Applicability
We determine whether your company falls under NIS2 or DORA. The directive significantly expanded the scope.
We coordinate the regulatory and procedural side of NIS2 and DORA; the technical part is covered by Summum Sistemas’ own SOC.
NIS2 extends the scope of the original NIS directive to medium-sized companies and sectors previously exempt: postal services, waste management, manufacture of critical products, and digital service providers. DORA does the equivalent for the financial sector.
What both directives require goes well beyond installing antivirus software: an incident management policy, regulatory notification within deadlines, contracts with critical ICT suppliers containing specific clauses, an operational continuity plan, and training.
We handle the legal and procedural side; the in-house SOC at Summum Sistemas covers the technical layer (EDR, SIEM, incident response). One implementation, two coordinated disciplines.
We determine whether your company falls under NIS2 or DORA. The directive significantly expanded the scope.
Requirements mapped against what you already have. Most organisations unknowingly meet 30–40% already.
Incident management, ICT supplier contracts, continuity plan, training.
Procedures: 24h first alert, 72h initial report, 1 month final report.
The operational detail: what we deliver as part of the engagement and what we keep active afterwards.
Applicability assessment
NIS2/DORA tables by sector and size, with documented justification.
Incident management plan
Detection, classification, containment, recovery. Aligned with your ISO 27001.
Notification procedures
Templates for regulatory deadlines and client communication.
ICT supplier contracts
Specific clauses required by the regulation in current and new contracts.
Operational continuity plan
Aligned with ISO 22301. Annual drill.
Senior management training
Explicit board responsibility under NIS2.
NIS2 covers essential services. DORA covers the financial sector. Same skeleton.
NIS2 and DORA have a procedural layer (here) and a technical layer (in-house SOC).
Medium-sized companies (>50 employees or >€10M) in extended sectors. Initial assessment within 48 hours.
DORA applies to financial entities and their critical ICT providers.
~60%. If you already hold ISO 27001, NIS2 represents an additional 40%, not 100%.