Productized advisory · Ongoing retainer

NIS2 Qualified Manager. A named accountable voice on retainer.

Article 20 of NIS2 makes management bodies personally accountable for cybersecurity oversight. For a mid-market entity without a dedicated CISO, that accountability sits awkwardly on the board. The Qualified Manager retainer puts a NIS2-qualified practitioner on your board papers — fixed monthly fee, fixed scope, named role.

Fixed monthly retainer · Hard cap of 3–4 simultaneous clients · CISSP · CISM practitioner
1.0 / What it is

A productized fractional NIS2 manager — not a generalist vCISO with a day rate.

The market calls this kind of role "fractional CISO" or "vCISO." We narrow it on purpose. The retainer covers NIS2 governance, supplier-assurance oversight, and the documents your board, auditor, and supervisory authority actually ask for. Not the full breadth of a generalist security leader.

Two non-negotiable productization rules. First, the fee is fixed monthly per engagement, not hourly. Second, the engagement floor is one day a month and the ceiling is one day a week per client. Beyond a day a week it stops being fractional — we say so and route you to a full-time hire instead.

We hold a hard cap of three simultaneous engagements (occasionally four during transitions) so the role on your board paper is one a practitioner can actually fulfil.

2.0 / What you get

Three named deliverables. Signed. Defensible.

The retainer produces a small, predictable set of documents on a known cadence — the same documents your board, auditor, and supervisory authority will reach for first.

Monthly

Board-ready cybersecurity paper

Three to five pages. Posture, supplier-portfolio movement, open exposures, mitigation status. Written so a non-technical board can act on it. Signed.

Quarterly

NIS2 risk-management review

Article 21 control review against the live state of your environment. Gaps named, remediation owners proposed, decision-trace updated.

Annual

Audit-readiness sign-off

A practitioner-signed statement of NIS2 audit readiness — what is in place, what is open, what is still being remediated. The document an auditor or regulator opens first.

3.0 / How the engagement is sized

One day a month, up to one day a week. The day-band sets the price.

We size the retainer to the accountability scope, not the hour. You pick a band during scoping; we hold to it for the term. Step-changes happen at a renewal, not mid-month.

Engagement size range (diagram): the retainer scales from one day per month at the lower band up to one day per week at the upper band. Pricing follows the day-band; the engagement structure is constant. Anywhere on this band is a valid engagement size.
Floor
1 day / month

For a mid-market buyer with a small supplier base, an existing IT lead, and a board that just needs a credible NIS2 voice on its monthly papers.

Common middle
½ day / week

For an entity with 30–80 critical suppliers, ongoing assurance demands from customers, and quarterly board reporting cycles to support.

Ceiling
1 day / week

For an entity in heavier NIS2 scope — sector-specific guidance, an active audit programme, supplier-incident tempo. Beyond this, the engagement is no longer fractional and we say so.

4.0 / Pricing

Fixed monthly fee. Scope-driven. No day rate.

The price is set per engagement during the discovery call, against the day-band you fall into and the accountability scope you need named. It is then held flat for the term — no hourly billing, no creeping consultancy invoices.

We do not publish a single retainer price because the day-band moves it materially. What we will commit to in writing: the price you hear on the discovery call is the price for the term. No quote cycle, no procurement pantomime.

How buyers usually arrive here

Most retainer engagements start with the NIS2 Supplier Exposure Assessment — a one-off, two- to three-week engagement that produces a written exposure report and a prioritised remediation plan. The Assessment tells you where you are exposed. The retainer holds accountability for closing the gap.

Going straight to the retainer is fine when the buyer already knows the shape of their NIS2 obligations and just needs a named accountable voice on board papers.

5.0 / Who it's for

Mid-market entities in NIS2 scope without a dedicated CISO.

  • Mid-market entities (50–500 staff) in NIS2 scope without a dedicated CISO
  • Entities whose board has woken up to Article 20 personal-accountability exposure
  • Companies whose customers now demand a named manager on the supplier-assurance side
  • Buyers who completed the Exposure Assessment and need ongoing accountability for the remediation plan

If you already have a full-time CISO with NIS2 fluency, you do not need this. If you do not — and your management body has just realised what Article 20 personally obliges them to oversee — this is the gap-filler.

6.0 / What this is not

Naming the scope earns trust.

We do not do the things below. Saying so up front saves a quote cycle on both sides.

  • 24/7 SOC or managed-detection coverage
  • Endpoint management or operational IT
  • Unbounded consultancy with day rates and quote cycles
  • A subcontracted CISO badge for procurement to tick a box without engagement

7.0 / Together with the Assessment

Two engagements, one continuous arc.

Step 1 · One-off

Supplier Exposure Assessment

Two to three weeks. €3,500. Written exposure report, prioritised remediation plan, supplier risk-tier matrix. Tells you where you are exposed today.

Step 2 · Ongoing

Qualified Manager retainer

Fixed monthly fee. Three named deliverables. Holds accountability for closing the gap the Assessment surfaced and for the ongoing oversight Article 20 demands.


Many buyers do the Assessment first. Some go straight to the retainer. We are explicit about the right starting point during the discovery call.

8.0 / Common questions

FAQ

Is this a vCISO service?

It overlaps with what the market calls vCISO, but with two productized constraints. (1) The scope is NIS2 governance and supplier assurance — not the full breadth of a generalist vCISO. (2) The fee is fixed monthly per engagement, not a day rate against an open ceiling. If you need a generalist fractional CISO, we are not the right answer.

Why the hard cap on simultaneous clients?

A NIS2-qualified manager named on your board papers needs to actually know your environment. We cap simultaneous engagements at three, occasionally four during transitions, so each client gets the focus the role implies. When the cap is full, new engagements join a waitlist.

How is this priced?

Fixed monthly fee per engagement, agreed during scoping and held for the term. Sized by the day-band you fall into (1 day/month to 1 day/week) and the accountability scope. No hourly billing, no day rate. We send you a price during the discovery call, not after a proposal cycle.

How does this fit with the Supplier Exposure Assessment?

The Assessment is one-off — it produces a written exposure report and remediation plan in two to three weeks. The Qualified Manager retainer is what you engage afterwards if the gap is bigger than a one-off engagement can close. Many buyers do the Assessment first, then take the retainer to hold accountability for the remediation.

Will you be named in our regulator filings?

Where the regulator requires a named cybersecurity manager and your structure permits an external party to fill the role, yes. We write the named role into the engagement agreement so it is unambiguous to your supervisory authority and your board.

What happens at the end of a term?

Engagements run on a rolling basis with a defined exit cadence. We hand over the decision-trace, the open-issues register, and the audit-readiness statement so the role can move in-house or to another provider without information loss.

9.0 / Get started

Need a NIS2-qualified manager on your board paper next month? Let us see if we are the right fit.

30 minutes. NDA-first. We tell you up front whether the retainer makes sense for your stage, or whether the Assessment is the better starting point.