Risk frame
Risk is asymmetric: a low-probability, high-impact event (deliberate sabotage, drone-borne disruption, insider compromise) sits alongside the day-to-day risk of theft, vandalism, and contractor error. The regulatory frame now expects operators to demonstrate readiness against both.
NIS2 brings cyber-physical scope; CER brings physical resilience requirements; Dutch national supervisors expect a programme that is auditable end-to-end. Suppliers without a documented programme are an audit liability.
Service fit
- Site hardening and continuous monitoring. Physical-security review, perimeter design, alarm and SOC integration, and documented response protocols for site-level incidents.
- Drone counter-measures. Drone detection and counter-measure integration for sites where airborne threat or unauthorised reconnaissance is a documented concern.
- NIS2 and CER programme support. Programme-level engagement combining physical-security work with the cyber and governance requirements of NIS2 and the CER Directive.
Example case patterns
- Substation hardening — regional grid. A regional grid operator commissioned a hardening review across substations, integrated alarm and SOC coverage, and documented response timing. Subsequent regulator review closed without findings on physical controls.
- Drone-incident integration. A water-treatment operator integrated drone-detection at perimeter following two unauthorised overflights. Subsequent overflights were detected and reported within minutes; regulatory disclosure timelines were comfortably met.