Solutions · NIS2
NIS2 compliance, owned end to end
NIS2 raises the bar on cybersecurity risk management for essential and important entities across the EU, and it puts management bodies on the hook for it. Acuna runs the programme in one place: the risk-management measures, supply chain security, and incident reporting, each tied to a named owner and the evidence that proves it.
In short
NIS2 (Directive (EU) 2022/2555) requires essential and important entities to put in place cybersecurity risk-management measures, address supply chain security, and report significant incidents, with accountability sitting at management level. Acuna is a multi-framework GRC platform that operationalises those measures: it maps the NIS2 requirements once, keeps supply chain security tied to your vendor inventory, and ties every control to an owner and to evidence.
Turn a directive into a programme management can stand behind
NIS2 makes management bodies responsible for approving and overseeing cybersecurity risk-management measures. That changes the question from "do we have a policy" to "can leadership show the measures are real and maintained." The entities that handle NIS2 well are the ones where the measures, their owners, and their evidence live in one running system that leadership can see, rather than a set of documents that only exist for the audit.
One system for the whole NIS2 programme
NIS2 maps once across the four core panes, then supply chain security is carried by the extension your programme needs.
What it unlocks, and what waiting costs
| What a running NIS2 programme unlocks | What waiting costs |
|---|---|
| Risk-management measures with named owners that leadership can actually oversee. | Measures that exist on paper but have no owner and no maintenance cadence. |
| Supply chain security tied to your live vendor inventory, not a static supplier list. | Supply chain security treated as a one-time questionnaire rather than an ongoing control. |
| NIS2 work that reuses your ISO 27001 and DORA controls rather than duplicating them. | Management-level accountability with no running system to back it up. |
| Incident records and evidence that exist before the authority asks. |
We are early, so we will not quote a customer count. The mechanism is the argument: when the measures, their owners, and their evidence live in one system, leadership oversight and a supervisory answer both become a view rather than a project.
The hesitations worth naming
GRC ROI is genuinely hard to prove precisely. Use your own numbers below to build the internal case. These inputs are yours; the output is your estimate, not ours.
Pipeline at risk
Enterprise deal value
typical affected deal, annualised
CHF 200K
Deals blocked or slowed
per year, your estimate
3 deals
Security questionnaires
your team fills out, per month
5 / month
Questionnaire overhead
Hours per questionnaire
across all people involved (SIG/CAIQ often run 6–12 hrs)
6 hrs
All-in hourly cost
fully-loaded: salary + overhead of the person filling it
CHF 125
Acuna starts from
CHF 5'388 / year, all frameworks included
120×
your est. cost
These are your estimates, not ours. GRC ROI is notoriously hard to measure: most of the value is in deals not lost, incidents not escalated, and audits not rebuilt from scratch. Use this to structure the internal conversation, not as a number we stand behind.
Built by people who ran the programmes
Acuna is built and operated by an established Swiss GRC group led by practitioners with decades of combined experience in cybersecurity, audit, and governance. The platform models how a mature risk-management programme actually runs.
Supply chain security ties to your live vendor inventory.
Controls reuse across NIS2, DORA, and ISO 27001 on one core.
Priced per organisation, so every owner and reviewer is included.
Data hosted in Switzerland and the EU.