Home  /  NIS2 & DORA Compliance  /  References

Track record

Cybersecurity & Compliance References

Five client cases, from single-site SMEs to multinational groups: NIS2 gap analysis, documented governance framework, integrated GRC path with TISAX and ISO 27001 certification. Cases presented in anonymised form.

The Competence Center

six areas, one approach

Valuemate operates in Cybersecurity & Compliance through a Cybersecurity Competence Center structured across six areas, Endpoint & Infrastructure Security, Vulnerability Management, IAM/PAM, Network Security/OT, Cloud Security and Cyber Risk Management, aligned with NIS2, DORA, CRA, GDPR, the Data Act, the AI Act, TISAX and ISO 27001, as well as sector-specific standards such as BRCGS Food Safety and IFS Food.

The five cases below, referring to clients of different sizes and sectors, summarise our methodology and the results achieved in cybersecurity. They are a representative, non-exhaustive selection: our overall portfolio includes further projects not covered on this page.

The cases

five projects, one methodology

01

NIS2 Gap Analysis for a manufacturing company

Manufacturing, single-site SME

Client profile

Italian manufacturing company with R&D, production and commercial divisions, subject to NIS2 registration obligations.

Objective

Carry out a Gap Analysis of the current state against NIS2 requirements, supporting registration and annual update activities on the ACN Portal.

Methodology

The project follows Valuemate's three-phase model for Cybersecurity & Compliance alignment: Gap Analysis (AS-IS state and approach definition), Design (organisation, policies, methodologies, processes and tools) and Implementation (operational rollout). This engagement covered Phase 1.

Activities carried out

  • Assessment of the organisational, documentary, procedural and technological situation
  • Definition of a two-tier model, minimum and optimal objectives, calibrated to the client's context
  • One-day on-site workshop presenting the impacts to the Board and top management
  • Operational support to complete the NIS2 registration ahead of the deadline

Deliverable

Gap Analysis document with reference context, AS-IS situation and minimum/optimal action plan.

Duration

5 weeks, between June and July.

Result

Client supported in meeting the annual NIS2 update deadline, with a defined roadmap for the subsequent Design and Implementation phases.

NIS2Gap AnalysisACN Registration
02

Governance, policies and procedures for an enterprise client

Enterprise group, medium/large size

Client profile

Medium/large corporate group needing to structure a cybersecurity governance model integrated into existing service contracts.

Service delivered

ValuemateSecurity360, P&P (Policies & Procedures), part of the broader ValuemateSecurity360 ecosystem.

Scope: 13 policy and procedure areas

The approach was tailored to the client's organisational, technological and regulatory context, avoiding standardised or purely documentary models, with shared involvement from IT, HR, Compliance and Business.

Synergy with the vCISO service

The vCISO defined risk assessment criteria and key performance indicators, while the P&P service formalised the related operational procedures, following the sequence P&P, Operations, Governance, External Reporting, in preparation for structured engagement with ACN.

Result

A formalised, shared and applicable security framework, supporting NIS2 compliance and future regulatory developments (e.g. CRA).

NIS2Policy & ProcedurevCISO
03

NIS2/CRA Gap Analysis and set-up for two end clients

Manufacturing and food

Client profile

Two end-client companies operating in manufacturing (industrial machinery) and food (milling industry), served in coordination with an external IT Management partner.

Objective

Gap Analysis and set-up of compliance activities, with primary focus on NIS2 and related areas (CRA, Data Act, AI Act, GDPR, food-sector standards such as BRCGS Food Safety and IFS Food).

Approach

Both companies were addressed with the same methodological approach and timeline, tailored to their specific context, with separate paths and fees per client. The assessment covered all business areas, R&D, production, administration, customer management and sales.

Activities carried out

  • Assessment of existing organisation, policies and procedures, IT and OT infrastructure, data management
  • Detailed analysis of NIS2 requirements, risk management, incident management, training and awareness
  • On-site kick-off workshop for alignment and information gathering
  • On-site feedback workshop, presenting impacts and possible next steps for Design
  • Top Management training and awareness session, as required by NIS2

Deliverable

Compliance context document, Gap Analysis with two compliance levels (Basic and Advanced) and priorities based on impact and opportunity, Top Management training session, work plan for the Design phase.

Timeline

Activities started in spring 2026 and completed by the end of summer, in line with the NIS2 deadline of October 2026 and the first CRA deadline.

NIS2CRAMulti-client
04

Policy & Procedure framework set-up for an enterprise group

Multinational group, consumer sector

Client profile

International enterprise group in the consumer sector, needing to structure a Cybersecurity & Compliance Policy and Procedure framework to support internal governance.

Objective

Gap Analysis and set-up of the P&P documentary framework, preparatory to the subsequent Design (planned for 2026) and Implementation (planned for 2027) phases.

Proposal content: 4 phases

A path structured in four sequential phases, from business and regulatory scope to the first documentary draft (details in the table below).

Operating model

Mostly remote sessions, complemented by on-site workshops at key stages of set-up, management validation and first documentary draft.

Expected result

A documentary framework shared and agreed with management, ready for the start of the Design phase.

Policy & ProcedureMultinationalGovernance
05

Integrated GRC path: NIS2 Risk Assessment, TISAX and ISO 27001

Manufacturing, industrial machinery

Client profile

Italian manufacturing company (industrial machinery), already engaged in an NIS2 Gap Analysis path (case 3), which activated a subsequent Governance, Risk & Compliance phase with Valuemate.

Service delivered

ValuemateSecurity360 GRC, a multi-standard compliance path structured across three sequential and integrated areas.

Areas of intervention

  • NIS2 directive alignment, Risk Assessment and Business Impact Analysis (BIA) under art. 24 of Legislative Decree 138/2024, the foundation of the whole compliance path
  • Support towards TISAX certification, the information security standard required by the automotive supply chain, achievable following the NIS2 Risk Assessment
  • Support towards ISO 27001 certification, for implementing an internationally recognised information security management system

Delivery model

The service is delivered mostly remotely, with a limited number of on-site days defined after kick-off based on emerging needs. Access to the security systems under monitoring is a prerequisite, needed to gather the telemetry and information required for the Risk Assessment.

Deliverable

NIS2 Risk Assessment and Business Impact Analysis document, TISAX certification support path and ISO 27001 certification support path, each detailed in its specific technical annex.

Result

A compliance path structured across multiple standards, regulatory, sector-specific and international, demonstrating Valuemate's ability to support a client from initial Gap Analysis through to multi-standard certification.

NIS2TISAXISO 27001GRC
The platform

ValuemateSecurity360, available modules

Over 20 technology modules, activatable individually or in combination depending on the client's scope and maturity level.

Security Management

Managed XDR, Managed Log

Endpoint, Identity, Mail & Edge

EDR, ITDR, Continuous Vulnerability Management, Mail Security, DNS Security

Network Security

NDR, NAC, ZTNA

Simulation

Continuous Threat Exposure Management (Breach Attack Simulation), Red Team, Penetration Test

Data Security

Cyber Threat Intelligence, Data Security Posture Management, Data Loss Protection

Application & Cloud Security

Cloud Security Posture Management

Security Compliance & Governance

Risk Evaluation, vCISO, CSIRT, 3rd Party Risk Management, ITSM, Application Portfolio Management, Policies & Procedures

In summary

the track record in numbers

Structured methodology

5 projects delivered in phases (Gap Analysis, Design, Implementation) or as an integrated GRC path (Risk Assessment, certification).

Broad regulatory scope

NIS2 (incl. Risk Assessment and BIA under art. 24 of Legislative Decree 138/2024), CRA, DORA, GDPR, Data Act, AI Act, TISAX, ISO 27001, plus sector standards such as BRCGS Food Safety and IFS Food.

Documentary governance

P&P services activated on an average scope of 13 thematic areas per client.

Technology platform

Over 20 modules available on ValuemateSecurity360, activatable individually or in combination.

Scalable model

From one-off support (fixed-fee Gap Analysis) to continuous service (24/7 SOC, vCISO, CSIRT), up to multi-standard certification support.

End-to-end path

Proven ability to guide a client from an initial Gap Analysis to a multi-standard GRC certification path (NIS2, TISAX, ISO 27001).

Sectors served: manufacturing, food, ICT and enterprise services, up to multinational groups, with an approach replicable across other sectors subject to NIS2, CRA and DORA. Proven ability to manage multiple end clients in parallel with the same methodological framework, including in coordination with external IT Management partners.

The cases described are presented in anonymised form for commercial confidentiality purposes and represent a non-exhaustive selection of projects carried out by Valuemate.

Want a similar path for your company?

Let's start with a gap analysis to understand where you stand against NIS2, DORA and the standards relevant to your sector.

Request an assessment →

or write to info@valuemate.it