
Governance, Risk & Compliance
Cyber-Physical Regulatory Readiness
Scoping, gap analysis, control mapping, action program and evidence for NIS2, CER/KRITIS, DORA, Part-IS, CRA and sector rules - cyber and physical governed as one risk.
Overview
For critical entities, regulation is becoming noticeably denser. Germany's NIS2 implementation act has been in force since December 2025, and the KRITIS umbrella act has transposed the EU CER Directive nationally since March 2026 - with risk analyses, resilience plans and cross-cutting minimum requirements that explicitly address physical and digital risks. What those in scope need is not more policies, but actionable, demonstrable resilience. That is precisely what we help deliver.
We start with precise scoping: which regimes apply to your entity, sites and business models - NIS2, CER/KRITIS, DORA, EASA Part-IS, the Cyber Resilience Act or sectoral regimes? From this we produce a gap analysis that mirrors regulatory duties against your actual maturity, rather than abstractly listing standards.
The core of our work is control mapping: we translate the differing obligations into a common, operationally grounded control and evidence model. This avoids parallel worlds - one control, implemented once, serves several regimes at the same time. That reduces effort and keeps evidence consistent across different supervisors.
From this we derive a prioritized action program and the evidence trail. Especially where cyber and physical security converge - for KRITIS operators, data centers, energy, water or airports - we govern both dimensions as one risk, as CISA and ENISA recommend for greater resilience.
We deliver each of these services in three stages: as an assessment (baseline and gap analysis), as program build and implementation (structures, measures, evidence) and as ongoing steering - optionally as an interim mandate, fractional lead, evidence office or exercise and audit office. You decide how much responsibility to outsource and where to build your own capacity.
Standards & norms
- NIS2 Directive (EU) 2022/2555
- CER Directive / KRITIS umbrella act (KRITIS-Dachgesetz)
- DORA (EU) 2022/2554
- EASA Part-IS
- Cyber Resilience Act (CRA)
Frequently asked questions
Which regimes does this service cover?
We address NIS2, the CER Directive and Germany's KRITIS umbrella act, DORA, EASA Part-IS, the Cyber Resilience Act and sectoral regimes. In scoping we jointly determine which actually apply to your entity.
Why consider cyber and physical together?
Because modern critical entities depend on both. CER/KRITIS explicitly requires physical and digital resilience, and CISA describes the convergence of cyber and physical security functions as a path to greater resilience. Separate silos create blind spots.
How does this differ from pure standards consulting?
We translate several regimes into a common control and evidence model. A control implemented once serves several obligations - instead of building separate documentation for each regime.

