NIS2 – Challenge or opportunity?

3 February, 2025

At a time when technology is evolving at a rapid pace and time-to-market for new products is crucial, cyber threats are becoming increasingly sophisticated. The European Union has responded by adopting a new and improved cybersecurity directive, known as NIS2, which is expected to come into force in October 2025.

What is NIS2?

NIS stands for Network and Information Systems, and the NIS Directive is the EU's directive on the security of such systems. NIS2 is the successor to the original NIS Directive and aims to strengthen security within Member States and protect societies against digital threats. But what does NIS2 actually mean, and what challenges and opportunities do we face?

The Directive requires companies and organizations to take measures to protect their networks and information systems, and imposes reporting requirements for incidents and information security. NIS2 is considered by many to be more comprehensive than the GDPR, and it may also apply to companies and organizations that are part of supply chains.

It's not just about protecting data, but also about safeguarding company culture, relationships and brand. Companies that have already adopted frameworks or standards and are working on quality management systems are better prepared to deal with new regulations.

Improving cybersecurity and incident response

One of the main benefits of NIS2 is that it offers a stronger and more coherent framework for cybersecurity across the EU. It also sets the stage for other rules and frameworks.

The directive requires companies to report security incidents within a certain timeframe, leading to faster response and more effective management of cyber threats.

Who is covered by the NIS2 Directive?

Here is an overview of who is covered by the Directive:

Significant service providers

These include companies and organizations that provide services that are essential to the functioning of society and the economy. Examples of such service providers are:

  • Energy companies (e.g. electricity, gas and oil)
  • Transport companies (e.g. air, rail, sea and road transport)
  • Banks and financial institutions
  • Health care providers
  • Drinking water, wastewater and waste management companies
  • Digital infrastructure (e.g. internet and data centers)

Digital service providers

These companies offer services online and also have a critical role in the functioning of society. Examples include digital marketplaces, cloud service providers and search engines.

Medium and large enterprises

NIS2 primarily covers large companies and organizations in the sectors mentioned. Small and medium-sized enterprises can often be excluded, unless they provide essential services that can affect the functioning of society, or are subcontractors to a larger company or organization.

Supply chains

Companies and organizations that are part of supply chains to the mentioned sectors can also be covered by NIS2. This includes subcontractors and partners that provide critical services or products that affect the overall security of the supply chain.

Public administrations

Most public authorities and institutions providing vital services to the public are covered by the Directive, depending on the Member State's implementation.

Roger Edin, Anchor Management Consulting. Photo: Dan Sone

How is NIS2 monitored by authorities?

The NIS2 Directive introduces stricter enforcement and sanctioning measures. Regulators will have increased powers to monitor and enforce the rules, as well as to carry out regular audits and inspections of companies and organizations covered by the directive.

In Sweden, the Swedish Civil Contingencies Agency (MSB) has national coordination responsibility for supervisory authorities. Examples of authorities that have supervisory responsibility for their societal functions are the Swedish Financial Supervisory Authority, the Swedish Post and Telecom Authority (PTS), the Swedish Energy Agency and the Swedish Health and Social Care Inspectorate (IVO).

Sanctions

Companies and organizations that do not comply with the NIS2 Directive's requirements risk facing significant sanctions. These can include administrative fines, which vary depending on the seriousness of the breach and the size of the company. In the case of serious or repeated breaches, sanctions may include:

  • Fines of up to €10 million or 2% of global annual turnover, whichever is higher
  • Orders to remedy security deficiencies within a certain timeframe
  • Publication of the infringement to inform the public and other stakeholders
  • Restricting access to certain services or markets until security measures are in place

Challenges with NIS2

Meeting the requirements of NIS2 can be costly for many businesses, especially SMEs. Investing in new technology, hiring cybersecurity experts and implementing new security protocols can pose significant financial challenges.

The implementation of NIS2 may require extensive adaptation and changes to a company's existing security systems and processes. This complexity can be difficult to manage, especially for companies that lack sufficient resources and expertise in cybersecurity and information management.

Opportunities with NIS2

Companies and organizations often see regulations as obstacles rather than assets. GDPR is a case in point: for many it was implemented at the last minute, which limited the added value in terms of synergies realized and new business opportunities. Management often hesitates to invest in compliance until it becomes mandatory or until, for example, inefficiencies or cyber incidents force their hand.

As an example of such synergies, NIS2 and GDPR together can further strengthen an organization's overall security and data protection strategy and ease compliance with future regulations.

Update and improve existing processes

By seeing regulations as a tool to strengthen their security architecture, companies can build a stronger platform for innovation and future growth.

The NIS2 Directive gives companies a chance to reuse and optimize their existing processes, frameworks and regulatory work. Examples include ITIL, SOC 2, GMP, MDR, GDPR and ISO 9001. By integrating these standards, companies can not only ensure legal compliance, but also prepare for e.g. IPOs, expansion into new markets and new product launches.

Training and awareness-raising for staff

Training and knowledge are key to the successful implementation of NIS2. By using existing security awareness training programs and adapting them to include NIS2 requirements, companies can ensure that all staff are informed of their roles and responsibilities. This creates a security culture that supports compliance with existing and new directives.

Consultants at Anchor Management Consulting. Photo: Karin Leijon

Merge NIS2 with existing business continuity plans

Business continuity and disaster recovery are critical areas already addressed by many companies. By integrating NIS2 requirements into these plans, businesses can ensure that their preparedness for cyber incidents and disruptions is even more comprehensive and well-coordinated.

Leveraging existing technologies and tools

Businesses can also leverage their current tools and investments in technology to meet NIS2 requirements. By analyzing and evaluating how existing systems can support the new rules, companies can avoid unnecessary costs while ensuring a smooth transition. This can include everything from security monitoring tools to reporting and analysis tools.

We can help you see the challenges as an opportunity

At Anchor, we have many years of experience in implementing regulatory directives, standards and certifications so that they both create business value and meet the requirements in a cost-effective way. Please contact me if you want to know how we can help you with NIS2, GDPR and other regulatory requirements.

About Roger Edin

››I am passionate about what you might call customer support. Translating technology into the customer's language. And when I say customer, I mean both our clients and their customers. I gladly promote others, create job satisfaction and energy—I have no need to be in the center. For me, a good start to a project is that we have identified "the biggest pains" both among the management and on the floor. My task is to compile it into an answer.‹‹