På Svenska
Hero image

NIS2 directive

NIS2 directive

Increased demands on vital societal functions

The NIS Directive entered into force in August 2018, with the aim of establishing and maintaining a high level of security in critical infrastructure and information systems throughout the EU. As a result of increased digitalization and the threats it entails, the European Commission has chosen to present a revised proposal, called NIS2. The new proposal entered into force in December 2020, and involves, among other things, increased requirements for risk and incident management, reporting and continuous security testing. In addition to that, more sectors are also covered by the regulation, as well as suppliers and subcontractors.

Content image

Affected businesses

The original NIS Directive covers sectors within two categories; providers of vital societal functions and providers of digital services. The category of vital societal functions includes seven sectors; energy, transport, banking, financial market infrastructure, healthcare, supply and distribution of drinking water and digital infrastructure. The category of providers of digital services includes actors that provide internet-based marketplaces, internet-based search engines or cloud services.

Content image

More sectors are covered when NIS becomes NIS2

When the NIS directive is now replaced by NIS2, additional sectors will be covered by the regulation. A further change is that the sectors are now classified as either "substantial entities" or "important entities".

The sectors that have now been added are;
- Sewage management
- Waste management
- District heating or district cooling, hydrogen gas
- Food
- Public Administration
- The manufacturing industry
- Postal operations
- Space operations


Security requirements of NIS2

Risk assessment

Affected businesses must assess security risks associated with their services and implement appropriate measures to manage them.

Incident management

Affected businesses must have a plan for how potential cyber security incidents will be handled and how services can be restored as quickly as possible.

Security measures

Affected businesses must take appropriate technical and organizational measures to ensure the security of their networks and information systems, for example through security testing.

Incident reporting

Affected businesses must report serious security incidents to the national cybersecurity authority as quickly as possible.

Supplier security

Affected businesses must ensure security in the entire supply chain by managing security aspects in the relationship between the business and its suppliers and service providers.


Affected businesses must cooperate with national cybersecurity authorities and other service providers to manage incidents and share information about threats and vulnerabilities.

Content image

Consequences in case of violation

The NIS2 directive was approved in December 2022, and the member states of the European Union (EU) then have 21 months, i.e. until October 2024, to incorporate the directive into national legislation. If affected actors subsequently do not comply with the requirements of NIS2, it can result in sanctions of up to EUR 10 million or 2 % of the total global annual turnover. These sanctions can range from fines and warnings to business bans and other legal sanctions. Even non-reporting of serious security incidents can lead to penalties and sanctions.

Contact us

We offer several contact routes and provide feedback as soon as possible. If you have sensitive information, we ask you to use the encrypted method.