Key Governance

Five structured packages to make cybersecurity governable. From NIS2 to vCISO, from operational resilience to supply chain.

Cybersecurity governance is not a one-off project: it is a continuous process requiring structure, expertise and ongoing regulatory awareness. Our five packages cover the full cycle — from regulatory compliance to risk management, through to supply chain oversight.

01
NIS2 Readiness
Who it's for
Soggetti Essenziali Soggetti Importanti Fornitori NIS2 Management
We classify your organisation according to NIS2 criteria, perform a gap assessment against the 219 measures, analyse risks and build the compliance roadmap. Includes appointment of the CSIRT Representative and mandatory incident reporting procedures.
Deliverable
  • NIS2 subject classification report
  • Gap assessment — 219 measures
  • Documented risk analysis
  • Prioritised compliance roadmap
  • Policy and procedure document set
  • CSIRT-IT incident reporting procedures
02
Cyber Governance Program
Who it's for
CEO / CDA Direzione IT Risk Manager
AptGetDefence's monthly vCISO service: ongoing advisory to senior management to build and maintain the security governance model. Strategic roadmap, KPIs, updated risk register, executive reporting and support for technology decisions.
Deliverable
  • Risk register updated quarterly
  • KPI dashboard for management
  • Board-ready quarterly report
  • 12–24 month strategic roadmap
  • Policy framework and governance model
  • Attendance at management meetings (4/year)
03
Business Resilience
Who it's for
Operations Direzione IT Risk & Compliance
Business Impact Analysis, Business Recovery Plan, Disaster Recovery Plan and Incident Response Plan. We build the organisation's response and recovery capability with operational documents and tabletop exercises to test plans in realistic scenarios.
Deliverable
  • Business Impact Analysis (BIA)
  • Business Recovery Plan (BRP)
  • Disaster Recovery Plan (DRP)
  • Incident Response Plan (IRP)
  • Tabletop exercise with post-exercise report
  • Process criticality and dependency matrix
04
Digital Compliance
Who it's for
DPO Legal Compliance Produttori HW/SW
Gap assessment and compliance with GDPR, AI Act, Cyber Resilience Act and Machinery Regulation. For hardware, software and connected system manufacturers required to conform to the new European cybersecurity regulations.
Deliverable
  • Gap assessment GDPR / AI Act / CRA
  • Prioritised action plan
  • Updated records of processing activities
  • DPA template (Data Processing Agreements)
  • Product security technical documentation
  • Machinery Regulation compliance assessment
05
TPRM — Third-Party Risk
Who it's for
Procurement Supply Chain Legal CTO
Critical supplier assessment framework: security questionnaires, risk scoring, remediation plans for high-risk vendors and cyber-aligned contractual clauses. Mandatory for NIS2 entities with complex supply chains.
Deliverable
  • Customised TPRM framework
  • Security questionnaires for critical suppliers
  • Vendor risk scoring and classification
  • Remediation plan for high-risk vendors
  • Suggested cyber contractual clauses
  • Supplier register with risk level

Operational tools for your teams

Downloadable operational checklists. Completable online, printable as PDF.

Checklist NIS2 Readiness Checklist Ransomware Response Incident Reporting Guide

Not sure which package to start with?

A 30-minute call is enough to identify your priorities and build a tailored governance plan.