EU directive · cyber risk management

NIS2

NIS2 (Directive 2022/2555) raises the security bar for organizations across 18 sectors. Each member state transposes it into national law, such as Croatia's Act on Cybersecurity.
Who it applies to
Medium and large entities in 18 sectors (energy, transport, banking, health, digital infrastructure, public administration, and more)
Many smaller entities pulled in as critical suppliers
Enforced per member state, with management held accountable
What it requires
The obligations, in plain terms.
01
Risk management measures
Technical and organizational measures proportionate to the risk, covering everything from the basics through to the supply chain.
02
Incident reporting
Early warning within 24 hours and a fuller notification within 72 hours of a significant incident.
03
Supply-chain security
Security requirements pushed down to suppliers and service providers.
04
Governance and accountability
Management bodies approve and oversee the measures, and can be held liable.
How Raptoric helps
We do the engineering work, not just the paperwork.
Gap assessment
We measure your posture against the NIS2 measures and your national transposition.
Program build
We stand up the risk management, policies, and controls the directive expects.
Incident readiness
We build the detection and response that makes the reporting deadlines achievable.
Supply-chain review
We assess the third-party exposure regulators now ask about.
We get you ready and produce the evidence. Enforcement and oversight sit with your national authority.
FAQ
Questions, answered
Does NIS2 apply to my company?
If you are a medium or large entity in one of 18 covered sectors, likely yes. Many smaller firms are pulled in as critical suppliers. It is enforced through each member state's national law, including Croatia's Act on Cybersecurity.
What are the incident reporting deadlines?
An early warning within 24 hours and a fuller notification within 72 hours of a significant incident. We build the detection and response that makes those deadlines achievable.
Can management be held liable under NIS2?
Yes. Management bodies approve and oversee the security measures and can be held accountable, which is why governance is part of the work.
How do you help us get ready?
We assess your posture against the NIS2 measures and your national transposition, stand up the controls, and produce the evidence. Oversight stays with your national authority.
Need to be ready for NIS2?
A senior engineer will scope the work with you on a 30-minute call.
Book a scoping call or email contact@raptoric.com