
NIS2 Compliance Checklist for Swedish and Nordic Companies

24 February 2026, 6 min read

You've heard the buzz about NIS2. You know it affects your company somehow. But when you try to figure out exactly what you need to do, you end up in a maze of EU directive text, national transposition documents, and vendor whitepapers that all seem to recommend buying their product.

Let's cut through that. Here's a practical, actionable checklist for Nordic companies working toward NIS2 compliance. No legal jargon, no sales pitches disguised as guidance. Just the stuff your IT and security team actually needs to figure out.

First: are you even in scope?

NIS2 applies to "essential" and "important" entities in specific sectors. The two main criteria:

Sector. NIS2 covers energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration and space (the high-criticality sectors of Annex I), plus postal and courier services, waste management, chemicals, food production and distribution, manufacturing of certain products (such as medical devices, electronics, machinery and vehicles), digital providers (online marketplaces, search engines, social networks) and research organisations (Annex II).

Size. Generally, medium-sized enterprises in these sectors are in scope: 50 or more employees, or an annual turnover or balance sheet total above 10 million EUR. Large enterprises (250 or more employees, or turnover above 50 million EUR) are definitely in scope.

Some entities are in scope regardless of size. Examples are top-level domain name registries, DNS service providers, trust service providers, providers of public electronic communications networks or services, and entities a Member State has designated as critical.

Nordic specifics:

  • Sweden: Coordinated by MSB (Myndigheten för samhällsskydd och beredskap), with transposition through new legislation, Cybersäkerhetslagen, and supervision by sector-specific authorities.
  • Denmark: Handled through the Centre for Cyber Security (CFCS) and sector-specific authorities.
  • Finland: Traficom leads implementation alongside sector-specific regulators.
  • Norway: While not an EU member, Norway typically adopts EU cybersecurity directives through the EEA agreement.

If you're unsure whether your company is in scope, check with your national authority. It's better to know now than to find out during an incident.

The checklist

Governance and risk management

  • Designate responsibility. Someone at the management level needs to own cybersecurity. NIS2 explicitly puts responsibility on management bodies (boards and C-level executives). This isn't something you can fully delegate to the IT team.
  • Conduct a risk assessment. Identify your critical systems, the threats they face, and the potential impact of a security incident. This doesn't need to be a 200-page document, but it needs to be thorough and documented.
  • Create or update your cybersecurity policy. Based on the risk assessment, define your security policies. These should cover access control, incident response, business continuity, supply chain security, and employee training. Again, practical and followed beats comprehensive and ignored.
  • Establish management accountability. Management must approve cybersecurity measures and can be held personally liable for non-compliance. Make sure your leadership understands this and is engaged, not just signing off on documents they haven't read.

Access control and identity management

  • Implement role-based access control (RBAC). Define who needs access to what, based on their job function. Document these role definitions. Remove the "everyone is admin" approach if it still exists anywhere.
  • Enforce least privilege. Users should only have the access they need to do their job. Review current access levels and cut anything unnecessary. Yes, this includes that developer who has Global Admin "just in case."
  • Automate user provisioning and deprovisioning. When someone joins, they get the right access. When they leave, all access is revoked the same day. Manual processes create gaps, and NIS2 doesn't look kindly on gaps.
  • Enable multi-factor authentication. MFA on all accounts, especially privileged ones. This should already be standard, but if it's not, do it now. Conditional Access in Entra ID makes this straightforward.
  • Conduct regular access reviews. Quarterly at minimum. Managers review their team's access and confirm it's appropriate. Document the results and remediate any findings.
  • Manage privileged accounts separately. Admin accounts should be separate from daily-use accounts. Use just-in-time access where possible. Monitor and log all privileged activity.
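Most of the bullets above reduce to one reconciliation: compare who HR says works here and in what job function against what the directory actually grants. The script below is an added example written for this checklist, not Adcyma's product or Microsoft's tooling. It runs offline on constructed sample data (the role names, the HR roster and the account list are all hypothetical) and flags the classic gaps: a leaver whose account is still enabled, a developer holding Global Administrator outside the approved RBAC matrix, a privileged account without MFA, a service account with no owner in HR, and a stale account. In practice the two inputs would be exported from your HR system and from Entra ID or Active Directory.

```python
"""Offline access-review reconciliation for a NIS2 gap assessment.

Added example for this checklist (not code from Adcyma or Microsoft).
All input data below is constructed for illustration; in practice the HR
roster comes from your HR system and the account export from Entra ID or
Active Directory.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    upn: str                 # login / user principal name
    enabled: bool
    roles: frozenset         # directory roles currently assigned
    mfa_registered: bool
    last_sign_in: date


# Approved RBAC matrix: job function -> roles that function may hold.
# Hypothetical role names, used only for this example.
ROLE_MATRIX = {
    "developer": frozenset({"Application Developer"}),
    "helpdesk": frozenset({"Helpdesk Administrator", "Password Administrator"}),
    "it-admin": frozenset({"Global Administrator", "Exchange Administrator"}),
    "finance": frozenset(),
}

# Roles that count as privileged for the "admin without MFA" check.
PRIVILEGED_ROLES = frozenset({
    "Global Administrator", "Exchange Administrator",
    "Helpdesk Administrator", "Password Administrator",
})

# Constructed HR roster: upn -> (job function, leaving date or None if active).
HR_ROSTER = {
    "anna@example.com": ("developer", None),
    "erik@example.com": ("helpdesk", None),
    "maja@example.com": ("it-admin", None),
    "olle@example.com": ("finance", date(2026, 1, 31)),  # left the company
}

# Constructed directory export (what you would pull from Entra ID / AD).
ACCOUNTS = [
    Account("anna@example.com", True, frozenset({"Application Developer", "Global Administrator"}), True, date(2026, 2, 20)),
    Account("erik@example.com", True, frozenset({"Helpdesk Administrator"}), False, date(2026, 2, 23)),
    Account("maja@example.com", True, frozenset({"Global Administrator"}), True, date(2026, 2, 24)),
    Account("olle@example.com", True, frozenset(), True, date(2026, 1, 29)),
    Account("svc-backup@example.com", True, frozenset({"Exchange Administrator"}), False, date(2025, 10, 1)),
]

# Date the review is run (fixed so the example is reproducible).
REVIEW_DATE = date(2026, 2, 24)


def review(accounts, roster, today, stale_days=90):
    """Return (upn, finding_code, detail) tuples for every gap found.

    The checks map to the checklist items: leavers still enabled
    (deprovisioning), roles outside the approved matrix (RBAC / least
    privilege), privileged accounts without MFA, accounts with no HR owner,
    and accounts that have not signed in for more than stale_days.
    """
    findings = []
    for acct in accounts:
        entry = roster.get(acct.upn)
        function, left_on = entry if entry else (None, None)

        if entry is None:
            findings.append((acct.upn, "no-owner", "not in HR roster; confirm who owns this account"))

        if acct.enabled and left_on is not None and left_on <= today:
            findings.append((acct.upn, "leaver-enabled", f"left on {left_on.isoformat()} but still enabled"))

        # Least privilege: any role the job function is not approved for.
        allowed = ROLE_MATRIX.get(function, frozenset())
        for role in sorted(acct.roles - allowed):
            findings.append((acct.upn, "role-not-approved",
                             f"holds {role}, not approved for {function or 'unknown function'}"))

        if acct.roles & PRIVILEGED_ROLES and not acct.mfa_registered:
            findings.append((acct.upn, "privileged-no-mfa", "privileged role without MFA registration"))

        if acct.enabled and (today - acct.last_sign_in).days > stale_days:
            findings.append((acct.upn, "stale", f"no sign-in for more than {stale_days} days"))
    return findings


if __name__ == "__main__":
    for upn, code, detail in review(ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print(f"{code:<20} {upn:<26} {detail}")
```

Run it and you get seven findings across four accounts; only the it-admin whose role matches the matrix comes out clean. The output is the list a manager signs off on in the quarterly review, and the `leaver-enabled` and `no-owner` codes are the ones that should feed straight into a deprovisioning ticket rather than wait for the next cycle.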

Incident handling

  • Build an incident response plan. Define what constitutes a security incident, who handles it, what steps to follow, and how to communicate internally and externally.
  • Set up your reporting chain. NIS2 requires an early warning to your national CSIRT (or competent authority) within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month of that notification, plus an intermediate status update if the CSIRT asks for one. Know who to contact and how, and keep the contact details somewhere that survives your own systems being down.
  • Test your incident response. Run tabletop exercises at least annually. Walk through scenarios. Find the gaps in your plan before a real incident finds them for you.
  • Implement monitoring and detection. You can't report what you don't detect. Set up logging for critical systems, configure alerts for suspicious activity, and make sure someone is actually watching.

Business continuity

  • Document your business continuity plan. What happens when your primary systems go down? How do you keep operating? How quickly can you recover?
  • Implement and test backups. Regular backups of critical data and systems. Test restores periodically. An untested backup is not a backup.
  • Plan for crisis management. Who makes decisions during a major incident? How do you communicate with employees, customers, and regulators?

Supply chain security

  • Assess your suppliers' security. NIS2 puts emphasis on supply chain risk. Know who your critical suppliers are, what access they have to your systems, and what their security posture looks like.
  • Include security requirements in contracts. When you procure ICT services, include cybersecurity requirements in the agreements. This covers cloud providers, managed service providers, and any vendor with access to your data or systems.
  • Monitor third-party access. External accounts and service accounts should be subject to the same access controls as your internal users. Review them regularly.

Training and awareness

  • Train your employees. NIS2 specifically requires cybersecurity awareness training. Cover the basics: phishing, password hygiene, reporting suspicious activity. Annual training at minimum, with more targeted training for high-risk roles.
  • Train your management. Management needs to understand cybersecurity risks and their responsibilities under NIS2. This is separate from general employee training.

Documentation and evidence

  • Maintain audit logs. Log access events, security incidents, configuration changes, and administrative actions. Retain logs according to your retention policy (and regulatory requirements).
  • Document your compliance measures. For each NIS2 requirement, document what you've implemented, when, and how. This is your evidence base for regulators.
  • Plan for regulatory audits. National authorities can conduct audits. Be prepared to demonstrate your compliance measures with evidence, not just assertions.

Penalties for getting it wrong

NIS2 includes significant financial penalties:

  • Essential entities: Up to 10 million EUR or 2% of global annual turnover, whichever is higher
  • Important entities: Up to 7 million EUR or 1.4% of global annual turnover, whichever is higher

Plus personal liability for management. The days of cybersecurity being "just an IT problem" are over.

Where to start if you're behind

Don't try to tackle everything at once. Prioritize:

  1. Determine if you're in scope (week 1).
  2. Assign management responsibility (week 1).
  3. Run a gap assessment against this checklist (weeks 2 to 3).
  4. Fix access control first because it's both high-impact and achievable quickly (weeks 3 to 6).
  5. Build incident response capability (weeks 4 to 8).
  6. Address remaining gaps in order of risk (ongoing).

The identity and access management piece is often the fastest win. Automating provisioning, deprovisioning, and access reviews closes a large number of compliance gaps in a relatively short time.

If this sounds like your situation, Adcyma is free for up to 25 users. For larger teams, you can start a free 14-day trial. No credit card, no consultants.

Try Adcyma for free, no credit card needed

Set up identity governance for your Entra ID or Active Directory environment in less than a day.