Compliance & Regulations

GDPR, NIS2, ISO 27001, DORA — we navigate the regulatory maze for you.


The European regulatory landscape has changed dramatically. NIS2 is now in effect, cumulative GDPR fines run into billions of euros (the largest single fine so far is €1.2 billion), and DORA is reshaping the financial sector. Non-compliance risks not just fines, but the loss of clients and business partners who increasingly demand proof of compliance from their suppliers.

Compliance documentation and regulations

NIS2 — The New Cybersecurity Reality in the EU

NIS2 (the second Network and Information Security Directive, Directive (EU) 2022/2555) is the most significant change in European cybersecurity in a decade. Member states, including Bulgaria, were required to transpose it into national law by October 17, 2024 and to apply the national measures from October 18, 2024.

Who is Affected?

NIS2 dramatically expands scope — from a few hundred to thousands of organizations:

Essential Entities

Energy, transport, banking and financial market infrastructure, healthcare, drinking water and wastewater, digital infrastructure, ICT service management (B2B), public administration, space. Fines up to €10 million or 2% of global annual turnover, whichever is higher.

Important Entities

Postal and courier services, waste management, chemicals, food, manufacturing (medical devices, computers and electronics, electrical equipment, machinery, automotive and other transport equipment), digital providers (online marketplaces, search engines, social networking platforms), research. Fines up to €7 million or 1.4% of global annual turnover, whichever is higher.

Criteria: Medium and large enterprises in the affected sectors automatically fall under NIS2, i.e. companies with 50 or more employees, or with annual turnover (or balance sheet total) above €10 million. Smaller companies can still be included if they are the sole provider of a service in a member state, if a disruption would have significant cross-border or systemic impact, or if they are otherwise critical to a supply chain.

What Does NIS2 Require?

  • 24h: early warning to the competent authority or CSIRT
  • 72h: incident notification with an initial assessment of severity and impact
  • 1 month: final report with root cause analysis and mitigation measures
  • Continuous monitoring and audits by the supervisory authority

Key requirements include:

  • Risk Management — risk analysis, cybersecurity policies and procedures
  • Incident Handling — response plan, incident team, notification within 24/72 hours
  • Business Continuity — backup, DR plans, testing
  • Supply Chain Security — vendor assessment, contractual clauses
  • Vulnerability Management — regular testing, patch management
  • Cryptography & Encryption — policies for use of cryptography
  • Access Management — MFA, principle of least privilege
  • Training — regular security awareness for all employees
  • Management Accountability — C-level management bears personal responsibility

⚠️ Personal Liability: NIS2 makes management bodies responsible for approving and overseeing cybersecurity risk-management measures, and they can be held liable under national law for infringements. For essential entities, the supervisory authority can also temporarily prohibit the CEO or legal representative from exercising management functions until the non-compliance is remedied.

GDPR — Still the Strictest

GDPR audit and compliance check

GDPR (General Data Protection Regulation) remains the foundation of data protection in the EU. Key aspects businesses often miss:

  • DPIA (Data Protection Impact Assessment) — mandatory whenever processing is likely to result in a high risk to individuals, e.g. large-scale processing of special-category data, systematic monitoring of public areas, or profiling with legal effects
  • DPO (Data Protection Officer) — mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special-category data
  • Right to Erasure — you must be able to delete a customer's data on request without undue delay and at the latest within one month (extendable by a further two months for complex requests)
  • Data Breach Notification — 72 hours to the supervisory authority
  • Privacy by Design — data protection must be built into every new product or process
  • Transfer Outside EU — Standard Contractual Clauses or Adequacy Decision for third countries
  • Billions of euros in cumulative GDPR fines to date
  • €1.2B: largest single fine (Meta, 2023)
  • 72h: breach notification deadline to the supervisory authority
  • €20M or 4% of global annual turnover, whichever is higher: maximum fine

DORA — For the Financial Sector

DORA (Digital Operational Resilience Act) has applied since January 17, 2025 and affects:

  • Banks and credit institutions
  • Insurance companies
  • Investment firms
  • Payment institutions
  • Crypto-asset service providers
  • ICT third-party providers to financial institutions (including cloud and SaaS): critical providers come under direct EU oversight, and all others must meet DORA's contractual requirements to keep their financial-sector clients

DORA requires:

  • ICT Risk Management Framework — documented framework for ICT risk management
  • Incident Reporting — classification and reporting of ICT incidents
  • Digital Operational Resilience Testing — penetration testing, threat-led testing (TLPT)
  • Third-party Risk Management — register and assessment of all ICT providers
  • Information Sharing — sharing threat intelligence between institutions

ISO 27001 — The Gold Standard

ISO 27001 is not a regulation but the international standard for information security management systems (ISMS). It is increasingly required by clients and partners as a prerequisite for doing business, and a certified ISMS also provides much of the evidence needed for NIS2 and DORA compliance.

Our approach to ISO 27001 certification:

  1. Gap Analysis (2-4 weeks) — assess your current state against ISO 27001:2022
  2. ISMS Design (4-8 weeks) — design the management system
  3. Documentation (4-6 weeks) — prepare all required policies and procedures
  4. Implementation (8-12 weeks) — implement the controls
  5. Internal Audit (2 weeks) — internal audit before certification
  6. Certification Audit — accompany you through Stage 1 and Stage 2 audits

Free NIS2 Assessment

Not sure if NIS2 applies to you? Our free NIS2 Quick Assessment asks five questions about your sector, size and role in the supply chain and tells you whether your organization falls under NIS2 and whether it is likely to be classified as an essential or important entity.

How We Work

  1. Gap Analysis — assess current state
  2. Roadmap — plan with priorities & timelines
  3. Implementation — policies, procedures, controls
  4. Certification — accompany you to a successful audit

Don't know where to start?

Free Consultation — we'll assess your situation and give you a concrete action plan.

Ready to Protect Your Business?

Contact us for a free consultation and personalized assessment of your needs.


Free Consultation

Choose a topic and tell us about your needs. We'll get back within 24 hours.

Your data is protected and will not be shared with third parties.