Success Stories — Catalan SMEs achieving NIS2 compliance

Success Stories

Catalan SMEs that moved from risk to compliance. Real sectors, real results, protected identities.

Case 01 — Industrial company in the metalworking sector

Challenge

A 90-employee company supplying major automotive corporations. Their main client demanded proof of NIS2 compliance and a documented security policy. They had 3 months to get compliant or lose the contract.

Solution

NIS2 diagnosis in 5 days. 8 critical gaps identified. Implementation of priority controls (access control, data encryption, network segmentation) with an external vCISO over 4 months. Full documentation for audit in ISO 27001-compatible format.

Results

  • ✅ Contract renewed
  • ✅ 8 gaps closed in 16 weeks
  • ✅ Documented security policy
  • ✅ Internal team trained (12 people)

Sector: Industry / Metalworking
Size: 85–100 employees
Duration: 4 months


Case 02 — Accounting and tax advisory firm

Challenge

A practice of 15 professionals managing data for over 200 client companies. Fully manual processes: data entry, document management and AEAT communication duplicated across email and Drive. 3 people dedicated to repetitive tasks that could be automated.

Solution

Implementation of Majordomm to automate document classification, bank reconciliation and client notifications. All data is processed on European infrastructure (servers in Germany); no sensitive client data leaves the EU.

Results

  • ⏱ 32 hours/week recovered
  • ✅ 0 privacy incidents in 12 months
  • ✅ Data 100% on EU infrastructure
  • 💶 Positive ROI in month 3

Sector: Tax advisory
Size: 12–18 professionals
Duration: 2 months of implementation


Case 03 — Private medical clinic

Challenge

A clinic of 28 professionals with medical records on paper and in legacy software that stored them unencrypted. An APDCAT inspection flagged that the health data protection measures (GDPR and the ENS basic level) were insufficient. Risk of fines of up to €300,000.

Solution

GDPR risk analysis and 3-phase remediation plan. Implementation of disk encryption, role-based access control and training for medical staff. Drafting of the Record of Processing Activities (RPA) and patient information clauses. Everything completed in 10 weeks.

Results

  • ✅ No APDCAT penalty
  • ✅ GDPR compliant in 10 weeks
  • 🔒 Medical records 100% encrypted
  • ✅ Staff trained in data protection

Sector: Private healthcare
Size: 25–30 professionals
Duration: 10 weeks

Your SME could be the next success story

Start with a free 5-minute NIS2 diagnosis. No commitment. No installation required.

⚙️ Transparency note: All cases described are based on real projects, with anonymised and aggregated data to preserve client confidentiality. The results shown are indicative and may vary depending on each company's starting position.