Cross-framework
NIS2
- Am I in scope for NIS2? Essential vs important entities explained A plain-language walkthrough of who NIS2 applies to: the covered sectors, the size threshold, the essential vs important classification, and the entities caught regardless of size. Last reviewed Jul 12, 2026
- NIS2 security measures: the requirements of Article 21 The ten baseline cybersecurity risk-management measures NIS2 requires under Article 21, in plain language — from risk policies and incident handling to supply-chain security and MFA. Last reviewed Jul 12, 2026
- NIS2 incident reporting: the 24-hour and 72-hour deadlines What counts as a significant incident under NIS2, who to notify, and the reporting timeline — an early warning within 24 hours, a notification within 72 hours, and a final report within one month. Last reviewed Jul 12, 2026
- NIS2 transposition by country: why your obligations depend on national law NIS2 is an EU directive, so it applies through each member state’s own law. What that means in practice, why the details differ by country, and how to find the rules that actually bind you. Last reviewed Jul 12, 2026
ISO 27001
- ISO 27001 for SMBs: a plain-language guide What ISO 27001 actually requires, how certification works, and why a growing number of EU small and mid-sized businesses adopt it — the ISMS, Annex A controls, the SoA, and the audit cycle. Last reviewed Jul 12, 2026
- ISO 27001 Annex A controls explained (2022) The 93 Annex A controls in ISO 27001:2022, grouped into four themes — what changed from the 2013 version, how the new controls fit, and how you choose which apply. Last reviewed Jul 12, 2026
- The ISO 27001 Statement of Applicability (SoA), explained What the SoA is, why ISO 27001 requires it, and what it must contain — the document that links your risk assessment to the Annex A controls you apply. Last reviewed Jul 12, 2026
- ISO 27001 vs SOC 2: which do you need? ISO 27001 is an international certification; SOC 2 is a US attestation report. How they differ, where they overlap, and which one your customers actually want. Last reviewed Jul 12, 2026
GDPR
- GDPR compliance for SMBs: the core obligations A practical overview of what GDPR requires of a small or mid-sized team — the principles, lawful basis, records of processing, data subject rights, security, breach notification, DPIAs and when you need a DPO. Last reviewed Jul 12, 2026
- GDPR DPIA: when you need one and what it must contain (Art. 35) A Data Protection Impact Assessment is required before high-risk processing under GDPR Article 35. When it applies, what it must include, and when to consult your supervisory authority. Last reviewed Jul 12, 2026
- GDPR breach notification: the 72-hour rule (Art. 33 & 34) When a personal data breach must be reported under GDPR, what the 72-hour deadline actually means, what to include, and when you also have to tell the affected individuals. Last reviewed Jul 12, 2026