Key focus areas for NIS2 compliance

Albin Finne, Director and cyber security specialist at Deloitte, highlights the most important considerations for entities that will be covered by the revised NIS directive – for example companies within the energy, transport or healthcare sectors.

A major milestone was reached on 10 November 2022 when the European Parliament adopted NIS2, ending the legislative process. The regulation was approved by the Council of Ministers and published in the EU Official Journal on 27 December 2022 and thereafter entered into force on 16 January 2023. Swedish entities in scope have until 18 October 2024 to meet the requirements.

The current threat and regulatory landscape pressures organizations to establish capabilities to prepare for and manage a cyber crisis effectively and efficiently. During recent years we have noticed that cyber-attacks targeting critical infrastructure have increased worldwide. Additionally, the conversion to remote work during the pandemic opened new vulnerabilities resulting in an increase in individuals who fell for phishing attacks. With the current geopolitical situation, the threat of cyber-attacks has increased further, especially for entities that provide essential or important services that could be targets in hybrid warfare.

NIS2 has the goal of strengthening organizations’ security posture to address emerging cyber threats, and these changes could lead to a significant impact in the ways of working.

Depending on the maturity of your organization and the current state of the market, we see the below activities as focus areas to protect critical infrastructure and maintain compliance with NIS2:

  • Assess whether your organization is in scope for NIS2
  • Assess current level of compliance with NIS2 requirements by performing a gap assessment
  • Secure funding of cybersecurity
  • Perform a risk assessment related to network and information systems
  • Perform training and awareness of management and staff
  • Streamline incident reporting and enhance incident management procedures
  • Assess security of your supply-chain and establish appropriate third-party risk management procedures
  • Develop or enhance your business continuity and disaster recovery plans

This will result in an enhanced cybersecurity posture of your organization. We believe that with increasing controls from governments and regulators, there is a momentum for companies to pursue their security objectives.

Considerations for covered entities

If you are an organization that provides a service which is essential or important for the maintenance of critical societal and/or economic activities, for example an energy company – you may be classified as an "essential entity" or “important entity” according to NIS2. The following sectors are covered by NIS2 (sectors in light green and dark blue covered already in NIS1):


"With the current geopolitical situation, the threat of cyber-attacks has increased further, especially for entities that provide essential or important services”

- Albin Finne, Director at Deloitte

Sectors that will be regulated

NIS2 puts pressure on your technical and organizational structure and capabilities. The following measures are included in NIS2 Directive:

(a) policies on risk analysis and information system security
(b) incident handling
(c) business continuity, such as backup management and disaster recovery, and crisis management
(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures
(g) basic cyber hygiene practices and cybersecurity training
(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption
(i) human resources security, access control policies and asset management
(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

Furthermore, management bodies will have a crucial and active role in the supervision and implementation of these measures. What could happen if an essential or important entity is non-compliant?

  • Fines up to 10 million EUR or 2% of the total global annual turnover for essential entities
  • Fines up to 7 million EUR or 1.4% of the total global annual turnover for important entities
  • Management liability for infringements to the directive
  • Temporary bans against senior management
  • Temporary suspension of services

What are the next steps?

To effectively manage the evolving cyber risks, your board and senior-level management should define (if not already existing) or enhance your cybersecurity strategy to adapt, evolve and improve your organization’s cyber resilience capabilities. We have identified 3 areas where the key requirements of the NIS2 Directive must be addressed:

Cyber strategy/governance
  • Information security management
  • Awareness and training
  • Cyber risk management and compliance
Detection and response
  • Incident handling
  • Incident reporting
  • Business continuity and crisis management
Infrastructure and application security
  • Infrastructure/network security
  • Secure development practices
  • Identity and access control
  • Third party risk management

Learn more

Why has NIS2 been developed?

Since the start of the COVID-19 pandemic the cybersecurity landscape has evolved rapidly. The European Commission has acknowledged this and proposed a repeal of the EU Network and Information Security directive (NIS Directive) to align and enhance cybersecurity within all member states of the EU. The repeal of the NIS Directive will enter into force 2024 and is expected to impose stronger requirements to a broader scope of actors. The overall purpose of the legislation is to achieve a high common level of cybersecurity across all member states. NIS2 has three general objectives:

  1. Increase level of cyber resilience of a comprehensive set of businesses operating in the European Union across all relevant sectors, which fulfill important and critical functions.
  2. Reduce inconsistencies in resilience across the internal markets in sectors already covered by the directive, by further aligning cybersecurity capabilities.
  3. Improve level of joint situational awareness and the collective capability to prepare and respond by a) taking measures to increase the level of trust between competent authorities by sharing more information; and b) setting rules and procedures in the event of a large-scale incident or crisis.

These are some of the most important changes/additions to NIS2 compared with NIS1:

Hade du nytta av den här informationen?