IGA glossary

NIS2 Directive (NIS2)

The NIS2 Directive is a European Union cybersecurity regulation that sets stricter security and incident reporting requirements for organizations in essential and important sectors. It expands on the original NIS Directive and requires covered organizations to implement proper risk management measures, including identity and access controls.

What is the NIS2 Directive?

NIS2 (Network and Information Security Directive 2) is the EU's updated cybersecurity law. It replaces the original NIS Directive from 2016, which was the EU's first attempt at creating a common cybersecurity framework across member states.

The original directive had problems. It applied to a narrow set of organizations, enforcement varied wildly between countries, and too many companies fell through the cracks. NIS2 addresses all of this by casting a much wider net and standardizing requirements across the EU.

NIS2 was adopted by the European Parliament in November 2022. EU member states were required to transpose it into national law by October 2024. For organizations in scope, this is current regulation, not something on the horizon.

Who does NIS2 apply to?

NIS2 divides affected organizations into two categories.

Essential entities include organizations in sectors like energy, transport, banking, healthcare, water supply, digital infrastructure, and public administration. These face the strictest requirements and most active supervision.

Important entities include organizations in sectors like postal services, waste management, manufacturing, food production, chemicals, and digital providers (including SaaS companies, online marketplaces, and search engines).

The key change from the original directive is the size threshold. Generally, NIS2 applies to medium-sized and large organizations in these sectors — companies with at least 50 employees or an annual turnover above 10 million euros. Some critical organizations are covered regardless of size.

For Swedish and Nordic companies, this means many mid-sized businesses that never dealt with EU cybersecurity regulation before are now in scope.

What does NIS2 require?

NIS2 mandates that covered organizations implement "appropriate and proportionate" technical, operational, and organizational measures to manage cybersecurity risks. Article 21 lists specific areas that must be addressed: risk analysis and security policies, incident handling and reporting, business continuity and crisis management, supply chain security, security in system acquisition and development, policies to assess the effectiveness of cybersecurity measures, basic cyber hygiene and cybersecurity training, policies on cryptography and encryption, human resources security, access control policies and asset management, and use of multi-factor authentication and secured communication systems.

That second-to-last point is directly relevant to identity governance. NIS2 explicitly requires access control policies and human resources security measures. You need to demonstrate that you control who has access to your systems and that you manage that access throughout the employee lifecycle.

What are the penalties for non-compliance?

NIS2 introduced significant financial penalties. Essential entities face fines up to 10 million euros or 2% of global annual turnover, whichever is higher. Important entities face fines up to 7 million euros or 1.4% of global annual turnover, whichever is higher.

Beyond fines, NIS2 introduces personal accountability for management. Senior leadership can be held personally liable for failing to ensure compliance. Cybersecurity is no longer just an IT problem — it is a board-level responsibility.

How does NIS2 affect identity and access management?

NIS2 does not prescribe specific tools or technologies. It requires organizations to implement proper access control measures proportionate to their risk. In practice, this means several things.

You need documented access control policies that define how access is granted, modified, and revoked. You need to manage the user lifecycle — when people join, move between roles, or leave, their access must be updated accordingly. Stale accounts and accumulated permissions are exactly the kind of risk NIS2 wants you to manage. You need regular access reviews to verify that users still need the access they have. The directive explicitly mentions multi-factor authentication as an expected measure. And you need audit trails so that when a regulator asks who had access to a specific system six months ago, you can answer that question.
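The paragraph above lists what an auditor will ask for: lifecycle drift (joiners, movers, leavers), stale accounts, MFA coverage, and a "who had access on date X" answer from the audit trail. The following is an added example, not code from the page or from Adcyma, showing how those checks look when run over a small identity export. The user records, role model, grant/revoke log, field names and the 90-day staleness threshold are all constructed assumptions for illustration.

```python
"""Added example (not from the original page): a minimal joiner/mover/leaver
and access-review check of the kind NIS2's access-control clause expects an
organization to evidence. Every record below is constructed; the role model,
field names and thresholds are assumptions, not anything the page specifies."""
from datetime import date

# Constructed role model: the entitlements each job role is expected to carry.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-read", "expense-approve"},
    "scada-operator": {"scada-hmi", "plant-vpn"},
    "developer": {"git-write", "ci-runner"},
}

# Constructed identity records, shaped like a joined HR + directory export.
USERS = [
    {"id": "u1", "role": "finance-analyst", "status": "active", "mfa": True,
     "entitlements": {"erp-read", "expense-approve"}, "last_login": date(2025, 5, 20)},
    # Mover: changed from developer to finance but kept git-write.
    {"id": "u2", "role": "finance-analyst", "status": "active", "mfa": True,
     "entitlements": {"erp-read", "git-write"}, "last_login": date(2025, 5, 18)},
    # Leaver: HR marks the person terminated, but the account still holds access.
    {"id": "u3", "role": "scada-operator", "status": "terminated", "mfa": False,
     "entitlements": {"scada-hmi", "plant-vpn"}, "last_login": date(2025, 1, 3)},
    # Stale: active and correctly entitled, but no sign-in for months.
    {"id": "u4", "role": "developer", "status": "active", "mfa": True,
     "entitlements": {"git-write", "ci-runner"}, "last_login": date(2024, 11, 1)},
]

# Constructed grant/revoke audit trail: (date, user id, entitlement, action).
AUDIT_LOG = [
    (date(2024, 3, 1), "u5", "scada-hmi", "grant"),    # u5: a former contractor
    (date(2024, 6, 15), "u3", "scada-hmi", "grant"),
    (date(2024, 6, 15), "u3", "plant-vpn", "grant"),
    (date(2024, 9, 1), "u2", "git-write", "grant"),
    (date(2024, 9, 1), "u2", "ci-runner", "grant"),
    (date(2024, 12, 15), "u5", "scada-hmi", "revoke"),
    (date(2025, 2, 1), "u2", "erp-read", "grant"),
    (date(2025, 2, 1), "u2", "ci-runner", "revoke"),
]

REVIEW_DATE = date(2025, 6, 1)  # constructed "today" for the review run


def review_access(users, today, stale_after_days=90):
    """Return (user id, finding, details) tuples for an access review.

    Checks, in order: leavers that still hold access, entitlements beyond the
    user's role (mover drift), accounts unused for longer than the threshold,
    and accounts without MFA enrolled.
    """
    findings = []
    for u in users:
        expected = ROLE_ENTITLEMENTS.get(u["role"], set())
        if u["status"] != "active" and u["entitlements"]:
            findings.append((u["id"], "leaver-with-access", sorted(u["entitlements"])))
            continue  # everything else is moot until the account is disabled
        extra = u["entitlements"] - expected
        if extra:
            findings.append((u["id"], "excess-entitlement", sorted(extra)))
        if (today - u["last_login"]).days > stale_after_days:
            findings.append((u["id"], "stale-account", []))
        if not u["mfa"]:
            findings.append((u["id"], "mfa-not-enrolled", []))
    return findings


def access_as_of(audit_log, entitlement, as_of):
    """Replay grants and revokes to answer 'who held <entitlement> on <as_of>?'"""
    holders = set()
    for when, user, ent, action in sorted(audit_log):
        if ent != entitlement or when > as_of:
            continue
        if action == "grant":
            holders.add(user)
        elif action == "revoke":
            holders.discard(user)
    return sorted(holders)


if __name__ == "__main__":
    for finding in review_access(USERS, REVIEW_DATE):
        print(finding)
    # The regulator's question from the text: who had SCADA HMI access six months ago?
    print(access_as_of(AUDIT_LOG, "scada-hmi", date(2024, 12, 1)))
```

The review function deliberately reports a terminated user with remaining access before anything else, because disabling that account is the fix that makes the other findings irrelevant. The replay function works only if the audit log is append-only and complete; if revocations are ever applied directly in the target system without a log entry, the "as of" answer will be wrong, which is why the evidence trail has to be a by-product of the provisioning process rather than a separate spreadsheet.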

NIS2 in Sweden and the Nordics

Sweden is transposing NIS2 into national law through updates to existing cybersecurity legislation. The Swedish Civil Contingencies Agency (MSB) is the coordinating body for NIS implementation.

For Swedish companies: if you were already covered by the original NIS directive, expect stricter requirements. If you are a mid-sized company in one of the covered sectors, you may be in scope for the first time. Swedish companies that provide services across the EU should also be aware that other member states may have slightly different national implementations, though the core requirements are harmonized.

Nordic companies often have an advantage here because the region already has a strong culture of compliance and data protection. Many of the practices NIS2 requires overlap with what well-run Nordic organizations are already doing.

How identity governance helps with NIS2 compliance

Meeting NIS2's access control requirements manually is possible at small scale, but it quickly becomes impractical as your organization grows. Spreadsheets and manual reviews do not scale, and they leave gaps that auditors and regulators will notice.

Adcyma helps organizations meet NIS2's identity-related requirements by automating the governance processes the directive demands. Automated provisioning and deprovisioning ensure that user lifecycle management is consistent. Scheduled access reviews provide the regular certification that regulators expect. And detailed audit logs give you the evidence trail you need when compliance questions arise.

For mid-sized Nordic companies newly in scope for NIS2, this kind of tooling can be the difference between a manageable compliance effort and a painful scramble.


Put these concepts into practice

Adcyma makes identity governance simple for companies that use Microsoft Entra ID.