NIS2: Key changes in cyber security
The EU is strengthening protection against cyber threats with the NIS2 Directive. Highly digitalised industries are particularly affected, and companies need to adapt with new security routines and strategies. Make sure your business is prepared for implementation.
The EU, with its 27 member states, is currently the global leader in digital security, i.e., the protection of digital structures and systems against hostile attacks. IT incidents that threaten society's essential and important operations are increasing in number. Such incidents may disable IT systems entirely, distort built-in functions without the knowledge of the system owners, or otherwise seriously disrupt normal operations.
Consequently, the EU must protect the Common Market, which is increasingly dependent on a high level of digital maturity. By implementing NIS2 and a series of other legislative acts, member states increase their capability to resist cyber threats.
How NIS2 affects cyber security in the industry
Sectors marked by a high degree of automation and digitalisation, particularly operational technology (OT) in the manufacturing industry, will be greatly affected by the NIS2 directive. Companies must start taking into account cyber security hygiene requirements throughout all product and service life cycles.
Companies must implement many new routines and processes to maintain a high level of security. AFRY has extensive experience with implementing a management system for systematic security procedures and can support all parts of the organisational change process.
How to prepare your business according to NIS2
- Does NIS2 apply to your business? Assess this against the directive's entity rules.
- Identify and analyse cyber security threats and vulnerabilities.
- Map your business, supply chain and collaboration with others.
- Design a strategy to address discovered vulnerabilities and create a cyber hygiene management system.
- Train everyone in the business - create a culture of security.
The NIS2 Directive expands supervision
The NIS2 directive expands the list of sectors and public services already catalogued in the annexes of the first NIS directive. These sectors and services are divided into two classes - essential and important entities. The two classes demand essentially the same kind of cyber security, but they differ when it comes to supervision and sanctions.
For important entities, supervision must be justified in advance by an incident, a suspicion of an incident, a deficiency, or a non-conformity. For essential entities, regulators may conduct proactive, unannounced ad-hoc inspections regardless of any previous incident or suspicion. Regulators also have a range of sanctions at their disposal.
National reporting of cyber incidents to the European Commission and to the EU cyber security agency ENISA will be more extensive under NIS2 than before, and supervisory powers are also expanded. Under NIS2, supervision of essential entities is proactive: the supervisory authority can carry out inspections without any prior incident report or suspicion of deviations. Supervision of important entities is more reactive and must be based on a reason established before the inspection.
Frequently asked questions about the NIS2 directive
What is the NIS2 Directive?
The NIS2 Directive is an EU directive aimed at strengthening cyber security across the union. NIS2 raises the requirements for security measures and risk management for various operations. The directive is designed to enhance the resilience of the most critical societal functions, particularly by increasing resistance to cyberattacks.
How will NIS2 be implemented?
The NIS2 Directive will be implemented through each member state's national laws.
For specifics on implementation in Sweden, see our Swedish page about NIS2.
What's new compared to the previous NIS directive?
- Expanded scope covering more sectors and operations.
- Stricter requirements for risk management and security measures.
- Improved incident reporting with clearer timelines and content requirements.
- Increased responsibility for organisational leadership.
- Harmonisation of the sanctions system across the EU.
- Enhanced collaboration and mandatory information sharing between member states and relevant authorities, including the Cyber Crisis Liaison Organisation Network (EU-CyCLONe), to strengthen overall cyber resilience and crisis management.
- Harmonised and stricter supervisory measures for competent authorities to enhance their oversight of organisations' compliance with cybersecurity requirements.
What is required of organisations covered by NIS2?
In short, NIS2 requires organisations to:
- Implement systematic information security practices.
- Take appropriate technical and organisational security measures.
- Appoint a contact point within the organisation for incident reporting. This designated contact person is responsible for communicating with the relevant Computer Security Incident Response Team (CSIRT) or competent authority in the event of a significant incident.
- Report significant incidents to the relevant supervisory authority.
- Ensure that management approves and oversees risk management measures.
- Ensure the organisation has secured its supply chain, including setting security requirements for their suppliers and service providers.
Is my organisation affected by the NIS2 directive?
If the organisation operates in one of the sectors listed below and has more than 50 employees and an annual turnover or balance sheet total exceeding 10 million euros, it is covered by NIS2. Certain exceptions to the size threshold apply for particularly critical activities. If in doubt, contact your local authorities.
New functions of societal importance that are covered by NIS2
- Mail and courier handling
- Waste management
- Food
- Medical equipment
- Digital marketplaces
- Search engines
- Community administration
- MSP and MSSP
- Chemicals
- Social networks
- Space services
- Drainage
Functions of societal importance that are already covered by NIS1 and now by NIS2
- Energy (district heating, cooling, electricity, oil, gas, hydrogen)
- Gas, incl. biogas and hydrogen
- Transport
- Banking and Finance
- Health care, incl. lab and research
- Drinking water
- Digital infrastructure
Functions that are critical (Essential Entities)
- Energy (district heating, cooling, electricity, oil, gas, hydrogen)
- Transport (air, rail, shipping, roads)
- Banking and Financial market infrastructure (payment services, etc.)
- Drinking water and sewage
- Digital infrastructure
- Community administration (public administration)
- Space services
Important Entities
- Mail handling
- Food production and distribution
- Medical equipment
- Digital marketplaces
- Search engines
- MSP and MSSP
- Chemicals
- Health care incl. lab and research
- Gas incl. biogas and hydrogen
- Social networks (digital)
What is the penalty for not complying with NIS2?
NIS2 is implemented through national laws in each member state, which means states can set their own financial penalties. However, the directive provides a clear framework and sets a maximum penalty limit. This approach allows flexibility while keeping everyone aligned under a unified standard.
The maximum penalty depends on the class of organisation: for essential entities, the maximum fine is the greater of €10,000,000 or 2% of total global annual turnover. For important entities, the figures are €7,000,000 or 1.4% of total global annual turnover.
It will also be possible to hold the organisation's management personally liable for non-compliance, and they may additionally be prohibited from performing management functions.