The firm reached out to us after an incident at a company it knew well, which made the partners realise a simple thing: data in Microsoft 365 is not automatically protected against deletion, ransomware or employee error. On top of that came the awareness that some of the firm’s clients are entities covered by NIS2, so questions about supply chain security were only a matter of time.

The starting situation

Email, documents and team communication ran in Microsoft 365, but with no independent backup. Accounts were protected by a password alone, and the workstations ran a classic antivirus that gave the IT team no insight into what was happening on the devices. The firm also had no organised security documentation, which is where a conversation about NIS2 begins.

Why it was urgent

In the legal profession, losing a document or leaking correspondence is not just a technical problem but a real risk of professional liability. Microsoft 365 itself protects Microsoft’s infrastructure, but it does not protect a company from its own mistake: a deleted case, a hijacked account or malicious encryption of files synchronised with the cloud.

How we ran the project

We started with the backup, because it provides an immediate safety net. In parallel we enabled MFA and conditional access to close the most common attack route, namely account takeover. Only then did the EDR layer come in, along with putting the NIS2 documentation in order, so that the changes would be lasting rather than a one off exercise.

We spread the whole thing out so as not to halt the firm’s work. We rolled out login changes in groups, with a short briefing for the team, rather than all at once on a single day.

What changed

Today the firm has an independent backup with tested restores, logins resistant to a password leak and real insight into workstation security. Just as importantly, it has documentation and procedures that organise the NIS2 topic before it becomes urgent under the pressure of an audit or client questions.