EU Directive
NIS2 / NISG 2026
The NIS2 Directive (Network and Information Security Directive 2) is the EU-wide framework for cybersecurity obligations, replacing the original NIS Directive. In Austria it is implemented as NISG 2026 (Netz- und Informationssystemsicherheitsgesetz 2026).
NIS2 significantly expands the scope of affected organisations to include essential and important entities across sectors such as energy, transport, health, digital infrastructure, manufacturing, food production and public administration. Companies meeting the size thresholds (50+ employees or €10M+ turnover) in these sectors must comply.
Key requirements include risk management measures, incident reporting within 24-72 hours, supply chain security, business continuity planning and regular security testing. Executive management is personally liable for non-compliance.
As offensive security specialists, we help you meet the technical requirements of NIS2 through penetration testing, red team engagements and strategic security advisory. Our tests identify real vulnerabilities before they can be exploited, and our reports provide the evidence needed for compliance documentation.
Risk Management & Security Testing
NIS2 requires proportionate technical and organisational measures. Our penetration tests and security assessments identify real-world risks and provide actionable recommendations to reduce your attack surface.
Incident Response Readiness
NIS2 mandates incident reporting within 24 hours. Our red team engagements and purple team exercises test and improve your detection and response capabilities so you can meet these deadlines.
Compliance Documentation
Our detailed reports document findings, attack paths and remediation steps, providing verifiable evidence that your organisation takes a proactive approach to security testing as required by NIS2.
EU Regulation
DORA
The Digital Operational Resilience Act (DORA) is an EU regulation specifically targeting the financial sector. It establishes uniform requirements for the security of network and information systems supporting the business processes of financial entities.
DORA applies to banks, insurance companies, investment firms, payment service providers and their critical ICT third-party providers. It has been applicable since January 2025.
The regulation mandates ICT risk management, incident reporting, digital operational resilience testing (including threat-led penetration testing under TIBER-EU for significant entities), ICT third-party risk management and information sharing.
Our red team engagements are aligned with the TIBER-EU framework required by DORA for threat-led penetration testing. We simulate realistic attack scenarios against your critical systems and create reports that meet the stringent documentation requirements of the regulation.
ICT Risk Management
DORA requires financial entities to maintain a comprehensive ICT risk management framework. Our penetration tests provide the technical foundation to identify and prioritise risks.
TIBER-EU Aligned Red Teaming
For significant financial entities, DORA requires threat-led penetration testing based on the TIBER-EU framework. Our red team engagements simulate real adversary tactics to test your critical functions end-to-end.
Resilience Testing & Reporting
DORA mandates regular resilience testing with documented results. All of our engagements include detailed attack narratives and time-stamped logs that fulfil the evidence requirements for regulatory reporting.
Automotive Industry
TISAX
TISAX (Trusted Information Security Assessment Exchange) is the information security assessment standard for the automotive industry. Managed by the ENX Association, it is based on the VDA ISA catalogue (Verband der Automobilindustrie Information Security Assessment), which is built on ISO 27001 with automotive-specific requirements.
TISAX is mandatory for companies in the automotive supply chain that handle confidential information from OEMs such as VW, BMW, Mercedes-Benz, Audi, Porsche or their tier-1 suppliers. Assessment levels range from AL1 to AL3, with AL2 and AL3 requiring external audits.
Key areas include information security management, prototype protection, data protection, and third-party/supplier security. Companies must demonstrate effective security controls including access management, vulnerability management and incident response.
We support your TISAX readiness through targeted penetration testing of your infrastructure and applications, helping you identify and remediate vulnerabilities before the official assessment. Our reports also serve as evidence that regular security checks are carried out. With advisory services, we help prioritise the hardening measures that matter.
Assessment Readiness
We conduct penetration tests and security reviews that mirror the technical controls checked during a TISAX assessment, helping you identify gaps and fix them before the audit.
Supply Chain Security
TISAX requires demonstrating security across the supply chain. Our external and internal penetration tests verify your security controls and provide evidence of due diligence.
Practical Hardening
Based on our testing results and attacker perspective, we provide independent recommendations for hardening measures that effectively address the VDA ISA control requirements.
International Standard
ISO 27001
ISO/IEC 27001 is the leading international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company information through risk assessment, security controls and continuous improvement.
An ISO 27001 certification is increasingly expected by clients, partners and regulators. It serves as the foundation for many industry-specific frameworks including TISAX and is referenced by NIS2 and DORA as an accepted approach to demonstrating security maturity.
The standard requires organisations to identify information security risks, implement appropriate controls from Annex A (including vulnerability management, access control and incident management) and regularly test their effectiveness.
Our penetration tests and red team engagements directly support ISO 27001 compliance by providing independent verification of your security controls. We test whether implemented measures are effective against real-world attack techniques, supporting a sustainable improvement cycle that is central to the standard.
Risk Assessment Support
ISO 27001 requires regular risk assessments. Our penetration tests provide concrete, technical evidence of vulnerabilities and attack paths that feed directly into your risk register.
Annex A Control Verification
Our testing validates the effectiveness of ISO 27001 Annex A controls, particularly A.8 (Technological controls) and parts of A.5 (Organizational controls), through practical exploitation attempts.
Continuous Improvement
Through regular penetration tests and advisory, we support the recertification cycle required by ISO 27001, helping you continuously adapt your security measures to the evolving threat landscape.