
NIS2 support

Strategic support to implement and maintain NIS2 compliance

Strengthening national cyber security and resilience with NIS2

The Network and Information Security Directive 2 (NIS2) is the EU’s latest directive aimed at strengthening cyber security and resilience across key sectors. It replaces the original NIS Directive with a broader scope and stricter obligations designed to protect critical services from today’s rapidly evolving cyber threat landscape, ensuring the overall resilience and security of EU Member States at a national level.

NIS2 introduces significant improvements in risk management and incident response obligations:
  • Stronger governance: Boards and senior leadership now have explicit accountability for cyber risk management
  • Enhanced risk management including supply chain security, encryption and vulnerability disclosure, business continuity and recovery, and faster incident reporting timeframes
  • Expanded scope: Includes new sectors (e.g., public administration, manufacturing and IT service management)
  • Clearer entity classification: Essential Entities (e.g., energy, transport, finance, health) and Important Entities (e.g., manufacturing, IT service management, food)
  • Size-based inclusion criteria: Small and micro entities can now be included based on criticality
  • Mandatory group-level compliance: Subsidiaries of large groups cannot be exempted if the parent organisation is in scope 

NIS2 risk management & incident response

NIS2 requires in-scope entities to implement robust risk management and incident response measures. The framework breaks down into the following five areas; areas 4 and 5 are obligations on Member States themselves and are most relevant for governments and nationally significant organisations:

The five areas of the NIS2 framework:
1. Cyber security risk management

Entities must implement robust policies and procedures across key areas including:

  • Business continuity
  • Information security
  • Risk analysis
  • Incident handling
  • Supply chain security
2. Notification obligations

Entities must notify the designated national competent authority or CSIRT of significant cyber security incidents within the following timeframes:

  • 24 hours: early warning, indicating whether the incident is suspected to be malicious or to have cross-border impact
  • 72 hours: incident notification, with an initial assessment of severity, impact and indicators of compromise
  • Intermediate status updates when requested by the authority or CSIRT
  • One month after the incident notification: final report (or a progress report if the incident is still ongoing, followed by a final report within one month of handling it)
3. Cyber security information sharing

Entities must share cyber threat intelligence via trusted networks to strengthen collective cyber defences.

  • Who: Government agencies, national CSIRTs, private sector, cybersecurity firms, critical infrastructure operators

  • What: Information on new cyber threats, ongoing attack warnings, and best practices

  • Why: To prevent threat spread, speed up response times, and reduce financial and operational impact 

4. National cyber crisis management frameworks

EU Member States need cyber crisis management frameworks to ensure a coordinated and effective response to nationally significant cyber incidents, including:

  • National incident readiness
  • Detection & categorisation
  • Criminal investigation
  • Strategic Response
  • Incident management 
5. National cyber security strategy

Each Member State must develop a comprehensive national strategy including:

  • Objectives & priorities
  • Governance & responsibilities
  • Risk management
  • Incident response 
  • Supply chain security
  • Education & workforce development
Our services

We deliver end-to-end cyber security solutions tailored to NIS2 compliance, combining strategic consultancy, incident response, and information security with robust training and capacity building programmes. 

Our proven expertise in building national and organisational cyber resilience ensures our clients are prepared to manage risks, maintain strong defences, and respond effectively to cyber threats across all relevant sectors.

Cyber security consultancy

Developing a comprehensive cyber security strategy aligned with NIS2 requirements.

Business continuity planning

We help clients plan, prepare for and respond effectively to cyber incidents, ensuring uninterrupted operations in a crisis.

This includes implementing Business Continuity Management Systems (BCMS) aligned with ISO 22301 and NIS2 requirements for effective resilience and recovery.

Incident preparedness and response

We help organisations prepare for and respond to cyber incidents with speed and confidence. 

We design and test incident response plans and playbooks, defining incident categories, and ensuring coordination across teams, to minimise operational disruption.

Information security management

Auditing and implementing controls to protect sensitive data and critical systems.

Supply chain security
Assessing and securing third-party vendor relationships.

National Incident Management Framework implementation

We work with governments, regulatory bodies and critical infrastructure operators to design and implement national-level frameworks that define clear roles, responsibilities, and coordinated processes for managing cyber incidents across sectors and stakeholders.

Training and capacity building programmes

We deliver tailored training programmes designed to upskill personnel, enhance cyber security awareness, and build the capability to run effective cyber exercises aligned with international best practices.

Why choose PGI?

PGI offers in-depth, established expertise in building and enhancing national and organisational cyber resilience. 

We provide comprehensive, strategic services including incident response, business continuity, risk management, and information security, making us a trusted partner for all areas of NIS2 compliance.

Global trusted partner

We’ve successfully supported over fifty governments with incident response and resilience building across five continents

Collaborative approach

We work closely with stakeholders across key sectors and governments to ensure incident response frameworks are practical, widely adopted, and support cross-sector coordination.

Leaders in incident response

Our team have an established international reputation as a provider of incident preparedness and response expertise to governments, international agencies and corporate entities.

The 2025 UK Cyber Resilience Bill

The UK's upcoming Cyber Resilience Bill will establish a national framework to strengthen cyber defences, aligned with NIS2 and international cyber security standards. It is expected to affect UK organisations providing critical services, managed service providers (MSPs), their supply chain partners, and public sector bodies.

The recently published Cyber Governance Code of Practice closely aligns with both NIS2 and the upcoming 2025 UK Cyber Resilience Bill, and early implementation will be critical to minimise disruption ahead of future regulations.

Start preparing for the changes now

New cybersecurity laws can be daunting, but we’re here to ease the process. We can help ensure that your organisation not only meets current cyber security regulations but is also prepared for these future changes. 

If your organisation is already certified to ISO 27001 (Information security) or ISO 22301 (Business continuity), you should already be well positioned for the upcoming bill. However, it's essential to review your incident reporting, governance responsibilities, and supply chain security to ensure full compliance before the bill is implemented.

We're here to help! Get in touch with us today to find out how we can support you.

UK organisations that operate in the EU should also consider that they may already fall within the scope of NIS2, independently of the UK Cyber Resilience Bill.
