NIS2 active since Oct 2024 · DORA active since Jan 2025 · SEC cyber disclosure active since Dec 2023. Are you compliant?Check your obligations →
Cyber Governance

Cyber Governance &
Resilience

NIS2, DORA, SEC cyber disclosure, ISO 27001, and NIST CSF — all in one platform. Cyber risk registers, policy management, incident workflows, vendor reviews, and board-level reporting.

Check your cyber readiness →Talk to a specialist
NIS2DORASEC cyberISO 27001NIST CSFISO 27001SOC 2NIST 800-53
72h
NIS2 report
full incident report to national authority after significant cyber incident
€10M
or 2%
maximum NIS2 fine for essential entity non-compliance
4 days
SEC 8-K
to disclose material cybersecurity incidents as a US public company
Art. 20
NIS2
board members personally accountable for cyber risk management
Three active frameworks

NIS2. DORA. SEC cyber. All active. All enforced.

EU NIS2 Directive
Active since October 2024
Essential and important entities across 18 sectors in the EU — energy, financial, health, transport, technology, manufacturing, and more
Article 20: Board personal accountability for cyber risk
Article 21: MFA, supply chain security, incident handling, encryption
Article 23: 24h early warning · 72h full report · 1-month final report
Fines: up to €10M or 2% global turnover (essential entities)
EU DORA
Active since January 2025
Financial entities with EU operations — banks, insurers, investment firms, crypto-asset service providers, and their critical ICT third-party providers
ICT risk management framework — policies, procedures, controls
Digital operational resilience testing — including TLPT
ICT-related incident classification and reporting
Third-party ICT risk management and CTPP oversight
SEC Cyber Rules
Active since December 2023
US publicly listed companies — NYSE, Nasdaq, and other SEC-registered issuers
Form 8-K: material cyber incident disclosure within 4 business days
Form 10-K: annual cyber risk management programme description
Board oversight and CISO governance disclosure required
SEC enforcement already underway — no grace period
Platform capabilities

Everything your cyber governance programme needs.

Cyber risk register
Structured cyber risk identification, assessment, and treatment. NIST CSF and ISO 27001 Annex A control mapping. Risk heat maps and board-ready risk summaries.
Policy management
Information security policy library aligned to ISO 27001:2022 and NIS2 Article 21. Version control, review workflows, and staff acknowledgement tracking.
Incident response
NIS2-compliant incident classification and notification workflow. 24h early warning, 72h full report, and 1-month final report templates. SEC 8-K materiality assessment.
Vendor cyber reviews
Supplier ICT risk assessment questionnaires, DORA Critical Third-Party Provider (CTPP) register, and ongoing vendor cyber monitoring. NIS2 supply chain security compliance.
Board reporting
Cyber risk dashboard for board and audit committee. NIS2 Article 20 personal accountability documentation. SEC 10-K governance disclosure preparation. CISO briefing packs.
Resilience testing
DORA digital operational resilience testing programme management. TLPT coordination, penetration test tracking, and finding remediation. TIBER-EU framework alignment.
Incident notification timelines

The clock starts the moment you detect it.

ThemisIQ's incident response workflow triggers the right notification at the right time — so you never miss a regulatory deadline under pressure.

Hour 1
Contain & assess
Isolate affected systems. Assign incident commander. Open ThemisIQ incident record. Determine severity classification.
Hour 24
NIS2 early warning
Submit early warning to national competent authority. Indicate whether incident is suspected to be malicious. Customer notification if data breach confirmed.
Hour 72
Full report + SEC 8-K
NIS2 full incident notification. DORA ICT incident report. US public companies: assess 8-K materiality and file if material. GDPR Article 33 if personal data involved.
Day 30
Final report
NIS2 final report with root cause, impact assessment, cross-border effects, and measures taken. Post-incident review completion. Corrective action verification.
Full framework coverage

Every cyber framework. One platform.

FrameworkJurisdictionApplies toStatusThemisIQ coverage
EU NIS2 DirectiveEuropean UnionEssential + important entities · 18 sectorsActive Oct 2024✓ Full — gap assessment + incident workflow
EU DORAEU financial servicesBanks, insurers, investment firms, cryptoActive Jan 2025✓ Full — ICT risk + CTPP register + testing
SEC Cybersecurity RulesUSA · public companiesNYSE / Nasdaq listed companiesActive Dec 2023✓ Full — 8-K + 10-K disclosure workflow
ISO 27001:2022GlobalAny organisation seeking ISMS certificationVoluntary / customer-required✓ Full — Annex A control mapping
NIST CSF 2.0USA (global adoption)US federal + voluntary for all sectorsActive 2024✓ Full — Govern, Identify, Protect, Detect, Respond, Recover
NIST 800-53 Rev.5USA federalFederal agencies + contractorsMandatory for federal✓ Partial — control mapping
SOC 2 Type IIUSA (industry standard)SaaS and technology companiesCustomer-required✓ Partial — TSC alignment
UK Cyber EssentialsUnited KingdomUK government suppliers + voluntaryActive✓ Partial — basic controls mapping

NIS2 is active. DORA is active.
Are you compliant?

ThemisIQ's cyber governance gap assessment identifies where you stand against NIS2, DORA, and SEC cyber rules — and tells you exactly what to fix first.

Check your cyber readiness →Talk to a specialist