1-2 days
Before you spend a euro on NIS2 readiness: are you actually in scope?
An independent advisory practice for regulated technology teams.
We work out what you actually are under Annex I and II - cloud computing service, managed service provider, digital provider, or none of them. This is the question Article 2(1) turns on, and it is the one most advice skips.
Where the entity type is contested - a B2B SaaS against the Article 6(30) cloud test, say - we set out the argument both ways, including where national regulators disagree, rather than pretending it is settled.
Headcount, turnover and balance sheet against the medium-sized thresholds, including partner and linked aggregation. For a lot of companies this, not the entity type, is what decides it.
A short written scope opinion: in or out, essential or important, which authority, and what registration follows. Something you can put in front of a buyer or a regulator.
This is for you if
Not for you if
We tell you what will block ISO 27001 certification before the certification body does.
Learn more →5-15 daysReadiness finds the blockers. The Remediation Sprint helps remove them.
Learn more →3-7 daysWe organise your ISO 27001 evidence so your team can show the right proof, in the right order.
Learn more →Certification is issued by accredited certification bodies; DORA supervision is performed by regulators. Kellwick prepares you for these processes; it does not perform them and cannot guarantee their outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.