NIS2 Gap-Scan Express · Art. 21 compliance assessment with defensive AI

NIS2 art. 21 assessment (10 technical and organisational measures) with our own defensive AI stack and personal signature of the responsible party. Diagnosis, prioritised plan and board memo in four weeks.

NIS2 Gap-Scan Express

NIS2 art. 21 compliance diagnosis in four weeks, with multi-model defensive AI and human sign-off

The NIS2 Directive (EU Directive 2022/2555) covers approximately twelve thousand entities in Spain as essential or important and requires the implementation of ten specific technical and organisational measures (art. 21(2)). The Spanish transposition is advancing on two parallel tracks: Royal Decree-Law 7/2025, already in force with partial obligations, and the Draft Law on Cybersecurity Coordination and Governance, still in progress. Potential sanctions for essential entities reach ten million euros or two percent of global annual turnover, whichever is higher, and management bodies can be held personally liable for non-compliance (art. 20).

OCIRIA NIS2 Gap-Scan Express delivers in four weeks a technical diagnosis of art. 21 compliance, a prioritised findings map and an executive memo drafted for the board. All analysis is carried out with an in-house multi-model defensive AI stack (Claude Haiku, Sonnet and Opus in triangulation) under the personal supervision and signature of the person responsible at Ibida Black Level S.L.


What it covers exactly

The gap analysis assesses the ten measures established in art. 21 of the directive:

1. Risk analysis and management policy.

2. Incident management (detection, communication and response).

3. Business continuity: backups, disaster recovery and crisis management.

4. Supply chain security.

5. Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.

6. Policies and procedures for evaluating the effectiveness of measures.

7. Basic hygiene: practices, training and awareness.

8. Cryptography and encryption, where applicable.

9. Human resources security, access control policy, asset management.

10. Multi-factor or continuous authentication, secured voice, video and text communications and secured emergency communication systems, where appropriate.

For each measure, we identify the current state, the distance to compliance, the indicative effort required to close it and the relative priority based on your organisation.


Why this service exists

Traditional consultancies approach NIS2 with two-month templates, teams of four to six people and hundred-slide deliverables that the board never quite finishes reading. The Big4 do it even more expensively and more slowly. The reality is that most entities first need to know where they stand, not receive a twelve-month plan before having seen the first finding.

OCIRIA uses defensive AI to perform, in a fraction of the time, the technical analysis that a human team would need forty to sixty hours for. The AI does not decide any material deliverable: the findings map, the prioritisation and the executive memo are personally signed by the human supervisor. AI accelerates; it does not replace.


How we work · four weeks, three deliverables

Week 1 · Scope and intake. Initial meeting (forty-five minutes) to understand sector, size, criticality, dependencies and prior exposure. Collection of minimum necessary information without access to live systems: domains, email infrastructure, known public exposure, existing security policy if any, relevant organisational chart.

Week 2 · Multi-model AI analysis + human validation. Triangulation between three Claude models (Haiku for classification, Sonnet for correlation, Opus for critical analysis), with discrepancies between models treated as a risk signal to be investigated manually. Verification of the public attack surface with defensive OSINT only (no intrusive testing): subdomains, indexed leaks, DNS/SPF/DMARC configuration, HTTP security headers, TLS certificates, Shodan/Censys exposure. Regulatory gap analysis measure by measure.

Week 3 · Cross-check with operational reality. Technical session (sixty to ninety minutes) with internal responsible party (if any) or with the board to validate findings, fill gaps that models cannot see (internal procedures, supplier contracts, training carried out) and prioritise.

Week 4 · Signed deliverables. Three documents: a detailed technical report with findings and reproducible evidence, a prioritised measures map with indicative effort and timeline, and a three-page executive memo drafted so that management can take it to the board or the audit committee. All personally signed by the person responsible at Ibida Black Level S.L.


Pricing

OCIRIA NIS2 Gap-Scan has three levels, according to depth and subsequent support:

Level    | Product                                              | Price    | Timeline
Express  | Art. 21 gap analysis + prioritised map + board memo  | 3,500 €  | 4 weeks
Standard | Express + twelve-month roadmap + incident tabletop   | 6,500 €  | 5-6 weeks
Premium  | Standard + monthly accompaniment for six months      | 12,900 € | 4 weeks + 6 months

Prices are indicative for SMEs (up to two hundred and fifty employees) and standard mid-market. For consolidated groups, multi-site infrastructure or sectors with additional regulation (health, energy, water, finance) we adjust scope and budget at the initial meeting.

Payment terms. Fifty percent at the start, fifty percent upon delivery of the executive memo. No penalty if after the initial meeting we decide the service does not fit your situation.


Who it is for

If you have doubts about whether NIS2 applies to you, the initial meeting is free and we will clear that up within thirty minutes.


Who it is NOT for


Typical cases

Case 1 · The mid-market private hospital. Medical centre with two hundred and forty employees, in-person and telemedicine care, two sites and an outsourced electronic health record. Gap-Scan reveals absence of a formal incident management procedure, two-factor authentication only on the administrative account, backup policy without periodic verification and four ICT providers without NIS2 clauses in their contracts. Executive memo: estimated compliance at sixty-five percent; six-month plan to reach eighty-five percent with an indicative additional budget of twelve thousand euros.

Case 2 · The water treatment company. Regional operator under OUG 155/2024 (Romanian NIS2 transposition). Gap-Scan identifies DMARC at p=none, cPanel panels exposed in shared hosting with third-party domains, client portal without two-factor authentication or HSTS. Board memo: three critical measures that can be closed within seventy-two hours, seven measures with a three-month plan, clear conclusion on whether the entity would pass a first inspection.
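The e-mail and web findings in Case 2 (DMARC at p=none, no HSTS) are the kind of thing the Week 2 defensive OSINT pass turns up from public data alone. The following Python is an added illustration of how such checks are scored, not OCIRIA's own tooling: it parses a DMARC record, an SPF record and a set of HTTP response headers and returns one finding per weak setting. The domain, TXT records and headers are constructed sample data embedded inline so the example runs offline; in a real assessment the TXT records come from a DNS lookup of example.org and _dmarc.example.org, and the headers from an HTTPS GET of the client portal.

```python
import re
from typing import Dict, List

# Constructed sample data for this example (placeholder domain, not real lookups).
SAMPLE_TXT = {
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "example.org": "v=spf1 include:_spf.example.net ~all",
}
SAMPLE_HEADERS = {"Server": "Apache", "Content-Type": "text/html"}


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record (DMARC syntax, RFC 7489 s.6.3)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return findings for a DMARC TXT record; an empty list means no gap found."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["DMARC: no valid record, receivers apply no policy to spoofed mail"]
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; move to p=quarantine, then p=reject")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or unknown policy tag p={policy!r}")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']}, policy applied to part of the mail flow only")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are not collected")
    return findings


def assess_spf(record: str) -> List[str]:
    """Return findings for an SPF TXT record (RFC 7208)."""
    if not record.strip().lower().startswith("v=spf1"):
        return ["SPF: no record, any host may send as the domain"]
    terms = record.split()[1:]
    findings = []
    # The 'all' mechanism decides what happens to senders nothing else matched.
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, unmatched senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorises every sender on the Internet")
        elif qualifier in "~?":
            findings.append(f"SPF: '{qualifier}all' is a soft result; use '-all' to fail forged mail")
    # RFC 7208 s.4.6.4 caps DNS-querying terms at 10; more yields a permerror.
    querying = {"include", "a", "mx", "ptr", "exists", "redirect"}
    lookups = sum(1 for t in terms if re.split(r"[:=/]", t.lstrip("+-~?").lower())[0] in querying)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    return findings


def assess_http_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for the security headers of an HTTPS response."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("HTTP: no Strict-Transport-Security header, first visit can be downgraded")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not match or int(match.group(1)) < 31536000:
            findings.append("HTTP: HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HTTP: HSTS without includeSubDomains")
    for name in ("content-security-policy", "x-content-type-options", "x-frame-options"):
        if name not in lower:
            findings.append(f"HTTP: missing {name} header")
    return findings


def assess_domain(domain: str, txt: Dict[str, str], headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the three checks for one domain and group the findings by control."""
    return {
        "dmarc": assess_dmarc(txt.get(f"_dmarc.{domain}", "")),
        "spf": assess_spf(txt.get(domain, "")),
        "http": assess_http_headers(headers),
    }


if __name__ == "__main__":
    for control, items in assess_domain("example.org", SAMPLE_TXT, SAMPLE_HEADERS).items():
        for item in items:
            print(f"[{control}] {item}")
```

Each finding maps to a measure in the art. 21 list: the DMARC and SPF results belong to incident prevention and secure communications (measures 2 and 10), the missing HSTS and other headers to secure development and maintenance (measure 5). The checks are deliberately read-only and use only data the domain already publishes, which is what keeps the Week 2 pass within the "no access to live systems" scope agreed in Week 1.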

Case 3 · The industrial provider of essential services. Manufacturing company that sells to an essential NIS2 entity and receives a mandatory compliance questionnaire. Gap-Scan is oriented towards answering that questionnaire with evidence: questions that can be answered with current compliance, those that require action and those that need a contractual clause with the regulated client.


How to start

The first step is a free initial meeting of forty-five minutes. We explain how the methodology works, what findings we typically make in a company of your profile, and we tell you honestly whether the Gap-Scan adds value for you or whether your situation requires something else.

If we move forward, the contract is one page and the schedule is four weeks from signing.

Write to us at [email protected]


Other services