Worth it
NIS2 consulting
Legally sound handling of edge cases, sector-specific interpretation, building an ISMS from the ground up, and a person who shares liability when it counts.
Clarify your scope, capture measure status, structure your existing M365 controls as evidence, prioritise the gaps.
The cost of NIS2 help ranges from essentially just internal time, if you do the evidence work yourself, through occasional consulting days and one-off readiness assessments, up to full ISMS or certification projects in the five- to six-figure range. For most SMEs: do the repeatable parts yourself, buy consulting narrowly for edge cases.
Do the bulk of the ongoing evidence work yourself, and buy consulting narrowly for judgement calls. That way the fee goes into decisions, not into data collection.
| | Consultant-led | Generic GRC software | Directive Zero |
|---|---|---|---|
| Promise | Guidance, liability comfort | Compliance platform | Evidence — prove what already holds |
| Method | Months, person-dependent | Configuration, often oversized | Self-serve in days, open logic |
| Strength | Judgement on edge cases | Broad ISMS depth | M365-native evidence, supply-chain proof |
| Limit | Expensive, hard to scale | Little operational telemetry | Not a full ISMS |
| Cost logic | Day rates for judgement work | Ongoing licence and project effort | low / internal |
Before the first meeting, prepare the repeatable parts yourself: clarify scope, capture measure status, prioritise the gaps. Then consulting time goes to judgement questions — not to collecting the basic data you already know best.
No. There's no requirement to use a consultant. They're worth it for edge cases and ISMS build — not for repeatable evidence work.
Mostly internal time. The evidence comes from systems you already run; budget a few person-days for the first package.
Often not. Many platforms are built for large ISMS organisations and are oversized for SMEs.