Regulatory Compliance

NIS2 Implementation

EU Directive 2022/2555 compliance implementation for essential and important entities. From entity classification through governance design, incident response, and supply chain security — delivered within fixed timelines for PE portfolios and Family Office holdings.

Overview

The Network and Information Security Directive 2 (NIS2), formally EU Directive 2022/2555, is the most consequential expansion of European cybersecurity regulation to date. It dramatically broadens the scope of mandatory obligations, introduces direct personal liability for management bodies, and establishes penalty frameworks rivalling GDPR in severity. The directive spans 18 sectors including energy, transport, banking, health, digital infrastructure, ICT service management, and manufacturing.

Essential entities face the most stringent requirements including proactive supervisory oversight. Important entities are supervised reactively, typically following an incident. For Private Equity portfolio companies and Family Office-controlled enterprises, entity classification is rarely straightforward: portfolio composition, group structures, and cross-sector operations create complexities requiring careful legal and technical analysis.

The October 2024 transposition deadline has passed, and member states are enforcing national legislation. Italy's D.Lgs. 138/2024 designates the ACN as national competent authority with sector-specific timelines and additional notification obligations. Organisations that have not commenced implementation face escalating enforcement risk as supervisory authorities begin systematic audits.

Intarmour delivers NIS2 implementation designed for PE-backed and Family Office-controlled enterprises, addressing their particular challenges: distributed management, board members serving multiple entities, rapid portfolio changes, and varying security maturity levels. We convert regulatory obligation into structured programmes with fixed timelines and defined deliverables — no open-ended advisory or compliance theater.

Implementation Scope

Entity Classification & Scoping

Determination of entity status under NIS2 and Italian transposition (D.Lgs. 138/2024). Size-cap analysis, sector classification across all 18 NIS2 sectors, and essential vs. important entity distinction. Includes group-level implications for Private Equity portfolio structures and multi-entity holdings.

Governance Framework Design

Board-level accountability structures satisfying Article 20 management body obligations. CISO designation, risk committee mandates, director training programs, and documented governance procedures. Designed to integrate with PE governance and fund reporting structures.

Risk Management Implementation

Risk analysis and information system security policies addressing all ten Article 21 minimum measures. Risk assessment methodology, control selection, vulnerability handling, and cryptographic policy. Controls mapped to both NIS2 and recognized standards (ISO 27001, NIST CSF).

Incident Reporting Procedures

Incident response detection, classification, and reporting meeting NIS2 notification timelines: 24-hour early warning, 72-hour notification, and one-month final report with root cause analysis. Automated escalation, communication templates, and CSIRT coordination procedures.

Supply Chain Security Program

Third-party risk management addressing Article 21(2)(d) supply chain requirements. Vendor assessment with security scoring, contractual clauses and audit rights, continuous monitoring, and remediation protocols. Focus on ICT service providers and cloud dependencies.

Audit & Compliance Monitoring

Ongoing compliance verification through internal audit programs, control effectiveness testing, and regulatory change tracking. Inspection preparation, continuous monitoring dashboards, and real-time compliance visibility for management bodies and fund-level reporting.

Implementation Timeline

Phase 1 (Weeks 1–3)

Assessment & Gap Analysis

  • Entity classification and scoping under NIS2 and D.Lgs. 138/2024
  • Current security posture assessment against Article 21 requirements
  • Gap analysis quantifying delta between current state and compliance target
  • Risk prioritization and remediation cost estimation
  • Project plan and resource allocation for implementation phases

Phase 2 (Weeks 4–8)

Design & Framework Development

  • Governance framework design with management body accountability structures
  • Risk management policy development and control architecture design
  • Incident response plan and CSIRT notification procedures
  • Supply chain security framework and vendor assessment methodology
  • Business continuity and crisis management planning

Phase 3 (Weeks 9–12)

Implementation & Validation

  • Technical control deployment and configuration
  • Management body training and awareness programs
  • Incident reporting system activation and testing
  • Internal audit and compliance verification
  • Documentation finalization and regulatory readiness assessment

Enforcement & Penalties

Essential entities face maximum fines of €10,000,000 or 2% of worldwide annual turnover, whichever is greater. Important entities: €7,000,000 or 1.4%. These thresholds place NIS2 on a scale comparable to GDPR.

Beyond financial penalties, Article 20 establishes that management bodies must approve cybersecurity measures, oversee implementation, and can be held personally liable. Member states may impose temporary bans on managerial functions. For PE fund managers and Family Office principals on portfolio boards, this creates personal fiduciary liability extending beyond entity level to individual directors and officers.

Italy's ACN holds supervisory powers including on-site inspections, security audits, and evidence requests. Essential entities face proactive supervision — inspections may be initiated without prior incident. Compliance is not optional, and enforcement is operational.

Essential Entities

€10M or 2%

Maximum fine of €10,000,000 or 2% of worldwide turnover. Proactive supervisory oversight with on-site inspection authority.

Important Entities

€7M or 1.4%

Maximum fine of €7,000,000 or 1.4% of worldwide turnover. Reactive supervision triggered by incidents or non-compliance evidence.

Case Study — Critical Infrastructure Compliance

Italian Infrastructure Operator — Multi-Site Industrial Operations

Challenge

Critical infrastructure operator in northern Italy with multi-site industrial operations and legacy OT environments. Classified as an essential entity under NIS2. Fragmented security controls, no centralised governance, no formal incident response procedures, OT systems not updated in over a decade, minimal management body awareness, and no supply chain security program despite reliance on dozens of third-party providers.

Solution

Three-phase implementation: gap analysis across all sites including OT environments (3 weeks); governance framework with board-level accountability, risk management policies for IT and OT, incident reporting, and supply chain security program; then technical control deployment, management training, incident system activation with ACN coordination, and compliance verification. OT controls implemented via network segmentation without production disruption.

Outcome

Full compliance within 10 weeks, ahead of the 12-week target. Governance framework with documented Article 20 oversight procedures. Incident reporting tested via tabletop exercise with successful 24-hour notification simulation. Supply chain program across 34 critical vendors. Legacy OT under centralised monitoring without operational disruption. Passed first regulatory readiness assessment with no material findings.

Engagement Model

Fixed scope over 6 to 12 weeks depending on entity complexity, number of sites, and existing security maturity. Single-entity implementations with established foundations: 6 to 8 weeks. Multi-site or low-maturity organisations: 10 to 12 weeks. Portfolio-wide implementations for Private Equity funds benefit from shared frameworks and economies of scale.

Every engagement begins with scoping that confirms classification, quantifies the gap, and produces a detailed project plan. Fixed pricing at commencement — no time-and-materials escalation. Deliverables include all governance documentation, policies, technical specifications, incident procedures, and compliance evidence packages. Post-implementation retainers available for ongoing monitoring and reassessment.

Timeline

6–12 Weeks

Fixed schedule calibrated to entity scope and complexity

Pricing

Fixed Scope

Defined deliverables and milestones agreed at commencement

Delivery

End-to-End

From entity classification through validation and audit readiness

Ready for institutional-grade cybersecurity?

Confidential assessments for qualified Private Equity and Family Office entities requiring sovereign defense infrastructure.