NIS2 Is Here. The Compliance Industry Doesn't Want You to Know It's a €99/mo Problem.
If you're running a tech company in the EU and haven't heard of the NIS2 Directive yet, you're about to get an unpleasant surprise. If you have heard of it but assumed it doesn't apply to you — it probably does. And if you've already received a quote from a compliance consultant, you've probably seen a number north of €50,000.
Here's what the compliance industry doesn't want you to know: the technical requirements of NIS2 are not mysterious. They're not ambiguous. And for most companies, meeting them doesn't require a six-figure consulting engagement. It requires the right tooling and a clear understanding of what the directive actually asks for.
What Is NIS2 and Why Should You Care?
The NIS2 Directive (Directive (EU) 2022/2555) is the EU's updated framework for cybersecurity across essential and important entities. It replaced the original NIS Directive, dramatically expanding its scope and teeth.
The original NIS Directive applied to a narrow set of "essential services" — think energy grids, water utilities, banks. Most tech companies could ignore it.
NIS2 is different. It applies to any medium or large company (50+ employees or €10M+ turnover) operating in sectors including digital infrastructure, ICT service management, cloud computing, data centers, managed services, and SaaS platforms. If you're a B2B SaaS company in the EU with more than 50 employees, you're almost certainly in scope.
The penalties are real. We're talking fines up to €10 million or 2% of global annual turnover — whichever is higher. And unlike GDPR where enforcement has been slow, NIS2 explicitly holds management personally liable. Your board can be held accountable for non-compliance.
The deadline has passed. EU member states were required to transpose NIS2 into national law by October 17, 2024. This isn't a future problem — it's a now problem.
What NIS2 Actually Requires
Strip away the legal language and NIS2 boils down to Article 21, which lists the cybersecurity risk-management measures that in-scope entities must implement. Here's what it covers:
1. Risk Analysis and Information System Security Policies
You need documented security policies and a systematic approach to identifying and assessing risk. This isn't about writing a 200-page security manual that nobody reads. It's about having a clear, current picture of your security posture and knowing where your vulnerabilities are.
2. Incident Handling
NIS2 introduces strict incident reporting timelines. You must provide an early warning within 24 hours of becoming aware of a significant incident, a detailed notification within 72 hours, and a final report within one month. You can't report what you can't detect.
3. Business Continuity and Crisis Management
Backups, disaster recovery, redundancy. Standard operational resilience that most well-run engineering teams already have in place.
4. Supply Chain Security
This is where it gets interesting. NIS2 requires you to assess and manage cybersecurity risks in your supply chain — including your software dependencies, container images, and third-party services. You need to know what's in your stack and whether it's vulnerable.
5. Security in Network and Information Systems
Vulnerability handling, disclosure, and basic cyber hygiene. This covers everything from patching known CVEs to securing your cloud configuration to managing access controls.
6. Cryptography and Encryption
Policies for the use of cryptography and, where appropriate, encryption. Not rocket science, but you need to demonstrate you're doing it.
7. Human Resources Security and Access Control
Who has access to what, and how do you manage it? Multi-factor authentication, role-based access, the principle of least privilege.
8. Multi-Factor Authentication and Continuous Authentication
NIS2 explicitly calls out MFA and secure authentication. If you're still running on passwords alone, this is your wake-up call.
The €50,000 Question
Here's where the compliance industry has built a very profitable business. The typical NIS2 compliance path looks like this:
- Hire a compliance consultant — €15,000 to €50,000 for a gap assessment
- Buy a GRC platform (Vanta, Drata, etc.) — €10,000 to €30,000/year
- Hire or contract a security team to remediate findings — €100,000+/year
- Repeat annually for ongoing compliance
For a 50-person startup that just crossed the NIS2 threshold, this is a devastating cost. It's the kind of expense that kills growth, delays hiring, and forces painful trade-offs.
And here's the dirty secret: most of what consultants charge €50K to assess can be automated.
The gap assessment? It's checking your cloud configuration against known security controls. Automated.
The vulnerability scanning? Every major framework — CIS, PCI DSS, ISO 27001 — maps to specific technical checks. Automated.
The supply chain analysis? SBOM generation and dependency scanning. Automated.
The compliance reporting? Mapping scan results to framework controls and generating evidence. Automated.
What you're paying €50K for is not expertise — it's someone else running tools that you could run yourself.
How NIS2 Maps to Technical Controls
The genius (or cynicism, depending on your perspective) of the compliance industry is making NIS2 seem impossibly abstract. "Risk analysis and information system security policies" sounds like it needs a team of consultants. In reality, it maps to concrete technical checks:
| NIS2 Requirement | What It Actually Means | Technical Control |
|---|---|---|
| Risk analysis | Know your vulnerabilities | Cloud security posture scanning (CSPM) |
| Supply chain security | Know your dependencies | SBOM generation, container scanning, dependency analysis |
| Vulnerability handling | Find and fix CVEs | Code scanning, container CVE detection, IaC analysis |
| Network security | Secure your infrastructure | Cloud misconfiguration detection, Kubernetes hardening |
| Access control | Least privilege, MFA | IAM analysis, secrets detection |
| Incident detection | Know when things break | Continuous monitoring, drift detection |
| Cryptography policies | Encryption in transit/at rest | Cloud posture checks for encryption settings |
| Business continuity | Backup and recovery | Infrastructure scanning for redundancy configuration |
Every single item in this table is a technical check that can run automatically, on a schedule, without a human in the loop. The question isn't whether automation can cover NIS2 — it's why anyone is still paying consultants to do it manually.
What Nuvm Does for NIS2
Nuvm runs 9 security scanners from a single dashboard. Here's how they map directly to NIS2 requirements:
Cloud Security Posture Management (CSPM) — scans your GCP, AWS, or Azure configuration against CIS Benchmarks and NIS2-aligned controls. Catches misconfigurations like public storage buckets, overly permissive IAM roles, unencrypted databases, and missing audit logging. This single scanner covers a massive portion of NIS2's risk analysis and network security requirements.
Container Scanning — analyzes your Docker images for known CVEs before they reach production. NIS2's supply chain security requirement isn't just about your vendors — it's about the base images you build on.
Dependency Scanning — checks your application dependencies for known vulnerabilities. If you're running a Node.js app with 800 transitive dependencies, you need to know which ones have published CVEs.
SBOM Generation — produces a Software Bill of Materials for your entire stack. NIS2's supply chain provisions require you to know exactly what's in your software. An SBOM gives you that answer, automatically.
Infrastructure as Code (IaC) Scanning — catches security issues in your Terraform, CloudFormation, or Kubernetes manifests before they're deployed. Shift-left security that prevents misconfigurations from ever reaching production.
Code Security Scanning — static analysis for your source code. Catches hardcoded credentials, SQL injection vectors, XSS vulnerabilities, and other OWASP Top 10 issues.
Secrets Detection — finds exposed API keys, passwords, and credentials across your codebase. Nuvm doesn't just find them — it verifies whether they're still active. A leaked AWS key that's been rotated is noise. An active one is a breach waiting to happen.
Kubernetes Security — if you're running K8s, Nuvm scans your cluster configuration for security best practices. Network policies, pod security, RBAC configuration.
Web Application Scanning — DAST scanning of your public-facing endpoints for common vulnerabilities.
The Unified Compliance Engine
Here's where it comes together. Each of those 9 scanners doesn't just produce a list of findings — every finding automatically maps to compliance framework controls.
When Nuvm runs a CSPM scan and finds that your Cloud SQL instance doesn't have SSL enforced, that's not just a "misconfiguration." It's a finding that maps to:
- NIS2 Article 21(2)(e) — security in network and information systems
- ISO 27001 A.8.24 — use of cryptography
- PCI DSS 4.0 Req 4 — protect cardholder data with strong cryptography
- SOC 2 CC6.1 — logical and physical access controls
One finding. Four frameworks. Zero manual mapping.
This is what compliance consultants spend weeks doing in spreadsheets. Nuvm does it in the time it takes to run a scan.
When your auditor asks for evidence that you're meeting NIS2's cryptography requirements, you don't scramble to compile screenshots. You click "Export" and hand them a PDF with every relevant finding, its current status, remediation history, and the specific NIS2 article it maps to.
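The Cloud SQL example above, worked through in code as an added illustration (this is not Nuvm's code): a posture check that evaluates an instance resource, emits findings, and attaches the framework control ids listed above so the result can be grouped per framework for an auditor. The field names `requireSsl`, `sslMode` and `ipv4Enabled` follow the Cloud SQL Admin API instance resource as I understand it; the public-IP control mapping, the check names and the sample instances are constructed for the example.

```python
from dataclasses import dataclass

# Control ids for the "SSL not enforced" finding, as listed in the article.
SSL_NOT_ENFORCED_CONTROLS = {
    "NIS2": "Article 21(2)(e)",
    "ISO 27001": "A.8.24",
    "PCI DSS 4.0": "Req 4",
    "SOC 2": "CC6.1",
}
# Hypothetical mapping for a public-IP finding (an assumption, not from the article).
PUBLIC_IP_CONTROLS = {"NIS2": "Article 21(2)(e)", "SOC 2": "CC6.1"}
# sslMode values that reject unencrypted connections (Cloud SQL Admin API, assumed).
ENFORCED_SSL_MODES = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}

@dataclass(frozen=True)
class Finding:
    instance: str
    check: str
    severity: str
    controls: dict

def check_cloud_sql_instance(inst: dict) -> list:
    """Evaluate one Cloud SQL instance resource and return its findings."""
    name = inst.get("name", "<unnamed>")
    ip_cfg = inst.get("settings", {}).get("ipConfiguration", {})
    findings = []
    # SSL counts as enforced only if requireSsl is true or sslMode is encrypted-only;
    # a missing key means the default (unencrypted allowed), so that is a finding too.
    enforced = ip_cfg.get("requireSsl", False) or ip_cfg.get("sslMode") in ENFORCED_SSL_MODES
    if not enforced:
        findings.append(Finding(name, "cloudsql-ssl-not-enforced", "HIGH", SSL_NOT_ENFORCED_CONTROLS))
    if ip_cfg.get("ipv4Enabled", False):
        findings.append(Finding(name, "cloudsql-public-ip", "MEDIUM", PUBLIC_IP_CONTROLS))
    return findings

def scan(instances) -> list:
    """Run the check over every instance and flatten the findings."""
    return [f for inst in instances for f in check_cloud_sql_instance(inst)]

def evidence_by_framework(findings, framework: str) -> dict:
    """Group findings under one framework's control ids: the view an auditor asks for."""
    out = {}
    for f in findings:
        ctrl = f.controls.get(framework)
        if ctrl:
            out.setdefault(ctrl, []).append(f"{f.instance}: {f.check}")
    return out

# Constructed sample instances, shaped like `gcloud sql instances describe` output.
SAMPLE_INSTANCES = [
    {"name": "prod-db", "settings": {"ipConfiguration": {"ipv4Enabled": True}}},
    {"name": "hardened-db", "settings": {"ipConfiguration": {"ipv4Enabled": False, "sslMode": "ENCRYPTED_ONLY"}}},
]
```

`evidence_by_framework(scan(SAMPLE_INSTANCES), "NIS2")` yields the per-article grouping the export described above would contain; the same findings list answers an ISO 27001 or PCI DSS request without re-scanning.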
What This Actually Costs
Let's be blunt about pricing, because the compliance industry thrives on opacity.
The traditional path:
- Gap assessment: €15,000 – €50,000
- GRC platform: €10,000 – €30,000/year
- Security tooling (multiple vendors): €20,000 – €100,000/year
- Annual re-assessment: €10,000 – €25,000
Total first year: €55,000 – €205,000
With Nuvm:
- All 9 scanners, unified compliance mapping, PDF reports: from €79/mo
- No gap assessment needed — Nuvm IS the assessment
- No separate GRC platform — compliance evidence is built in
- No multi-vendor security stack — everything in one dashboard
Total first year: €948 – €1,188
That's not a typo. The difference is two orders of magnitude.
"But Surely You Need a Consultant for the Legal Parts?"
Fair question. NIS2 has legal and organizational requirements that go beyond technical controls — governance structures, board accountability, incident reporting procedures, staff training programs.
Here's the thing: those organizational requirements are straightforward. The governance structure? Document who's responsible for security. The incident reporting? Set up a process to notify your national authority within 24 hours. Staff training? Run a quarterly security awareness session.
None of this requires a €50K consulting engagement. A competent CTO can set up the organizational controls in a week. What takes real effort — and where companies actually fail compliance — is the technical evidence. Proving that your systems are configured securely. Proving that your dependencies are patched. Proving that your infrastructure meets the security baseline.
That's the hard part. And that's exactly what Nuvm automates.
Getting Started — The 30-Minute NIS2 Plan
1. Sign up for Nuvm (5 minutes) — connect your cloud account with read-only access. No agents to install, no infrastructure changes.
2. Run your first scan (5 minutes to start, results within 15 minutes) — all 9 scanners run in parallel. You'll see your security posture across cloud config, containers, code, dependencies, secrets, IaC, Kubernetes, and web apps.
3. Check your NIS2 compliance score (2 minutes) — open the compliance dashboard. See which NIS2 articles you're meeting and which have gaps.
4. Export your first report (1 minute) — generate a PDF that maps every finding to the relevant NIS2 article. This is the document your auditor wants to see.
5. Start remediating (ongoing) — Nuvm ranks findings by risk and gives you plain-English remediation steps. Fix the critical ones first. Your compliance score updates in real time.
That's it. No consultants. No six-month projects. No €50K invoices.
The Bottom Line
NIS2 is real. The penalties are real. The deadline is already past. But the compliance industry's pricing isn't a reflection of the problem's complexity — it's a reflection of how much fear they can generate.
The technical requirements of NIS2 are concrete, measurable, and automatable. You don't need a consultant to tell you that your S3 bucket is public, your container base image has 47 critical CVEs, or your Terraform files are deploying unencrypted databases.
You need a scanner that checks, a dashboard that shows, and a report that proves.
That's what Nuvm does. From €79/mo. No sales calls, no contracts, cancel anytime.
The compliance industry is selling you a €50,000 solution to a €99 problem. Stop overpaying.