
Software built to live inside NIS2 from day one.

For organizations within the scope of the NIS2 Directive (critical manufacturing, energy, finance, healthcare, supply chain) that need software implementing the required technical controls. We develop applications with security-by-design built in and ready for audit.

[ THE PROBLEM ]

What happens today.

The NIS2 Directive (Directive (EU) 2022/2555, transposed in Italy by Legislative Decree 138/2024) has significantly extended the range of entities subject to cyber-security obligations. Essential sectors (energy, healthcare, transport, banking, digital infrastructure) and important sectors (manufacturing, food, postal, research, digital providers) are covered, including SMEs in the supply chain of covered entities.

The NIS2 technical requirements (incident management, encryption, MFA, audit logging, monitoring, business continuity, supply chain security) call for software that has these controls integrated from the start. Retrofitting them onto finished software at the end of a project typically costs 5-10x more than designing them in.

Important: we build software that implements the technical controls. Overall NIS2 compliance of your organization also requires organizational policies, governance and processes (vendor management, training, incident response plan), which remain the responsibility of you and your CISO/compliance consultant.

NIS2 compliance lives in the code, not in the slides. The difference shows at the first serious audit.

[ HOW IT WORKS ]

The solution, broken into parts.

  • Mapping NIS2 requirements → technical controls

    We identify the NIS2 requirements applicable to your sector and map them onto concrete technical controls: vulnerability management, audit log, MFA, encryption, monitoring, incident management, business continuity.

  • Security-by-design architecture

    Threat modeling (STRIDE) before any code is written. Architecture built on least privilege, network segregation and defense in depth. Modern stack with dependency vulnerabilities tracked and automated patching.

  • Audit log + continuous monitoring

    Every security-relevant action is logged in an append-only, tamper-evident, structured and exportable form. Continuous monitoring with anomaly alerts. Ready for the mandatory NIS2 incident notifications (early warning within 24 hours, incident notification within 72 hours).

  • Audit-ready documentation

    Architecture Decision Records, threat model, security-test evidence (SAST, DAST, penetration test), access policy. All documentation versioned, kept in sync with the code, PDF-exportable for inspections.
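
The audit-log bullet above names the properties (append-only, tamper-evident, structured, exportable, with anomaly alerts) but not a mechanism. The following is an added example, not code from this page or from the company behind it: a Python sketch of a JSON-lines audit log in which each record carries an HMAC over its own fields plus the previous record's MAC, a verifier that reports the first edited, deleted or reordered record, and a simple failed-login burst detector over the same records. The key, field names, sample events and thresholds are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Constructed key for this example only. In production the HMAC key belongs to
# the log-collection service (KMS/HSM), not to the application host, so an
# attacker who compromises the app cannot recompute the chain after editing it.
LOG_KEY = b"example-only-key-do-not-use-in-production"
GENESIS = "0" * 64


def _canonical(entry: dict) -> bytes:
    """Deterministic JSON encoding so the MAC covers exactly one byte string."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, actor: str, action: str, target: str,
                 outcome: str, ts: str) -> dict:
    """Append one structured audit record, MAC-chained to the previous one."""
    entry = {
        "seq": len(chain),
        "ts": ts,                                   # ISO 8601 timestamp, UTC
        "actor": actor,
        "action": action,
        "target": target,
        "outcome": outcome,
        "prev": chain[-1]["mac"] if chain else GENESIS,
    }
    entry["mac"] = hmac.new(LOG_KEY, _canonical(entry), hashlib.sha256).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Return (True, None) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i                         # reordered, deleted or spliced
        expected = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, i                         # field edited or MAC forged
        prev = entry["mac"]
    return True, None


def export_jsonl(chain: list) -> str:
    """One JSON object per line: the form an auditor or SIEM receives."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in chain)


def load_jsonl(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def failed_login_alerts(chain: list, threshold: int = 5, window_seconds: int = 300) -> list:
    """Raise one alert per actor the moment `threshold` failed logins fall inside
    a sliding window. The threshold and window are illustrative assumptions."""
    alerts, recent = [], {}
    for e in chain:
        if e["action"] != "login" or e["outcome"] != "failure":
            continue
        t = datetime.fromisoformat(e["ts"])
        times = recent.setdefault(e["actor"], [])
        times.append(t)
        while (t - times[0]).total_seconds() > window_seconds:
            times.pop(0)                            # expire events outside the window
        if len(times) == threshold:
            alerts.append({"actor": e["actor"], "count": len(times), "seq": e["seq"]})
    return alerts


def build_sample_chain() -> list:
    """Constructed sample events: one normal login, a brute-force burst, an export."""
    chain = []
    append_event(chain, "alice", "login", "portal", "success", "2024-05-01T10:00:00+00:00")
    for s in range(5):
        append_event(chain, "bob", "login", "portal", "failure",
                     f"2024-05-01T10:01:{s * 10:02d}+00:00")
    append_event(chain, "alice", "export", "customer-db", "success", "2024-05-01T10:05:00+00:00")
    return chain


def tamper_demo() -> dict:
    """Show that both editing and deleting a record are detected."""
    modified = build_sample_chain()
    modified[2]["outcome"] = "success"              # rewrite a failure as a success
    deleted = build_sample_chain()
    del deleted[3]                                  # drop one record from the middle
    return {"modified": verify_chain(modified)[1], "deleted": verify_chain(deleted)[1]}


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))                      # (True, None)
    print("round-trip:", verify_chain(load_jsonl(export_jsonl(chain))))
    print("tampering detected at:", tamper_demo())            # {'modified': 2, 'deleted': 3}
    print("alerts:", failed_login_alerts(chain))
```

Two caveats a practitioner would add. A MAC chain only proves integrity relative to the key holder: if the application host can reach the key, an attacker on that host can rewrite history and re-sign it, so the key stays with a separate collector and the head MAC is periodically anchored somewhere the application cannot write (a WORM bucket, a ticket, a remote log service). And the detector above is the simplest possible rule; it is there to show that the same structured records feed both the audit trail and the monitoring, not as a substitute for a SIEM.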

[ WHO IT'S FOR ]

The typical profiles who benefit.

  • Critical manufacturing (essential or important sector)

    Manufacturing companies within the NIS2 scope (chemicals, automotive, food, medical devices, critical suppliers to other supply chains). Must bring systems into compliance within national deadlines.

  • Energy & utilities (essential sector)

    Energy-sector companies (production, distribution, energy trading) and utilities. NIS2 has direct implications on OT, SCADA systems, industrial control.

  • Finance + digital infrastructure

    Financial institutions (NIS2 + DORA in parallel), digital service providers (cloud, DNS, marketplaces), data centers. Strict constraints on business continuity and incident handling.

[ WHAT WE NEED ]

Transparency on what the client does.

Before we start we need a few accesses and decisions. All reasonable, no surprise asks.

  • NIS2 scoping

    • Entity classification (essential, important, out of scope)
    • List of internal compliance roles (CISO, DPO, IT Manager)
    • Any audits already done, gap-analysis reports
  • System to build

    • Functional scope of the software to develop
    • Interoperability constraints (integrations with existing systems)
    • Availability target and RTO/RPO

[ TIME AND COST ]

Indicative numbers, not quotes.

TIME
Typically 4-9 months for a medium-sized application. The hardening and audit-ready documentation work adds 15-25% to the time of an equivalent non-regulated project.
COST
Range €60,000-300,000 depending on complexity. Compliance premium typically 15-25% over a non-regulated equivalent.
MODEL
Fixed milestones with go/no-go gates after threat modeling and after penetration testing.

Indicative numbers. For an accurate quote, let's talk.

[ FREQUENTLY ASKED ]

Answers to the most common questions.

Am I obligated by NIS2?

The NIS2 scope covers many sectors: energy, transport, banking, healthcare, digital infrastructure (essential), and manufacturing, postal, food, research, digital providers (important). The size threshold is that of a medium-sized enterprise: 50 or more employees, or annual turnover or balance sheet above €10M. SMEs in the supply chain of covered entities can fall within scope even below the threshold. Verify with your DPO/compliance consultant.

Do you also handle NIS2 organizational compliance?

No, and no serious software house does. NIS2 organizational compliance (policy, governance, vendor management, training, incident response plan, regulator communications) requires specialist compliance consulting, in the hands of your DPO/CISO/consultant. We deliver compliant software, a fundamental but not sufficient piece on its own.

Do you also build OT/ICS software?

We work on the IT side (ERPs, integration, dashboards, custom software). For pure OT (PLC, SCADA, DCS) we collaborate with specialist system integrators. On IT-OT integration (e.g. production data collection, industrial monitoring) we have direct experience, always cautious about safety constraints.

Are NIS2 sanctions significant?

Yes. For essential entities, fines of up to €10M or 2% of global annual turnover (whichever is higher); for important entities, up to €7M or 1.4%. Taking into account the additional administrative measures and the post-incident reputational damage, the compliance investment is typically well repaid.