
As the director of an SME or healthcare institution, you’ll be faced with NIS-2 compliance—often not because your organization itself falls under the directive, but because your supply chain partner requires it. Your clients in healthcare, government, or industry must be NIS-2 compliant, and therefore you must demonstrate that their data is secure with you.
The problem: compliance without context
The challenge is that as a director you have to answer questions such as:
- “Are you NIS-2 compliant?”
- “Do you have security awareness training?”
- “How is your access control arranged?”
- “What is your backup strategy?”
And honestly? You often don’t know exactly. Your IT supplier says, “Sure, we’ll take care of that,” but you have no insight. No dashboard. No objective status. You have to take their word for it. That doesn’t feel comfortable – and rightly so.
What you need as a director
You don’t need to become a cybersecurity expert. But you do need:
1. Understanding of your security status. “Where are we now? Are we compliant or not?”
2. Objective data. Not: “We have that arranged.” But: “94% of our workplaces have disk encryption active.”
3. Simple reporting. To your chain partner: “Here is our compliance dashboard.” To your board: “This is our status, these are the risks.”
4. Value for your investment. Is this money well spent? Will it actually improve security?
5. No hassle with timelines. You don’t have time for months-long implementation processes.
The traditional approach: expensive and opaque
Scenario: You call a security consultant
- Week 1-2: Intake interviews, collecting documents
- Week 3-4: Gap analysis (€5,000-€10,000)
- Week 5-8: Drafting an implementation plan
- Week 9-12: Organizing training sessions
- Week 13-16: Audits and reporting
Costs: €15,000 – €30,000. Result: A 50-page report and a certificate. Problem: In six months, the information will be outdated, and the hourly rate makes data collection very expensive.
And your most important question remains unanswered: “Are we safe NOW?”
The Lupasafe approach: insight in hours, not months
What you get (concrete)
As a director you log in and see:
📊 Dashboard with compliance score
NIS-2 QM-10 BASIC Status: 87%
🟢 Compliant (8 out of 17 controls)
🟡 In progress (9 checks)
🔴 Attention needed (1 check)
Per control group:
- Organizational: 85% – Policy approved, roles identified ✅
- Staff: 78% – Training: 39/50 employees completed 🟡
- Technical: 94% – Encryption, firewall, backups in order ✅
What this means for you
1. You’re in control. You can demonstrate your position at any time. No surprises during audits.
2. You get value for your money
- Visible: Exactly which employees still need training
- Measurable: Compliance score goes from 78% to 94%
- Actionable: “These 3 actions will get us to 95%”
3. You can manage. You see: “Training compliance: 78%.” You ask HR: “Can we still get those 11 employees trained this month?” Next week you see: “Training compliance: 96%.”
4. You can report
- To chain partner: “Here is our NIS-2 status” (1 link to dashboard)
- To the board: “We scored 87%, the industry average is 72%”
- To IT supplier: “Disk encryption is still disabled on 2 laptops”
Practical example: Director of a healthcare institution
Situation: Martijn is the director of a home care organization with 45 employees. His largest client (a hospital) requires NIS-2 compliance for their collaboration.
Without Lupasafe:
- Martijn calls his IT supplier: “Are we compliant?”
- IT supplier: “That should be fine, we’ll take care of the backups”
- Martijn doesn’t know what “it’ll be fine” means
- An audit reveals that control 2.2 (Education of managers and employees about digital security) is not in order
- The contract with the hospital is at risk
With Lupasafe:
- Martijn sees in the dashboard: “Security awareness: 72% compliant”
- He sees exactly which 13 employees still need training
- HR emails these employees with a personal training link
- Within 2 weeks: 96% compliant
- On audit: “Here’s our real-time compliance dashboard”
- The hospital is impressed: “We have never seen such transparency”
Result: Contract extended, plus new orders due to “exemplary security”
No hassle with timelines – the process
Day 1: Open an account
- Your IT manager or supplier connects your systems
- Entra ID (Microsoft 365) connection
- Duration: 30 minutes
Day 2: First data
- Platform automatically starts collecting data
- Endpoints are being scanned
- Cloud configuration analyzed
- Duration: Happens automatically
Day 3-7: Dashboard available
- You see your first compliance score
- Trainings are being rolled out
- You have your first management report
No waiting for months. No expensive consultants needed.
The administrative controls – what you pay attention to
As a director, you’re responsible for the “why” and the “what,” not the “how.” Here are some examples of QM controls that give you control:
1. Information security policy (1.2)
What you need to know: Is there an approved policy?
What Lupasafe shows: ✅ Policy in place, approved on 15-03-2024
Your action: Approve the policy annually
2. Cybersecurity Responsibilities (1.3)
What you need to know: Who is responsible for what?
What Lupasafe shows:
- Director: J. Parker (you)
- IT-manager: P. Smith
- DPO: M. Johnson
Your action: Confirm that the roles are correct
3. Security awareness Training (2.2)
What you need to know: Are employees trained?
What Lupasafe shows:
Training status: 78%
- Management: 5/5 completed ✅
- Healthcare staff: 28/35 completed 🟡
- Support personnel: 6/10 completed 🟡
- Average score: 8.1/10
- Latest phishing test: 12% click rate (industry: 18%)
Your action: Instruct HR to approach stragglers
Value for money: the ROI
A brief comparison between the traditional approach and Lupasafe
Traditional compliance (per year)
- Consultant: €10,000
- Internal time spent by management/HR: €5,000
- Training by external party: €3,000
- Audit preparation: €4,000
- Total: €22,000/year
With Lupasafe (per year)
- Platform (40 users): €3,840
- Internal time commitment: €500
- Training via platform: €0 (included)
- Audit preparation: €500 (auditor gets access to the portal)
- Savings through reduction of existing security tools (to be determined)
- Total: €4,840/year
Savings: €17,160 per year
But more important than the costs: You actually get more security
Example risk reduction:
Before Lupasafe: “According to the IT supplier, all laptops have disk encryption”
With Lupasafe: “All laptops are compliant, including home work devices”
Difference: You know for SURE. And if it’s not right, you’ll see it immediately.
The business case for your board
Investment
€3,000 – €5,000 per year (depending on the number of users)
Benefits
Hard benefits:
- Compliance with chain obligations → maintain contracts
- Avoid non-compliance fines (up to €10M)
- Reduction in consultant costs: €10,000-€15,000/year
- Reduction of audit preparation time: 80%
Soft benefits:
- Transparency towards management and supervisors
- Competitive advantage in tenders
- Trust among customers and partners
- Reputation protection in case of incidents
- No surprises when questions arise, respond quickly to customer requests
Payback period
3-6 months (through consultancy and audit savings)
Practical steps
Step 1: Orientation (this week)
- Demo request with Lupasafe
- Discuss with IT manager/supplier
- View sample dashboard
Step 2: Decision (next week)
- Submit business case to board if necessary
- Free up budget
- Agree to implementation
- You appoint those responsible
Step 3: Implementation by IT/Supplier (week 3)
- After signing the quotation, the IT manager/supplier can open an account on Lupasafe
- Linking systems (Lupasafe works with read-only permissions and makes no changes)
- Endpoint deployment
- Starting network scan
- Connecting Microsoft 365 for security checks
- Monitoring email traffic
- Employees receive training invitation (30+ languages)
- Phishing simulation is started
Step 4: In operation (week 4)
- You review the first dashboard with IT
- You share link with chain partner
- You report status to management
Frequently asked questions from directors
“Should I become an IT expert myself now?” No. You get management information, not technical details. Just like you look at profit figures without being an accountant.
“Can’t my IT supplier just handle this?” Possible, but then you won’t have any insight. Lupasafe puts you in control. Your IT supplier can also be given access to implement it.
“What if we are already compliant?” Lupasafe then confirms this objectively. You then have evidence for audits and supply chain partners.
“How much time does this cost me as a director?”
- Start-up phase: max 1 hour (assign roles, approve policy)
- Ongoing: 15 minutes per month (view dashboard)
- Reporting: Automatically generated
“What if we find too many non-compliant cases?” The dashboard prioritizes. You don’t solve everything at once. You create a plan: first critical issues (red items), then areas for improvement (yellow items).
“Can we do this step by step?” Yes. Start with the basic level (QM-10), and expand to QM-20 or QM-30 later if needed for your sector.
The chain partner report
You can share what your chain partner wants to see directly using the following options:
Option 1: Sharing the detailed (PDF, Excel) reports
You give access to the compliance reports.
Option 2: Dashboard access
You or IT give the auditor access to your Lupasafe dashboard (portal user).
Option 3: Certificate
After external audit: NIS-2 QM-10 or QM-20 certificate.
What chain partners value:
- Transparency (no vague answers)
- Objectivity (data, not opinions)
- Up-to-date data (no year-old report)
- Traceability (which version, when)
Conclusion: from obligation to opportunity
NIS-2 chain responsibility feels like a burden. With Lupasafe, it becomes a strategic tool:
✅ You’re in control – You know where you stand
✅ You can manage – You see what needs to be done
✅ You can report – Transparent to all stakeholders
✅ You add value – Actual better security, not just paper
✅ You’re efficient – No months of implementation, no expensive consultants
Next step
Direct insight into your situation? Start with our free NIS-2 Quick Scan (10 minutes) and discover where your organization stands.
Questions? Personal consultation? Schedule a 30-minute consultation with one of our advisors. No obligations, just concrete answers tailored to your specific situation.
Demo of the platform? View the dashboard as you would see it for your organization.
Lupasafe – NIS-2 Compliance for Directors Who Want to Stay in Control
This article is written for directors and executives in SMEs and healthcare organizations who are faced with NIS-2 compliance due to supply chain responsibility. For technical implementation details, see our article for IT managers.
