NIS2 Directive

We are a specialized cybersecurity consultancy focused on helping organizations navigate complex security, compliance, and risk challenges with clarity, precision, and trust.

NIS2 compliance and cybersecurity resilience service 

The cybersecurity regulatory landscape in the EU and Croatia is evolving rapidly. The NIS2 Directive, the Cyber Resilience Act (CRA), the Croatian Cybersecurity Act (NN 14/2024), and the Cybersecurity Regulation (NN 135/2024) introduce significant new obligations for organisations and their governing bodies. 

At Cyber Security d.o.o. we provide expert advisory and analytical services designed to raise your level of information and cybersecurity — ensuring full organisational, technical, and process alignment with applicable regulatory frameworks. 

What changes with NIS2?

Implementation approach

A detailed review of organisational structures, security policies, internal acts, technical controls and operational procedures. We establish the AS-IS baseline, define the TO-BE target state in line with regulatory requirements, and conduct a formal self-assessment using the official ZSIS cybersecurity self-assessment calculator.

Deliverables: 

  • Gap analysis report — current vs. target cybersecurity posture 
  • Compliance matrix: NIS2, Croatian Cybersecurity Act & Cybersecurity Regulation 
  • Completed ZSIS self-assessment calculator 
  • Self-assessment report with maturity level determination 
  • Cyber risk register with management recommendations 

Based on gap analysis findings, we define and implement prioritised organisational and technical controls, establish clear roles and responsibilities, and create the conditions for ongoing monitoring and future certification. Standard Operating Procedures (SOPs) are developed to cover incident detection, escalation, analysis, response, and mandatory regulatory reporting. 

Deliverables: 

  • Implementation plan with prioritised activities, timelines, and responsibilities 
  • Updated internal acts: incident management & reporting, vulnerability management, supplier management, cybersecurity risk management 
  • Standard Operating Procedures (SOPs) for security event and incident management 

An independent internal audit assessing the effectiveness of all implemented controls. Scope covers risk management, infrastructure and information system protection, sensitive data handling, incident response processes, and overall effectiveness of security measures. 

Deliverables: 

  • Internal compliance audit report — overview of findings, identified gaps, and prioritised recommendations for further improvement 

Workshops and hands-on sessions for teams responsible for IT systems and security processes — covering the regulatory framework, implemented controls, new procedures and methodologies, and day-to-day application of the new security measures. 

Deliverables: 

  • Training and reference materials enabling independent operational use of defined procedures and security controls 


Regulatory framework covered 

  • NIS2 Directive (EU) 
  • Cyber Resilience Act — CRA (EU) 
  • Croatian Cybersecurity Act — NN 14/2024 
  • Cybersecurity Regulation — NN 135/2024 
  • ZSIS self-assessment guidelines 
  • ISO/IEC 27001 (where applicable)