Request a scoping call

NIS2 · Entering the EU market

Expanding into Europe? NIS2 is part of the price of entry.

The EU’s NIS2 directive raises the cybersecurity bar for essential and important entities across Europe — and pushes those requirements down the supply chain. If you plan to operate in the EU, or sell to companies that do, your customers will ask. We make sure you have the right answers.

ScopePrepareComply
ScopeDoes NIS2 apply to you — directly or via customers?
PrepareGap assessment and a prioritised plan
ComplyMeasures, training and evidence

The problem

Three questions EU customers will ask you.

NIS2 moves responsibility up to management — and outward to suppliers. US and international companies feel it first through their European customers.

Are you in scope?

Essential and important sectors, medium and large entities — plus suppliers to companies that are covered. Scoping is not obvious, especially from outside the EU.

Can you prove security?

EU customers under NIS2 must manage supply-chain risk — which means security questionnaires, contractual demands and audits for you.

Who is accountable?

Under NIS2, management bodies carry direct responsibility. “IT handles it” is no longer an acceptable answer — in Europe or in your deals.

How it works

From scoping to evidence — a bridge into the EU.

We operate in Portugal and the US: EU regulation experience, delivered in your language and your time zone.

1 · Scope

Scoping call (no cost)

We analyse your sector, size, EU footprint and customer base — and tell you, with reasoning, whether and how NIS2 touches your business.

  • A clear answer: in scope, out of scope, or in scope via customers
  • No commitment
2 · Prepare

Gap assessment and plan

We compare what you have against what the directive requires and deliver a prioritised, realistic plan for your size.

  • Technical and organisational measures mapped
  • Priorities by risk and effort
  • Fixed scope, in writing
3 · Comply

Implement, train and prove

We implement the measures, train teams and leadership, and leave the evidence organised — for regulators, customers and auditors.

  • Policies, incident response and continuity
  • Employee and leadership training
  • Documented, maintained evidence

Why now

Your first NIS2 question will come from a customer, not a regulator.

EU buyers are already pushing NIS2 requirements into contracts and vendor questionnaires. Getting ready early means winning those deals at your own pace — with a planned budget — instead of scrambling when a contract is on the line. The scoping call tells you exactly where you stand — free, no strings.

Frequently asked questions

Before you ask — answered.

We’re a US company with no EU offices. Can NIS2 still affect us?

Yes — through your customers. EU entities under NIS2 must manage supplier risk, so their requirements land in your contracts and questionnaires. And if you offer services into the EU, you may be in scope directly.

We have SOC 2 / ISO 27001. Are we covered?

You’re well positioned — there’s significant overlap — but NIS2 has its own requirements (registration, incident notification, management accountability) that need to be checked.

Why work with a Portuguese firm on this?

Because NIS2 is transposed country by country, and we live it from inside the EU — with a US presence, your language and your time zone. A practical bridge, not a law firm’s memo.

How long does readiness take?

It depends on your starting point. The gap assessment gives you a realistic timeline with priorities — most companies can meet customer demands far sooner than full formal readiness.

Scoping call

Tell us about your EU plans. We’ll tell you where NIS2 touches them.

Sector, size and target markets — that’s enough for a clear first answer, at no cost.

Thank you — your message has been sent. We’ll get back to you shortly.

The worst NIS2 strategy is finding out mid-deal that you were in scope.

Fifteen minutes and a clear answer: in scope or not, and what to do next.

Request a free scoping call