BastionSec
EU Compliance · GDPR · NIS2 · DORA

Enter Italy and the EU, fully compliant. Without becoming an EU red-tape expert.

GDPR, NIS2 and DORA aren't the same obligation for everyone: each has its own scope. We tell you which one applies to you and get you genuinely compliant, in your language.

  • Three different EU rules, three different scopes: we tell you which applies to you.
  • A local partner who speaks your language and knows the rules here.
  • GDPR is a regulation, NIS2 a directive, DORA a sector regulation.

Which one is yours?

Three different EU rules, three different scopes. In short:

GDPR

Do you process personal data of people in the EU? It almost certainly applies.

NIS2

Do you operate in an essential/important sector (energy, health, transport, digital…) above certain thresholds? It may apply.

DORA

Are you in the financial sector (or one of its critical ICT providers)? It applies.

GDPR: personal data protection

The General Data Protection Regulation applies to anyone processing personal data of people located in the EU, even if the company is based elsewhere. For market entrants it's almost always the first hurdle.

What we do for GDPR

  • Processing mapping and records of processing.
  • Legal bases, notices and consent management.
  • Risk assessment and DPIA where needed.
  • Data-subject rights and breach handling.
  • Supplier contracts (DPA) and non-EU transfers.
  • Support for the DPO / EU representative role where required.

Many GDPR controls rest on an ISMS: if you're also aiming for ISO 27001, we optimise the work and avoid duplication.

NIS2: network and information systems security (essential/important sectors)

The NIS2 directive raises the cybersecurity bar for 'essential' and 'important' entities in sectors such as energy, transport, health, digital infrastructure, ICT providers and others, above certain size thresholds.

Transposed nationally, it introduces risk-management obligations, technical and organisational measures, and incident notification, with accountability resting on management bodies.

What we do for NIS2

  • Applicability and category assessment (essential vs important) and registration with the competent authority where required.
  • Risk analysis and the required technical/organisational measures.
  • Incident-management and notification processes within the required timeframes.
  • Supply-chain and supplier security.
  • Governance and management accountability.

Much of NIS2 overlaps with the controls of an ISO 27001 ISMS: working together you avoid duplication.

DORA: digital operational resilience (financial sector)

The DORA regulation applies to the EU financial sector (banks, insurers, payment firms, asset managers) and their critical ICT providers, to ensure they withstand technology incidents.

It's more vertical than NIS2: if you're not in finance (or one of its critical ICT providers), it most likely doesn't apply to you.

What we do for DORA

  • Applicability check (financial entity or critical ICT provider).
  • ICT risk management and resilience framework.
  • ICT incident management, classification and reporting.
  • Digital operational resilience testing (including advanced testing where required).
  • Third-party ICT risk management and contractual clauses.

Resilience testing connects to our pentests: see the Audit & Pentest page.

Your local partner in Italy/the EU

You don't have to learn EU red tape: we already have. We speak your language, we know the rules here, and we translate EU obligations into your context. A reliable bridge that saves you the costly misstep, not a maze.

Entering Italy/the EU

The dedicated path for those entering the Italy/EU market, with a local point of contact in your language.

Go to path

Synergy with ISO 27001

Many GDPR and NIS2 controls rest on an ISMS: we optimise the work between law and standard.

Learn more

How we proceed and what it costs

Same staged method: initial assessment → what actually applies to you → getting compliant → maintenance.

Price depends on how many rules apply and on scope: a more focused engagement for GDPR alone, a more structured one for NIS2/DORA. We define it, transparently, after a first conversation.

Frequently asked

Which of these rules applies to my company?

Almost always GDPR, if you process data of people in the EU. NIS2 if you're in an essential/important sector above certain thresholds. DORA if you're in finance or a critical ICT provider to it. Write to us and we'll figure out what you need: we tell you exactly which apply, without selling you more than you need.

I already have SOC 2 (US): is it enough for the EU?

No. SOC 2 is a US attestation; in the EU, clients usually ask for ISO 27001 and you must comply with GDPR regardless. We tell you what you actually need here and avoid duplicating work.

Are NIS2 and DORA the same thing?

No. NIS2 is a broad directive across essential/important sectors; DORA is a vertical regulation for the financial sector (and its critical ICT providers). Different scopes: if you're in finance, look at DORA first.

Do you speak my language?

Content and contact are available in the languages we can genuinely serve (starting from Italian, English, German, French, Spanish, Arabic). We only publish a language when we can actually reply in it: no empty promises.

Are GDPR and ISO 27001 the same thing?

No, but they reinforce each other: GDPR is a data-protection law, ISO 27001 a security-management standard. Many controls overlap, so it's worth tackling them together.

How long does it take to get compliant?

It depends on how many rules apply and on your starting point. GDPR alone is faster; NIS2 or DORA, being more structured, take longer. We qualify it after a first conversation: no fixed timelines sight unseen.

Do I need a representative or a DPO in the EU?

Sometimes yes (it depends on your processing and your EU presence). We check, and where needed we support you. We don't impose it when it isn't required.

Go deeper

What GDPR is

The guide to the Regulation: scope, obligations, data-subject rights. Before you decide.

Read the guide

ISO 27001

The security-management standard many EU controls reuse: no duplication.

Learn more

ISO 42001 and the EU AI Act

Have AI in your product? The EU regulatory frontier also includes AI governance.

Learn more

Not sure where to start? We'll tell you, in your language.

Tell us your need: we figure out which rules apply to you and get you genuinely compliant.