Two engagements. Both productized. Both honest about scope.
A one-off Supplier Exposure Assessment that hands you back an audit-ready picture in two to three weeks. A Qualified Manager retainer that puts a NIS2-qualified voice on your board papers month after month. Fixed scope, fixed price, no day rate either way.
The same practitioner. Two productized shapes.
We deliver one of two engagements. They share a practitioner and a discipline; they differ on shape, cadence, and where you are with NIS2.
NIS2 Supplier Exposure Assessment
A practitioner walks your supplier portfolio against Article 21(2)(d), risk-tiers each supplier, and hands back a written exposure report with a prioritised remediation plan. €3,500 fixed.
See the Assessment

NIS2 Qualified Manager retainer
A NIS2-qualified practitioner named on your board papers. Monthly board paper, quarterly risk-management review, annual audit-readiness sign-off. Fixed monthly fee, scope-driven, hard-capped at three to four simultaneous clients.
See the retainer

| Dimension | Assessment | Qualified Manager retainer |
|---|---|---|
| Shape | One-off engagement | Ongoing monthly retainer |
| Duration | Two to three weeks | Rolling term |
| Pricing | €3,500 fixed | Fixed monthly fee, scope-driven |
| Output | Written exposure report + remediation plan | Monthly board paper, quarterly review, annual sign-off |
| Named role | Practitioner — engagement-bound | Practitioner — named on board papers |
| Best for | Buyers asking "where are we exposed?" | Buyers needing accountable oversight ongoing |

Three short scenarios.
Your board needs an answer to "where are we exposed under NIS2?" — and they need it on paper, fast.
Start with the Assessment.
You have already done an assessment (or you know your gaps) and now you need a NIS2-qualified voice on monthly board papers.
Engage the Qualified Manager.
You need both — a written exposure picture now, and a named accountable manager to close the gap going forward.
Start with the Assessment, continue with the retainer.
The discipline is the same either way.
- Productized — fixed scope, no quote cycle, no proposal pantomime
- Fixed price — set during the discovery call, held for the term
- No day rate — we sell deliverables and named roles, not consultancy hours
- Practitioner-delivered — CISSP, CISM, banking and pharma background
- NDA-first — supplier lists, contracts, and evidence stay with you
Naming the scope earns trust.
Neither engagement is the things below. Saying so up front saves a quote cycle on both sides.
- Managed security services or 24/7 SOC
- Unbounded consultancy with day rates and scope creep
- A subcontracted CISO badge for procurement to tick a box
- Anything we do not have the standing to deliver under NIS2
One discovery call covers either engagement.
We tell you which one fits.
30 minutes. NDA-first. Honest scoping — including the cases where neither engagement is the right answer for where you are today.
