
NIS2: a board-level cyber resilience agenda to strengthen and improve cyber security across EU

From IT concern to governance responsibility

NIS2 is changing the rules of the game for cyber risk in Europe. It is an EU directive that each Member State transposes into binding national legislation, so the obligations are enforced under national law. For leadership teams and boards, this is not “another IT initiative”. It is a governance obligation that requires you to demonstrate control over cyber risk across both IT and OT (industrial control, production, building systems, and other operational environments), with clear accountability, documented decisions, and measurable progress.

Why this matters now

Most organizations will be affected by NIS2 in three ways, regardless of whether they currently label themselves “IT-heavy” or “industrial”:

  • Board accountability becomes explicit. NIS2 pushes cyber risk into the core of corporate governance: leadership must approve, steer, and follow up risk management measures and meet training expectations.
  • Operational disruption is the real business risk. In OT-intensive environments, cyber incidents often translate into halted production, compromised safety, delayed deliveries, and contractual exposure.
  • Customers and supply chains will demand evidence. Procurement, partner assurance, and supplier onboarding increasingly require proof of resilience, incident readiness, and structured security management.

What NIS2 requires in practice

Governance, accountability, and leadership oversight
  • Clear ownership across first and second line (business/operations, IT/OT, security, risk, and compliance).
  • Mandatory cyber security training for management bodies, to ensure informed oversight of cyber risks.
  • Active leadership involvement in prioritization, resource decisions, and follow-up.
  • Documented decision-making, oversight, and evidence that withstands regulatory scrutiny, including traceability from decisions to implemented measures and results.
  • Maintained visibility of critical services and assets to support effective governance and risk ownership.
Risk-based security measures across IT and OT
  • A realistic and up-to-date understanding of the organization’s attack surface, including legacy systems, OT environments, and interdependencies.
  • Risk-based security controls that reduce the likelihood and impact of disruptive events, not only formal compliance controls.
  • Structured vulnerability and patch management, including identification, prioritization, and remediation based on risk.
Incident readiness and reporting capability
  • An operational incident management capability to detect, assess, escalate, and coordinate responses across the organization.
  • Reporting readiness aligned with the NIS2 timelines for significant incidents (early warning to the competent authority or CSIRT within 24 hours, an incident notification within 72 hours, and a final report within one month), supported by established, rehearsed escalation procedures.
  • Tested backup, recovery, and business continuity arrangements to ensure resilience and timely restoration of critical services.
Supply chain and service-provider control
  • Governance mechanisms covering contractual requirements, ongoing oversight, and practical verification of supplier security measures.
  • Visibility and documentation of critical supplier dependencies to support risk assessment and regulatory evidence.
  • Risk-based cyber security requirements for key suppliers and service providers (including those with deep system access).

Who is in scope: “Essential” and “Important” entities

NIS2 distinguishes between Essential entities (in the Swedish transposition: väsentliga entiteter) and Important entities (viktiga entiteter). This classification determines the intensity of supervision and the level of sanctions, and it sets expectations for the organization’s cyber security maturity and evidence.

Classification is not determined by sector alone: it also depends on the entity’s size (the directive’s medium and large enterprise thresholds) and on how each Member State transposes the directive. The sector lists below are therefore illustrative, not a substitute for an applicability assessment:

Essential entities

  • Energy (district heating/cooling, electricity, oil, gas, hydrogen)
  • Transport (air, rail, shipping, roads)
  • Banking and financial market infrastructure
  • Drinking water and sewage
  • Digital infrastructure
  • Public administration
  • Space services

Important entities

  • Postal and courier services
  • Food production and distribution
  • Medical equipment
  • Digital marketplaces and search engines
  • MSP/MSSP (managed service and security service providers)
  • Chemicals
  • Health care (including labs and research)
  • Gas (including biogas and hydrogen)
  • Digital social networks

A practical point for many organizations: even if you are not directly in scope, you may still face NIS2-driven requirements through clients, partners, and supply chains.


Enforcement and financial exposure

Sanctions can be significant. For Essential entities, NIS2 provides for administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher; for Important entities, up to EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher. Exact amounts and procedures follow from national implementation.

Beyond financial penalties, the regulatory direction is clear: authorities can order corrective actions, and leadership accountability is explicitly emphasized, meaning organizations must take cyber governance seriously at board level.

How AFRY helps: from regulation to real resilience in IT and OT

AFRY supports leadership teams with a pragmatic path from requirement to execution, combining deep technical expertise (IT/OT) with governance, risk, and regulatory understanding.

Typical engagement tracks:

Board-ready NIS2 readiness sprint

  • Rapid applicability and entity assessment (Essential vs Important).
  • Cyber security training for management bodies.
  • Executive briefing: risk evaluation, obligations, and decision points.
  • A prioritized action plan with owners, timelines, and investment logic.

IT/OT gap analysis and roadmap

  • Current state assessment across technology, operations, and suppliers, based on proven methods and frameworks such as the ISO/IEC 27000 series and IEC 62443.
  • A risk-based roadmap that balances compliance, resilience, and business continuity.
  • Evidence structure: what you need to document and how to maintain it.
  • Review of the current state of policies, standards, and procedural documents.

Implementation and operationalization

  • Implement steering and governance procedures for cyber security based on proven frameworks.
  • Targeted operational and technical implementation in critical areas such as IAM, network segmentation, and incident response.
  • Organizational cyber security training, either for general awareness or for specific operational areas.
  • Cyber incident response exercises and simulations.
  • Support for supplier requirements and verification.

For more information, please contact:

Filip Enander - Business Unit Manager Cyber Security


Read more about NIS2 directive - What does it mean, who are included and how will it affect you?