in a scoping conversation.
Typical deliverables
- Gap analysis against the relevant articles of NIS2 / DORA
- Workplan with prioritised obligations, effort estimates, and dependencies
- Implementation support across the obligation set
- Documentation set (policies, registers, incident-notification procedures)
- Tabletop exercise for the incident-notification clock
Engagement model
NIS2 / DORA engagements vary widely in scope depending on existing maturity. A small client with a working ISMS may need a three-month gap analysis and remediation engagement; a larger client starting from scratch may need a twelve-to-eighteen-month programme. We scope honestly.
Get in touch
To discuss whether this service is a fit for your organisation, contact us at office@ellipseproject.com or use the contact form.