Compliance Program (NIS2 / EU AI Act)
From assessment results to audit readiness: we build your ISMS, close all gaps, and guide you to compliance in a structured manner – in 3 phases with defined quality gates.
The gaps are identified – now the real work begins
Your NIS2 or EU AI Act assessment has revealed the action areas. The compliance program picks up exactly where the assessment left off and systematically closes all gaps.
Fines up to EUR 10 million
NIS2: up to EUR 10 million or 2% of annual revenue. EU AI Act: up to EUR 35 million or 7% of annual revenue.
Personal liability
Executive management is personally liable for implementation – an assessment alone is not sufficient.
Compliance obligations
BSI and regulatory authorities require audit-ready processes and comprehensive documentation.
Reporting obligations
24h early warning, 72h incident report, 1 month final report – impossible without established processes.
3 phases with defined quality gates
Each phase concludes with a formal management sign-off. Total duration: 3–12 months, depending on organization size and maturity level.
Framework & Design
3–4 weeks · Fixed price EUR 18,000–25,000
ISMS framework setup, risk management methodology, security policies (10–15 policies), incident response design, business continuity framework, and governance structures.
Implementation
8–24 weeks · Daily rate EUR 1,400–1,600
Implementation of all technical measures, process rollout, documentation, awareness program, supplier management, and KPI framework. Bi-weekly progress reviews.
Audit Readiness & Handover
2–4 weeks · Daily rate EUR 1,400–1,600
Internal pre-audit, documentation review, management review preparation, and structured handover to your line organization. Optional audit accompaniment.
Clear responsibilities
Nexus manages the program and creates all deliverables. Your organization retains decision-making authority.
| Activity | Nexus | ISM/CISO | IT | Mgmt |
|---|---|---|---|---|
| Build ISMS framework | R/A | C | I | A |
| Create policies | R | A | C | I |
| Conduct risk assessment | R | A | C | I |
| Implement technical measures | C | I | R/A | I |
| Conduct training | R | A | C | I |
| Conduct pre-audit | R/A | C | C | I |
R = Responsible, A = Accountable, C = Consulted, I = Informed
Prerequisite
Completed NIS2 Readiness Assessment or EU AI Act Assessment. The assessment provides the gap analysis on which the program is built.
Follow-up
After program completion, we recommend the Virtual CISO retainer for ongoing compliance monitoring, audit support, and strategic security advisory.
Why Nexus
Critical infrastructure experience
Cloud security framework, tenant separation, software lifecycle in critical infrastructure environments (healthcare, statutory health insurance).
Speed
Principal model: you work directly with an experienced consultant. No junior team, no overhead.
Certified
AWS Architect, Azure Architect, TOGAF, PRINCE2, ITIL – technical depth meets governance expertise.
End-to-end
From assessment through the program to Virtual CISO – one point of contact across the entire compliance lifecycle.
Ready for implementation?
Let's review your assessment results and define the right program in an introductory call – confidential and no strings attached.
30 min · Video call · No obligation