April 20, 2026 · 8 min · Nordic Defence

NIS2 in practice: The complete 2026 guide for Nordic businesses

NIS2 is now law across the EEA. We cut through the legalese and explain who's covered, the ten core requirements, the deadlines, and six concrete steps to become compliance-ready.

The NIS2 directive (EU 2022/2555) is the most comprehensive cybersecurity regulation the Nordic region has ever had to deal with. Norway implements it through the Digital Security Act. Sweden, Denmark, Finland and Iceland have their equivalent national laws. For thousands of businesses that never thought of themselves as critical infrastructure, this is a new reality.

If you're unsure whether you're covered, or what you actually need to do — you're not alone. This guide cuts through the bureaucracy and gives you a clear picture.

What is NIS2 — and why now?

NIS2 replaces the original 2016 NIS directive. The rationale is simple: NIS1 was too narrow, inconsistently implemented, and cyber threats have exploded. Compared to its predecessor, NIS2 covers more sectors, more companies, sets stricter requirements, and introduces substantial fines for non-compliance.

New for leadership teams: NIS2 imposes personal liability. Board members and CEOs can be held accountable if the organisation lacks adequate cybersecurity.

Are we covered? Size and sector

NIS2 has two tiers: essential and important entities. Both face broadly similar requirements, but with different supervisory intensity.

Essential entities (strictest oversight)

  • Energy (electricity, oil, gas, district heating, hydrogen)
  • Transport (air, rail, maritime, road)
  • Banking and financial market infrastructure
  • Healthcare (hospitals, pharmaceutical manufacturers, laboratories)
  • Drinking water and wastewater
  • Digital infrastructure (cloud, DNS, IXP, data centres)
  • Public administration (central bodies)
  • Space

Important entities

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food production and distribution
  • Manufacturing (medical devices, computing equipment, vehicles, machinery)
  • Digital providers (online marketplaces, search engines, social networks)
  • Research organisations

The ten core requirements

NIS2 Article 21 lists ten minimum requirements every covered entity must meet. These aren't checkboxes — regulators expect documented implementation.

  1. Risk analysis and information security policies — formal, current, board-approved.
  2. Incident handling — defined processes, exercised.
  3. Business continuity and crisis management — including backup and disaster recovery.
  4. Supply chain security — map and contractually secure third parties.
  5. Security in procurement, development and maintenance — secure SDLC, patching.
  6. Policies to assess the effectiveness of security measures.
  7. Basic cyber hygiene and training — phishing awareness, password discipline.
  8. Cryptography and encryption — where and how.
  9. Personnel security, access control, asset management.
  10. Multi-factor authentication and secured communications.

Reporting obligations that will surprise you

The reporting obligation is arguably the strictest part of NIS2. The moment you detect a 'significant incident' — something that has or may have serious operational consequences — the clock starts.

  1. Within 24 hours: Early warning to the supervisory authority with what you know.
  2. Within 72 hours: Updated assessment including attack vector and initial countermeasures.
  3. Within 1 month: Full final report with root cause analysis and closed actions.

Fines, personal liability, and oversight

Essential entities face fines of up to 10 million euros or 2 percent of global annual turnover — whichever is higher. For important entities, the ceiling is 7 million euros or 1.4 percent.

Personal liability is the new element. Board members and CEOs can be temporarily barred from management positions for gross negligence. Cybersecurity is now a board issue — not an IT issue.

Six steps to compliance readiness

  1. Clarify status: Are we covered? Essential or important? Register with the supervisory authority if you haven't already.
  2. Gap analysis: Measure current state against the ten requirements. Be honest — it's cheaper to uncover gaps now than after an attack.
  3. Risk-based prioritisation: Don't try to fix everything at once. What are the most likely attack paths? What would hurt most? Start there.
  4. Build incident response: Define roles, create a contact list, exercise scenarios at least twice a year. The 24-hour window requires that you already know what to do.
  5. Lock down the supply chain: Map critical third parties. Contractually embed security requirements. Request SOC 2 reports or ISO 27001 certificates.
  6. Document everything: Policies, exercises, incidents, actions, decisions. Regulators want evidence — not intentions.

What does this cost, realistically?

For a mid-sized business (100–500 employees) without mature security, first-year investment typically falls between 50,000 and 200,000 euros. This includes gap analysis, policy development, technical controls (MFA, EDR, logging), training, and initial incident response setup.

Ongoing operations: once the programme is established, a common rule of thumb is to spend 1–3 percent of the IT budget on security work.

How Nordic Defence helps

We've been running NIS2 gap assessments for Nordic businesses since the directive was adopted. Our approach is pragmatic: we document what you have, identify what's missing, and prioritise by actual risk — not by what's easiest to tick off.

For organisations lacking internal SOC capacity, we offer SOC-as-a-Service with 24/7 monitoring and incident response within NIS2 deadlines. That makes you reporting-ready from day one.