BW-NIS2-2026-03

Confidential Commercial Proposal
March 2026 · Validity 30 days

Recipient

Fraccaro Radiant Solutions

fraccaro.it · NIS2 Proposal — Vanguard Package + Add-ons

NIS2 Compliance — EU Directive 2022/2555

Vanguard Package
for NIS2 compliance

A managed security plan designed to fully address the requirements of the NIS2 Directive, with 24/7 monitoring, advanced threat detection, and security governance in a single scalable solution.

Base Package

✦ Platinum

Vanguard Package

Enterprise-grade endpoint protection with independent external SOC 24/7/365 — Advanced EDR + Bitwire SOC MDR Essentials + proactive remote management and automatic patch management. NIS2 Art. 23 incident response documentation.

Monthly fee

€515

50 endpoints · 12 months

Multi-layered Endpoint Protection

Static and behavioral AI, malware prevention, ransomware, fileless attacks, exploits

24/7/365 Managed SOC

Real-time human analysts — triage, containment, and immediate response with 30 min SLA

Automatic Isolation

Immediate disconnection of the infected endpoint from the network without manual intervention

Post-Incident Recovery

Rollback of endpoint state to pre-infection, complete removal of malicious artifacts

Advanced Threat Hunting

Proactive search for indicators of compromise, total visibility of the endpoint environment

Incident Response Report

Detailed documentation for every incident — NIS2 Art. 23 notification requirement

24/7 RMM Monitoring

Real-time visibility on every device — CPU, disk, RAM, uptime, and hardware anomalies

Automatic Patch Management

OS and application updates deployed automatically — zero open vulnerabilities

Available Add-ons

Add-on · Compliance

Log Protection & Retention

Raw telemetry stream on S3 Data Lake — NIS2 Art. 21 prerequisite. Base fee includes 1 TB/month (estimate for 50 endpoints). Higher volumes quoted separately.

Raw telemetry of collected XDR data (process, network, files, DNS)
S3 storage included up to 1 TB — extra volumes quoted
Unlimited ingress — no writing costs
Elastic retention — no limits imposed by the vendor
Immutable audit trail and anti-tampering protection for NIS2 inspections
Log export via API / Syslog for third-party integrations

The service ensures constant data availability for Forensic Analysis and Incident Response activities as required by the Directive.

Monthly add-on

50 endpoints · up to 1 TB

+€110

/month

Add-on · Governance

vCISO — NIS2 Governance

Virtual Chief Information Security Officer, a continuous point of contact for governance, risk, and NIS2 compliance.

Continuous supervision of the corporate security posture
Definition and update of security policies and frameworks
Cyber risk management and risk register
Reporting for management and supervisory bodies
Coordination with auditors and authorities (AGID/ACN)
2 hours of monthly support included for document drafting and product support

NIS2 assessment, gap analysis, remediation plans, and any other operational intervention are quoted separately.

Monthly retainer

per tenant

+€729

/month

Why Vanguard + Bitwire SOC — vs Bitdefender MDR

EDR and SOC are two independent layers — by design

Our architecture deliberately separates the EDR engine (Vanguard) from the SOC analyst (Bitwire SOC). 72% of threats that the EDR alone does not detect — lateral movement, privilege escalation, fileless techniques — are intercepted by the independent SOC layer. Two brains, one response.

SOC Architecture

Vanguard

Independent external SOC

Bitwire SOC operates on a separate layer from the EDR — double coverage

Bitdefender

Integrated same-vendor SOC

MDR and EDR share the same engine — single point of failure

Threats without EDR alert

Vanguard

+72% detected

Bitwire SOC intercepts threats that Vanguard has not yet flagged

Bitdefender

EDR alerts only

If the EDR doesn't detect it, the SOC doesn't intervene

AI / ML Engine

Vanguard

Best-in-class

5th consecutive year Gartner Leader EPP 2025 — MITRE 100% detection

Bitdefender

Good, not leader

Lower ranking in MITRE tests compared to top vendors

Lateral movement

Vanguard

Native Bitwire SOC

Patented detection via agent-independent network telemetry

Bitdefender

Agent-based only

Depends on the agent installed on the compromised endpoint

Alert fatigue

Vanguard

Eliminated

Bitwire SOC filters and notifies only real and verified threats

Bitdefender

Present

Higher false positive rate, requires continuous manual tuning

NIS2 Incident response

Vanguard

NIS2-ready reports

Every SOC intervention produces a report with timeline, actions, and resolution

Bitdefender

Limited reports

Less granular documentation, often unsuitable for NIS2 Art. 23 requirements

Vendor lock-in

Vanguard

None

EDR and SOC replaceable independently — open architecture

Bitdefender

High

Changing EDR = changing MDR, expensive and risky migration

Platform stability

Vanguard

Proven

No critical outages — balanced local + cloud architecture

Bitdefender

Acceptable

Stable platform but older architecture, more frequent updates

Remote Management (RMM)

Vanguard

Included

24/7 monitoring, automatic OS & app patches, BitLocker, hardening, hardware asset visibility

Bitdefender

Not included

No RMM, no patch management, no remote management — additional cost

Characteristic	Vanguard + Bitwire SOC	Bitdefender + Integrated MDR
SOC Architecture	Independent external SOC Bitwire SOC operates on a separate layer from the EDR — double coverage	Integrated same-vendor SOC MDR and EDR share the same engine — single point of failure
Threats without EDR alert	+72% detected Bitwire SOC intercepts threats that Vanguard has not yet flagged	EDR alerts only If the EDR doesn't detect it, the SOC doesn't intervene
AI / ML Engine	Best-in-class 5th consecutive year Gartner Leader EPP 2025 — MITRE 100% detection	Good, not leader Lower ranking in MITRE tests compared to top vendors
Lateral movement	Native Bitwire SOC Patented detection via agent-independent network telemetry	Agent-based only Depends on the agent installed on the compromised endpoint
Alert fatigue	Eliminated Bitwire SOC filters and notifies only real and verified threats	Present Higher false positive rate, requires continuous manual tuning
NIS2 Incident response	NIS2-ready reports Every SOC intervention produces a report with timeline, actions, and resolution	Limited reports Less granular documentation, often unsuitable for NIS2 Art. 23 requirements
Vendor lock-in	None EDR and SOC replaceable independently — open architecture	High Changing EDR = changing MDR, expensive and risky migration
Platform stability	Proven No critical outages — balanced local + cloud architecture	Acceptable Stable platform but older architecture, more frequent updates
Remote Management (RMM)	Included 24/7 monitoring, automatic OS & app patches, BitLocker, hardening, hardware asset visibility	Not included No RMM, no patch management, no remote management — additional cost

NIS2 Coverage — Art. 21

NIS2 Requirement	Regulatory Reference	Coverage
Incident detection and response Identification, containment, and notification within 24h Art. 21(2)(b) · Art. 23	Art. 21(2)(b) · Art. 23	Vanguard
Endpoint security Protection of workstations, servers, and devices Art. 21(2)(a)	Art. 21(2)(a)	Vanguard
24/7 continuous monitoring Real-time detection of anomalies and threats Art. 21(2)(b)	Art. 21(2)(b)	Vanguard
Patch Management & maintenance Automated OS and app updates, compliance evidence Art. 21(2)(e)	Art. 21(2)(e)	Vanguard
Endpoint encryption & key escrow Centralized BitLocker, policy enforcement, key recovery Art. 21(2)(h)	Art. 21(2)(h)	Vanguard
Hardening & security baseline Disabled insecure protocols, firewall, registry hardening Art. 21(2)(a) · Art. 21(2)(g)	Art. 21(2)(a) · Art. 21(2)(g)	Vanguard
Log retention & audit trail Event traceability — S3 Data Lake, elastic retention Art. 21(2)(b)	Art. 21(2)(b)	Add-on Log
System integrity Immutable raw telemetry, searchable audit trail for NIS2 Art. 21(2)(e)	Art. 21(2)(e)	Add-on Log
Governance and risk management Framework, security policies, risk register Art. 21(1) · Art. 20	Art. 21(1) · Art. 20	Add-on vCISO
Risk assessment and treatment Continuous gap analysis and remediation plan Art. 21(2)(a)	Art. 21(2)(a)	Add-on vCISO
Reporting for supervisory bodies Audit-ready documentation for AGID / ACN Art. 20 · Art. 23	Art. 20 · Art. 23	Add-on vCISO
Identity and access security MFA, Active Directory protection, IDR Art. 21(2)(i)	Art. 21(2)(i)	Phase 2
Business continuity and backup DR, documented RTO/RPO, system resilience Art. 21(2)(c)	Art. 21(2)(c)	Phase 2
Vulnerability Scanning — Network & Endpoint Agentless network scanning, CVE tracking, patch prioritization Art. 21(2)(e) · Art. 21(2)(a)	Art. 21(2)(e) · Art. 21(2)(a)	Phase 3

Economic Summary — 50 Endpoints

Vanguard Package

Endpoint Protection + 24/7 SOC + Patch Management + RMM Monitoring

€515/month

Log & Retention Add-on

Cloud Funnel + S3 Storage up to 1 TB— additional volumes quoted

+€110/month

vCISO Add-on

NIS2 Governance — Bitwire vCISO + Third-party risk management

+€729/month

Complete NIS2 Solution

Annual commitment · 50 endpoints · 1 tenant · VAT excluded

€1,354/month

≈ €16,248 / year

After the 2 included monthly hours, an hourly rate of 70€/h is applied

Progressive activation available.

The Vanguard package can be activated immediately as a first step. The Log and vCISO add-ons can be added in later phases according to the agreed roadmap, without service interruptions.