B.3 · Core Product

Compliance Program (NIS2 / EU AI Act)

From assessment results to audit readiness: we build your ISMS, close all gaps, and guide you to compliance in a structured manner – in 3 phases with defined quality gates.

The gaps are identified – now the real work begins

Your NIS2 or EU AI Act assessment has identified the action areas. The compliance program picks up exactly where the assessment left off and closes the identified gaps systematically, in priority order.

Fines up to EUR 35 million

NIS2: up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher (for essential entities; lower caps apply to important entities). EU AI Act: up to EUR 35 million or 7% of worldwide annual turnover, whichever is higher, for the most serious infringements.

Personal liability

Under NIS2, the management body must approve and oversee the cybersecurity risk-management measures and can be held liable for infringements. Having an assessment on file is not sufficient; the measures must actually be implemented and evidenced.

Compliance obligations

The BSI and the sector-specific supervisory authorities expect audit-ready processes and complete, traceable documentation (policies, risk register, evidence of control operation).

Reporting obligations

For a significant incident: early warning within 24 hours of becoming aware of it, incident notification within 72 hours, final report within one month. These deadlines are not achievable without established detection, triage, and reporting processes.

3 phases with defined quality gates

Each phase concludes with a formal management sign-off. Total duration: 3–12 months, depending on organization size and maturity level.

Phase 1: Framework & Design

3–4 weeks · Fixed price EUR 18,000–25,000

ISMS framework setup, risk management methodology, security policies (10–15 policies), incident response design, business continuity framework, and governance structures.

ISMS scope & policy
Risk management policy
Complete policy set
Incident response plan
BC/DR concept
Governance org chart
Quality Gate: Management sign-off on all Phase 1 deliverables and approval for Phase 2
Phase 2: Implementation

8–24 weeks · Daily rate EUR 1,400–1,600

Implementation of all technical measures, process rollout, documentation, awareness program, supplier management, and KPI framework. Bi-weekly progress reviews.

Technical controls (network, identity, cryptography)
Process documentation & evidence management
Training program (awareness + specialist training)
KPI framework & monitoring dashboard
Supplier security assessment
Statement of Applicability (SoA)
Phase 3: Audit Readiness & Handover

2–4 weeks · Daily rate EUR 1,400–1,600

Internal pre-audit, documentation review, management review preparation, and structured handover to your line organization. Optional audit accompaniment.

Pre-audit report with recommendations
Documentation map
Management review presentation
Operations manual for ongoing compliance
Quality Gate: Audit readiness confirmed, formal handover to line organization

Clear responsibilities

Nexus manages the program and creates all deliverables. Your organization retains decision-making authority.

Activity                       Nexus   ISM/CISO   IT     Mgmt
Build ISMS framework           R/A     C          I      A
Create policies                R       A          C      I
Conduct risk assessment        R       A          C      I
Implement technical measures   C       I          R/A    I
Conduct training               R       A          C      I
Conduct pre-audit              R/A     C          C      I

R = Responsible, A = Accountable, C = Consulted, I = Informed

Key figures: 3 phases · 3–12 months total duration · Phase 1 fixed price from EUR 18K · typical total volume EUR 50–150K

Prerequisite

Completed NIS2 Readiness Assessment or EU AI Act Assessment. The assessment provides the gap analysis on which the program is built.

Follow-up

After program completion, we recommend the Virtual CISO retainer for ongoing compliance monitoring, audit support, and strategic security advisory.

Why Nexus

Critical infrastructure experience

Cloud security frameworks, tenant separation, and secure software lifecycle work in critical infrastructure environments (healthcare, statutory health insurance).

Speed

Principal model: you work directly with an experienced consultant. No junior team, no overhead.

Certified

AWS Architect, Azure Architect, TOGAF, PRINCE2, ITIL – technical depth meets governance expertise.

End-to-end

From assessment through the program to Virtual CISO – one point of contact across the entire compliance lifecycle.

Ready for implementation?

Let's review your assessment results and define the right program in an introductory call – confidential and no strings attached.

Schedule a Call

30 min · Video call · No obligation