Compliance & Information Security | ITanic
Cybersecurity Compliance & Information Security
NIS2 · CRA · ISO 27001

Demonstrably implement NIS2 and CRA requirements.

Gap analysis, action planning, documentation, and audit preparation. Our managing directors are certified NIS2 consultants. We bring your company into compliance and keep it there.

NIS2 Gap Analysis · Muster GmbH (4 gaps)
Requirements under Article 21
Risk management process documented: OK
Incident Response Plan in place: GAP
Backup & Restore tested: PARTIALLY
Proven supply chain security: GAP
Reporting requirements defined (72 hours): OK
NIS2 Compliance Status: 54%

The problem

Compliance is no longer an option. But very few people know where they stand.

NIS2 has been law in Austria since October 2024. Many affected companies are not yet aware of this. Those who fail to meet the requirements risk fines of up to 10 million euros and personal liability for management.

In addition, the Cyber Resilience Act will take effect in 2027 for all manufacturers of products with digital components. The time available for implementation is running out.

€10 million: Maximum fine for NIS2 violations
72h: Mandatory reporting following the detection of a security incident

Many companies are unaware of their obligations

NIS2 does not only affect critical infrastructure. Small and medium-sized enterprises in the energy, healthcare, IT, transportation, and manufacturing sectors are also often directly affected.

Compliance without implementation protects no one

A compliance document is no guarantee of protection. If you simply check boxes without actually implementing the measures, you have a piece of paper, but no security.

Managing directors are personally liable

Under NIS2, management may be held directly liable for failure to comply. This is not merely a theoretical risk; it is enshrined in law.

01 Services

From the scope assessment to the completed audit.

We guide you through the entire compliance process: determining whether you are affected, identifying gaps, implementing measures, and providing evidence.

NIS2 Consulting
Impact · Gap Analysis · Implementation
Cyber Resilience Act
CRA · Product Safety · Manufacturers
ISO 27001
ISMS · Audit Preparation · Documentation
Guidelines & Documentation
Policies · Documentation · Notifications to Authorities
You will receive
Find out if and how you are affected
Complete Gap Report pursuant to Article 21
Prioritized action plan with a timeline
We'll take care of it
Technical and organizational implementation
Policies, processes, and training materials
Communication with government agencies upon request
In the end, you have
Documentation that meets regulatory and audit requirements
Verifiable NIS2 compliance status
Ongoing monitoring and updating
NIS2 Compliance Status · Typical SME Profile Based on a Gap Analysis
Already completed (4): Backup & Recovery, Cryptography, Access Control
In progress (3): Incident Response Plan, MFA Rollout, Vulnerability Management
Need for action (3): Risk analysis is missing, Supply Chain Security, Security Awareness

Not sure if your company is subject to NIS2?
Start the free quick check or book an initial consultation right away.
02 Procedure

From the question "Am I affected?" to proof of compliance.

Compliance is not a one-time project. We structure the process so that each step is traceable and builds on the next.

Compliance Process

01 Impact Assessment

We determine whether and to what extent your company falls under NIS2 or the CRA. Your industry, company size, revenue, and type of business determine your classification. The result: clarity instead of guesswork.

1–2 hours

02 Gap Analysis

We assess your current situation against all relevant requirements. Every gap is documented, evaluated, and prioritized. The result: a comprehensive overview of your compliance status, complete with specific recommendations for action.

1–2 weeks

03 Action Plan and Prioritization

Based on the gap analysis, we develop a prioritized action plan with a realistic timeline, clear responsibilities, and a budget estimate.

1 week

04 Technical and organizational implementation

We support the implementation of both aspects: policies, processes, and training on the organizational side, and technical measures carried out by our security team on the technical side.

4–12 weeks

05 Documentation and Audit Preparation

All measures are documented in a verifiable manner. We prepare all documentation that authorities, auditors, or business partners might request, including an incident response plan and reporting procedures.

Ongoing
Both managing directors are certified NIS2 consultants.
Talk directly with a certified NIS2 consultant about your situation.
Why ITanic

Compliance based on genuine expertise.

NIS2 is not a checklist project. The requirements are both technical and organizational. We deliver on both fronts.

Certified. More than just consulting.

Both managing directors hold the official NIS2 consultant certification. Philipp Trummer, BSc, MSc, MA, also works as a speaker and lecturer on cybersecurity. He is one of the few certified NIS2 consultants in Austria.

Compliance and technology, all under one roof.

NIS2 requires EDR, patch management, and incident response—not just documentation. We provide both: consulting and technical implementation, all handled by the same team.

You are personally liable. We've got you covered.

NIS2 legally establishes the personal liability of management. Our documentation is structured in such a way that it can withstand an inspection by regulatory authorities and a customer audit.

Austrian law. No translated EU checklist.

The implementation of NIS2 in Austria follows national regulations. We are familiar with the relevant authorities, local reporting deadlines, and procedures—not just the EU directive.

FAQ

Your questions about NIS2 and compliance.

NIS2 Impact
How can I tell if my company is subject to NIS2?
NIS2 applies to companies in certain sectors (energy, healthcare, water, IT, transportation, financial markets, and others) that meet certain size thresholds (50 or more employees or €10 million in revenue for "important facilities," and 250 or more employees or €50 million for "essential facilities"). Suppliers to critical infrastructure may also be affected. In a free initial consultation, we will determine exactly how you are affected.
What happens if I ignore NIS2?
Fines of up to 10 million euros or 2 percent of global annual revenue may be imposed. In addition, management may be held personally liable in cases of proven negligence. Regulatory authorities may also order temporary restrictions on operations.
Implementation and effort
How long does NIS2 implementation take?
That depends on your current situation. Companies that already have a strong security culture often need 3 to 6 months. Companies starting from scratch should plan for 6 to 12 months. After conducting a gap analysis, we will create a realistic timeline tailored to your specific situation.
Can I implement NIS2 with my existing IT team?
You don’t need technical specialists for the organizational aspects (policies, processes, training). However, technical expertise is required for the technical aspects (EDR, patch management, backup, segmentation). We support you with both and take the load off your internal team where appropriate.
Cyber Resilience Act
What is the Cyber Resilience Act, and who does it affect?
The CRA is an EU regulation that will apply to all manufacturers and distributors of products with digital elements—including software, network-connected hardware, and IoT devices—starting in 2027. The regulation affects companies that develop, distribute, or import such products. The requirements cover security by design, vulnerability management, and documentation throughout the entire product lifecycle.
How does the CRA differ from NIS2?
NIS2 applies to companies that provide critical services and requires organizational and technical security measures to be implemented in their operations. The CRA applies to manufacturers and distributors of products with digital components and requires security to be built into the product itself—by design—throughout its entire lifecycle. A company may be subject to both sets of regulations at the same time.
Next step
Compliance provides the framework. Consulting fills it with practical risk management.

Compliance isn't a question of "if," but of "when."

Talk to a certified NIS2 consultant today. We’ll assess your compliance status, identify any gaps, and guide you through the process until you’ve demonstrated compliance.

Free and with no obligation
Certified NIS2 Consultants
Austrian Law and Government Structure