Solutions · NIS2

NIS2 compliance, owned end to end

NIS2 raises the bar on cybersecurity risk management for essential and important entities across the EU, and it puts management bodies on the hook for it. Acuna runs the programme in one place: the risk-management measures, supply chain security, and incident reporting, each tied to a named owner and the evidence that proves it.

Risk measures and supply chain on one systemNIS2 mapped alongside DORA and ISO 2700150+ frameworks on one core

In short

NIS2 (Directive (EU) 2022/2555) requires essential and important entities to put in place cybersecurity risk-management measures, address supply chain security, and report significant incidents, with accountability sitting at management level. Acuna is a multi-framework GRC platform that operationalises those measures: it maps the NIS2 requirements once, keeps supply chain security tied to your vendor inventory, and ties every control to an owner and to evidence.

Turn a directive into a programme management can stand behind

NIS2 makes management bodies responsible for approving and overseeing cybersecurity risk-management measures. That changes the question from "do we have a policy" to "can leadership show the measures are real and maintained." The entities that handle NIS2 well are the ones where the measures, their owners, and their evidence live in one running system that leadership can see, rather than a set of documents that only exist for the audit.

One system for the whole NIS2 programme

NIS2 maps once across the four core panes, then supply chain security is carried by the extension your programme needs.

Map the NIS2 risk-management measures once and crosswalk them to what you already run, so NIS2 reuses the controls you built for ISO 27001 and DORA rather than duplicating them.

Turn the measures into controls with named owners, so the risk-management measures NIS2 requires have accountable people behind them, which is exactly what management-level responsibility depends on.

Keep the programme current with recurring tasks and checks, so the measures stay maintained between reviews rather than decaying after the initial project.

Produce the evidence and incident records a competent authority asks for, and the view leadership needs to sign off, as a live state rather than a scramble.

Framework-specific extension

NIS2 Article 21(2)(d) requires you to address supply chain security as part of your risk-management measures. Supplier Shield operationalises that: third-party assessment, monitoring, and the contractual controls that sit behind supply chain security. See third-party risk management for the full capability.

What it unlocks, and what waiting costs

What a running NIS2 programme unlocks vs What waiting costs
What a running NIS2 programme unlocksWhat waiting costs
Risk-management measures with named owners that leadership can actually oversee.Measures that exist on paper but have no owner and no maintenance cadence.
Supply chain security tied to your live vendor inventory, not a static supplier list.Supply chain security treated as a one-time questionnaire rather than an ongoing control.
NIS2 work that reuses your ISO 27001 and DORA controls rather than duplicating them.Management-level accountability with no running system to back it up.
Incident records and evidence that exist before the authority asks.

We are early, so we will not quote a customer count. The mechanism is the argument: when the measures, their owners, and their evidence live in one system, leadership oversight and a supervisory answer both become a view rather than a project.

The hesitations worth naming

GRC ROI is genuinely hard to prove precisely. Use your own numbers below to build the internal case. These inputs are yours; the output is your estimate, not ours.

Pipeline at risk

Enterprise deal value

typical affected deal, annualised

CHF 200K

CHF 10KCHF 1M

Deals blocked or slowed

per year, your estimate

3 deals

015

Security questionnaires

your team fills out, per month

5 / month

020 / month

Questionnaire overhead

Hours per questionnaire

across all people involved (SIG/CAIQ often run 6–12 hrs)

6 hrs

1 hr40 hrs

All-in hourly cost

fully-loaded: salary + overhead of the person filling it

CHF 125

CHF 25CHF 500
Pipeline at riskCHF 600'000
Questionnaire overhead / year (5×/mo × 6 hrs × CHF 125)CHF 45'000
Total identifiable costCHF 645'000

Acuna starts from

CHF 5'388 / year, all frameworks included

120×

your est. cost

These are your estimates, not ours. GRC ROI is notoriously hard to measure: most of the value is in deals not lost, incidents not escalated, and audits not rebuilt from scratch. Use this to structure the internal conversation, not as a number we stand behind.

Built by people who ran the programmes

Acuna is built and operated by an established Swiss GRC group led by practitioners with decades of combined experience in cybersecurity, audit, and governance. The platform models how a mature risk-management programme actually runs.

  1. Supply chain security ties to your live vendor inventory.

  2. Controls reuse across NIS2, DORA, and ISO 27001 on one core.

  3. Priced per organisation, so every owner and reviewer is included.

  4. Data hosted in Switzerland and the EU.

NIS2: common questions.

Get started

Run NIS2 as a programme, not a policy binder

See how the measures, supply chain security, and evidence run in one place.