Start with NIS2. Stay compliant with ISO 27001, GDPR, DORA — and the security questionnaires your customers keep sending. One platform. EU-sovereign. At a fraction of the cost of hiring.
Penalties: Up to €10M or 2% of turnover. Board members face personal liability and potential ban from management roles.
These are legal requirements, not recommendations. Each one must be documented and provable.
Identify all cybersecurity risks. Document them. Assign owners. Review regularly. This is not a one-time exercise — it must be a living document.
If you detect a breach, you have 24 hours to report it to your national CSIRT. Then 72 hours for an update, and 30 days for a final report. Do you have a procedure for this?
Your management body must personally approve cybersecurity measures and receive regular reports. "I didn't know" is not a defence under NIS2 Article 20.
You must assess the cybersecurity of your suppliers and include security requirements in contracts. If your vendor is breached — you're accountable.
Regular cybersecurity training for all staff. Board members must be trained too. Password policies, phishing awareness, MFA — all documented.
Backup plans, crisis management, disaster recovery. Tested and documented. Not just "we have backups somewhere."
Plus 4 more categories: system security, effectiveness measurement, cryptography, and access management (the full set of Article 21 requirements).
NIS2 compliance requires expertise most SMEs don't have in-house.
Most SMEs can't justify a senior hire just for compliance.
External help works, but the cost is prohibitive for companies with €10-50M turnover.
NIS2 has 10 requirement categories, country-specific rules, and requires ongoing documentation. A spreadsheet won't survive an audit.
A platform that handles your NIS2 compliance — automatically, continuously, at a fraction of the cost.
Automatically evaluates your company against all 10 NIS2 categories. Shows you exactly what's missing and what to fix first.
Maintains a living risk register with owners, remediation plans, and full audit trail. Ready for regulators at any time.
Generates plain-language reports for your management body. Proves to regulators that your board governs cyber risk (Article 20).
Pre-built templates for 24h reporting to your national CSIRT. Country-specific — knows whether you report to BSI, CCB, NASK, or ACN.
Maps your controls to NIS2, ISO 27001, GDPR, and DORA simultaneously. One platform, all your compliance needs.
Hosted in the EU (Germany/Ireland). Per-tenant encryption. Your data never leaves Europe and never touches US jurisdiction.
A virtual CISO that works 24/7 — for a fraction of the cost
Automatically evaluates your organisation against all 10 categories of NIS2 Article 21. Identifies gaps, prioritises risks, and tells you exactly what to fix.
Maintains a living risk register with ownership, remediation plans, and audit trail. Proves to regulators that your management body governs risk (Art. 20).
Generates executive reports in plain language — not technical jargon. Your board sees compliance status, risk trends, and recommended actions.
Maps controls to NIS2, ISO 27001, GDPR, and DORA simultaneously. One platform, multiple compliance needs covered.
Our Verifiable Reasoning Architecture uses mathematical proof — not checklists — to demonstrate compliance. AI translates, logic solvers verify.
EU-only hosting (Germany/Ireland). Per-tenant encryption. Zero-access architecture. Your data never leaves Europe, never touches US jurisdiction.
The alternatives are expensive, slow, or not built for European SMEs
| | Full-time CISO | MSP / Consultant | US Platforms | CloudSentinel |
|---|---|---|---|---|
| Annual cost | €180-350K | €30-140K | €7-50K | Fraction of the cost |
| NIS2-native | Depends on person | Depends on firm | Bolt-on | From day 1 |
| Time to value | 3-6 months | Weeks-months | 2-6 weeks | 30 minutes |
| Board reports | Manual | Manual | Audit-style | Automated, plain language |
| Data residency | N/A | Varies | USA (CLOUD Act) | 100% EU |
| Verification | Expert opinion | Expert opinion | Checklists | Mathematical proof (VRA) |
| Buy directly | Yes (hire) | Yes (contract) | Yes (after demo) | Yes — no middleman |
Questions we hear from SME leaders
You can ask AI to generate a gap assessment document. Many companies do. But when the auditor arrives, they won't ask for a document — they'll ask for evidence.
Specifically:
AI generates documents. CloudSentinel manages compliance.
If you have 50+ employees or €10M+ turnover and operate in one of 18 NIS2 sectors — you're in scope. There is no "too small" exemption. And even if you're below the threshold, your larger customers may require proof of your security posture as part of their supply chain obligations (Art. 21).
Good — but NIS2 requires your management body to approve and oversee cybersecurity measures (Art. 20). Delegating to an IT provider doesn't remove board liability. CloudSentinel gives your board visibility into what your IT provider is doing — and proof that governance is happening.
Vanta and Drata are excellent for SOC2 audit preparation. But they're American companies (CLOUD Act applies), NIS2 was added as an afterthought, and pricing starts at €7,000-10,000/year. CloudSentinel is European, NIS2-native from day one, and built specifically for the budget and needs of EU SMEs.
We are selecting 5-10 European SMEs for our free pilot. You get full platform access, a personalised NIS2 gap report, and a seat at the table shaping the product.
No credit card. No commitment. Just 15 minutes to see if we can help.
CloudSentinel is a European company based in Brussels, built by a team with 20+ years of experience in EU institutional security, cloud architecture, and compliance systems.
European company. European data. European AI. No US dependencies.