NIS2 is a significant piece of legislation focused on securing Europe’s digital economy. In a time of rapid digital growth, it sets new standards for a more secure and resilient digital future.
Building on the foundation of the Network and Information Security (NIS) directive of 2016, the NIS2 Directive marks a pivotal shift in the European Union's approach to cybersecurity. It reinforces the need for robust protections across critical sectors by improving network security, enhancing the resilience of critical infrastructure and creating a unified cybersecurity framework with faster incident reporting requirements.

Countries across Europe are actively tailoring their laws to comply. In the Nordic region, countries are in the process of transposing the Act into their national laws. NIS2, therefore, represents more than just a legal obligation for large businesses in the region — it is also an opportunity to ensure your business is on track to meet today's cybersecurity demands.

Here's everything you need to know about the NIS2 directive and the emerging national frameworks to help you lead the way in cybersecurity.

The impact of NIS2 on the Nordic business landscape

The Nordic countries are key players in Europe's digital economy, known for their advanced digital infrastructure and strong tech sectors. As these nations become more interconnected, the rise in cyberattacks on critical infrastructure underscores the need for robust, unified cybersecurity policies across the region.

NIS2 presents a valuable opportunity to strengthen the region's resilience against cyber threats and reinforce stability in the Nordic digital economy. Moreover, NIS2 will impact all businesses in Europe — particularly those that serve the European Economic Area (EEA).

As part of the EEA, both EU member states and Nordic non-member states are aligning their national frameworks with NIS2. Sweden's set of new cybersecurity laws is expected to come into effect later in 2025, with other countries following suit. Businesses across the region must adapt to these changes and strengthen their cybersecurity practices to become compliant with the new regime.

NIS2: Broader scope and applicability

The NIS2 directive applies to all businesses operating within the EEA under the sectors listed below — including critical infrastructure providers and public administration bodies. Supply chains and third-party providers must also ensure compliance with NIS2. As a result, the regime has a much broader reach and application than the original NIS framework.

The NIS2 directive also widens the scope of coverage from NIS's original seven sectors to a total of 18 sectors. Sectors are divided into essential and important entities.

Essential entities operate in sectors of high criticality, where a disruption could have a major economic impact. These sectors encompass the following:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Health, including manufacturing of pharmaceuticals and vaccines
  • Drinking water
  • Wastewater
  • Digital infrastructure and related service providers
  • ICT service management
  • Public administration

Important entities encompass other critical sectors, including:

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food
  • Manufacturing of devices, electronics, machinery, vehicles and equipment
  • Digital providers, including social networking platforms, online marketplaces and search engines
  • Research organisations

Understanding which category your business falls into is imperative to determine your compliance obligations.

Key NIS2 requirements: What businesses need to do

To comply with the NIS2 Directive, businesses must meet requirements in four key areas: risk management, corporate accountability, reporting obligations and business continuity.

Enhanced cybersecurity risk management

The new regime expects firms to focus on reducing cyber risks through proactive measures such as building a strong risk framework, strengthening supply chain security, improving network security and enhancing access control via multi-factor authentication and encryption.

24-Hour incident reporting obligations

The Act encourages firms to be ready with efficient processes to quickly report security incidents that could impact their services. In the event of a major data breach affecting availability or confidentiality, firms are expected to report the breach within 24 hours and provide detailed updates within 72 hours to comply with the NIS2 reporting guidelines.

Robust business continuity plan

Organisations are encouraged to create a business continuity plan for major cyber incidents. This includes having a Computer Security Incident Response Team (CSIRT) as a single point of contact, training employees on national preparedness measures, having emergency procedures in place, keeping backups up to date and ensuring access to IT systems during and after an incident.

Union and international co-operation

NIS2 promotes closer coordination with national and international authorities than the previous regime, enabling faster and more coordinated responses to cyber threats across the EU. The directive also mandates a coordinated vulnerability disclosure plan and a European vulnerability database to identify and list past and ongoing vulnerabilities.

Strategic considerations for C-suite executives

The NIS2 Directive emphasises the responsibility of senior leadership in fostering a robust cybersecurity-focused environment, placing the duty of bolstering the organisation's digital resilience squarely on its shoulders.

To get ahead of their enhanced responsibilities, senior leaders are advised to consider:

Proactive involvement in security management

Oversight of cybersecurity measures allows senior managers to demonstrate that they have implemented the necessary controls within their organisation.

Taking a head start on compliance

Organisations within the purview of NIS2 can get out in front of the regime by:

  • Assessing whether they fall under NIS2's scope and identifying the affected units
  • Reviewing and updating security measures and policies to align with NIS2 requirements
  • Implementing new security protocols and incident reporting obligations across the supply chain

Penalties for non-compliance

The NIS2 directive introduces significant fines for non-compliance. Essential entities can face penalties of up to €10 million or 2% of global turnover, whichever is higher, while important entities may incur fines of up to €7 million or 1.4% of global turnover, whichever is higher.

Partnering with Gallagher for a cyber-resilient future

The evolving cybersecurity regulatory landscape can be complex, but NIS2 and related national laws provide a valuable opportunity to enhance your business's cybersecurity strategy. At Gallagher, our expert Cyber Risk Management team is here to simplify the process. We'll help you navigate NIS2 and national requirements, assess your current security posture, uncover any gaps and guide you through every step to ensure seamless compliance and stronger protection for your business. Our services include:

  • Risk assessments
  • Cyber incident response planning
  • Supply chain risk management
  • Regulatory reporting compliance

The NIS2 Directive is more than just a regulatory change; it's a game-changer for the future of Europe's digital economy. For businesses in the Nordic region, staying ahead of NIS2 and national cybersecurity laws isn't just about compliance; it offers a competitive advantage that will enhance your firm's ability to respond to a rich and evolving threat landscape.

Let Gallagher help you navigate the NIS2 transition, keeping your business secure, compliant, resilient and ready for the future.
