Voluntary Regulatory Compliance with NIS 2 Directive for SMEs
Target Audience
SMEs and startups that do not fall under essential or important entities pursuant to Directive (EU) 2022/2555 (NIS 2), but wish to voluntarily align their organization with the principles of the regulation in order to:
- improve cybersecurity and operational resilience;
- obtain bonuses and additional scores in public tenders and funding procedures;
- demonstrate maturity and reliability towards partners, clients and Public Administration.
FESR Sardegna Program 2021-2027
Within the Regional Program FESR Sardegna 2021-2027, the call for aid to Sardinian SMEs for digital transition has been published, aimed at developing and strengthening the competitiveness of Micro, Small and Medium-sized Enterprises (MSMEs) in Sardinia through the introduction of advanced, sustainable and highly innovative technological solutions and consulting services to support the digitalization of business processes, within the areas of specialization of the regional S3.
Key Program Elements
- Financial allocation: € 22,002,856.00 (Action 2.2.1 RSO.1.2 PR FESR Sardegna 2021-2027)
- Beneficiaries: MSMEs
- Project selection method: Window evaluation procedure
- Investment proposal size: from € 50,000.00 to € 200,000.00
- Project location: Sardegna
Discover the full details of the call on the Sardegna Ricerche website.
Nature of the Service
The service consists of voluntary regulatory compliance, inspired by the requirements of the NIS 2 Directive.
It does not constitute mandatory compliance or certification, but a structured path of documentary and organizational alignment.
Package Content
NIS 2 Compliance – SME (voluntary)
Regulatory framing and scoping
- Organization analysis and reasoned verification of non-applicability of NIS 2 obligations.
- Identification of NIS 2 requirements applicable on a voluntary basis.
- Definition of the organizational scope involved.
Deliverable: Regulatory framing note usable for declaratory purposes.
Compliance Analysis (Gap Analysis)
- Assessment of current status against a selected set of NIS 2 requirements relevant to SMEs.
- Identification of main areas for improvement in view of voluntary compliance.
Deliverable: Concise gap analysis report oriented towards maturity.
Implementation of essential operational measures
- Drafting of a corporate Cybersecurity and Incident Management Policy compliant with NIS 2 principles.
- Preparation of an incident management and notification procedure.
Definition of minimum rules on:
- access and credential management;
- internal responsibilities and roles;
- coordination in case of incidents.
Deliverable: Operational documentation ready for internal approval.
Compliance documentation and bonus eligibility
Executive summary describing:
- voluntary compliance with NIS 2 Directive;
- measures adopted;
- 12-month improvement roadmap.
Texts usable for "cybersecurity", "resilience" and "governance" sections in tenders.
Deliverable: Evidence pack for tenders and grants.
Exclusions
- No NIS 2 attestation or certification.
- No assistance in case of an ACN inspection.
- No supplier audits or advanced technical testing.
- No continuous maintenance service.
Timeline
3–4 weeks
