Knightec and NIS2
A Brief History of NIS2
Why NIS2 Matters
Which entities are in the scope of NIS2
Essential entities (sectors of high criticality, NIS2 Annex I):
- Transportation
- Finance
- Energy
- Water
- Healthcare
- Space
- Public Administration / Governance
- Digital Infrastructure
Important entities (other critical sectors, NIS2 Annex II):
- Food Production
- Digital Services
- Chemicals
- Postal Services
- Waste Management
- Research
- Manufacturing
What are the key requirements for compliance?
NIS2 requires in-scope entities to take appropriate and proportionate technical, operational and organizational measures to manage the risks to the network and information systems they use. At a minimum this means: a documented risk analysis and information system security policy; incident handling, so that security incidents are detected, handled and reported in a controlled way; supply chain security, covering the security of relationships with direct suppliers and service providers rather than only the organization's own systems; network and system security, including secure acquisition, development and maintenance; access control, so that user access to systems and data is limited to what is needed; and protection of sensitive information through policies on cryptography and, where appropriate, encryption. Basic cyber hygiene, staff training and the use of multi-factor authentication are also explicitly listed in the directive.
Corporate Accountability
Management bodies must approve the organization's cybersecurity risk-management measures, oversee their implementation, and themselves undergo cybersecurity training so that they can identify risks and assess the measures taken. They are expected to act proactively rather than delegate cyber risk entirely to IT. Non-compliance can result in personal liability for members of the management body and, for essential entities, a temporary prohibition on natural persons at CEO or legal-representative level from exercising managerial functions. This makes cybersecurity a board-level responsibility rather than a purely technical one.
Reporting Obligations
When an in-scope organization becomes aware of a significant incident (one that causes or can cause severe operational disruption or financial loss, or affects other persons through considerable material or non-material damage), NIS2 sets a staged reporting timeline towards the national CSIRT or competent authority. Within 24 hours of becoming aware of the incident, an early warning must be submitted, indicating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact. Within 72 hours, an incident notification must follow, updating the early warning with an initial assessment of the incident's severity and impact and, where available, indicators of compromise. The CSIRT or authority may request intermediate status updates in the meantime. Finally, no later than one month after the incident notification, a final report must be submitted with a detailed description of the incident, its severity and impact, the type of threat or root cause likely to have triggered it, the mitigation measures applied and ongoing, and any cross-border impact. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled.
Business Continuity
Because NIS2 explicitly lists business continuity among the required risk-management measures, in-scope entities must have a plan for continuing to deliver their services during and after a major security incident. The plan should cover, for instance, backup management and disaster recovery, the formation and mandate of a crisis team, emergency communication and escalation procedures, and the order in which systems are restored.
Swedish Legislation and Supervisory Authorities
In Sweden, the NIS2 directive has been incorporated into the Cybersecurity Act (cybersäkerhetslagen). The legislative process is nearing completion, with the Act expected to take effect on January 1, 2025.
Supervision and Fines
Important entities are subject to reactive (ex post) supervision: authorities act when they receive evidence or indications of non-compliance. Essential entities, in contrast, are subject to proactive (ex ante) supervision, under which regulators may carry out regular audits, on-site inspections and security scans without waiting for an incident. For non-compliance, essential entities face administrative fines of up to 10M€ or 2% of total worldwide annual turnover, whichever is higher; for important entities the ceiling is 30% lower, at 7M€ or 1.4% of worldwide annual turnover, whichever is higher.
NIS2 Compliance Checklist
The NIS2 Directive (Network and Information Security 2) is an updated EU directive intended to raise the level of cybersecurity across critical sectors. It replaces the original NIS Directive and widens its scope to additional sectors such as public administration, space, postal and courier services, waste management, food production and distribution, and manufacturing, while mandating stricter and more harmonized security measures. Covered organizations are required to adopt comprehensive risk management, incident reporting, and governance practices. Non-compliance can lead to substantial fines of up to €10 million or 2% of global annual turnover, whichever is higher, which underscores the importance of NIS2 compliance in reducing legal, financial, and reputational risk.
Important dates
• By early summer 2025: Member states must implement and publish necessary compliance measures for NIS2.
• By late summer 2025: Organizations must submit requested information to supervisory authorities.
If your organization falls under NIS2’s scope, compliance is not optional but a legal requirement. Implementing necessary measures will enhance cybersecurity, operational resilience, and regulatory trust.
Assessing your organization’s NIS2 scope. Is your organization classified as an essential entity?
Essential Entity: Yes / No
• Includes sectors such as Energy, Transport, Banking, Financial Market Infrastructure, Health, Drinking Water, Waste Water, Digital Infrastructure, ICT Service Management, Public Administration, and Space.
• Size criterion: essential entities are, as a rule, large enterprises in these sectors, meaning 250 or more employees, or an annual turnover above €50 million together with a balance sheet total above €43 million.
Important Entity: Yes / No
• Includes sectors such as Postal and Courier Services, Waste Management, Chemical Production, Food Production and Distribution, Manufacturing, Digital Providers, and Research.
• Size criterion: important entities are, as a rule, medium-sized enterprises in these sectors (and in the Annex I sectors listed above), meaning 50 or more employees, or an annual turnover or balance sheet total above €10 million.
Size is not the only test. Regardless of size, certain entities fall in scope anyway, for example providers of public electronic communications networks, trust service providers, TLD name registries and DNS service providers, public administration entities, and an organization that is the sole provider in a Member State of a service essential for critical societal or economic activities. Such organizations may be classified as essential or important entities even if they are below the thresholds above.
Compliance steps and services we offer at Knightec
If classified as an essential or important entity, your organization is required to implement specific controls to meet NIS2 compliance.
1. Determine Compliance Gaps: Knightec can conduct a gap analysis to assess your current compliance with NIS2.
2. Develop an Implementation Plan: We assist in formulating a clear strategy to address any missing requirements.
3. Implement Risk Management and Compliance Measures: This includes evaluating risks, improving incident response, securing supply chains, and training staff.
4. Key security measures include:
• Risk Analysis and System Security Processes
• Incident Handling and Crisis Management
• Supply Chain Risk Management
• Cybersecurity Training and Cyber Hygiene Practices
• Data Security (e.g., cryptography and encryption)
• Network Security and Business Continuity
• Authentication and Identification Enhancements
Significant incidents must be reported to the national CSIRT or competent authority (in Sweden, CERT-SE at MSB is the national CSIRT), starting with an early warning within 24 hours of becoming aware of the incident and following the 72-hour and one-month stages described under Reporting Obligations above. Intermediate status updates are provided when the authority requests them.
Contact Us
To ensure your organization meets NIS2 requirements, contact us at Knightec: patrik.malmenklev@knightec.se. Let us help you achieve compliance and safeguard your operations.
Act Now!
The first step is a scope analysis: determine whether your organization operates in an Annex I or Annex II sector, whether it meets the size thresholds or falls in scope regardless of size, and hence whether it is an essential or an important entity. Knightec is ready to accompany you on this journey. Contact us and talk to one of our subject experts to learn more.
Contact us
Evi Gerogiannakis
evi.gerogiannakis@knightec.se
+46 73-442 71 63
Mattias Abelsson
mattias.abelsson@knightec.se
+46 76-106 00 89
Patrik Malmenklev
patrik.malmenklev@knightec.se
+46 72-406 97 90