The NIS2 directive is an update of the previous NIS directive (Network and Information Security), adopted by the EU in December 2022. The purpose of NIS2 is to raise the common level of cybersecurity across the EU. The directive imposes stricter requirements on how organizations should work with information security, especially regarding risk assessments, incident reporting, and management's responsibility in security work.
Unlike the previous directive, NIS2 covers significantly more sectors and activities. This means that more actors must comply with the rules, which in turn strengthens the common protection against cyber threats within the EU. The directive is particularly important at a time when digital services and critical infrastructure are increasingly dependent on robust and secure networks and information systems.
Those covered by NIS2 are referred to as operators, and these are found in 18 different sectors. Examples of sectors include:
Energy
Transport
Banking and finance
Healthcare
Digital infrastructure
Public administration
Manufacture of critical products
Both public and private actors can be covered, depending on their size and importance to society. It is not only large companies that are affected – even medium-sized companies and some smaller actors may be covered if they provide essential services.
For the organizations affected by NIS2, it means, among other things:
Requirement to conduct regular risk assessments.
Implement technical and organizational security measures.
Report incidents within 24 hours.
Clear responsibility of the management for cybersecurity work.
Possibility of sanctions for non-compliance.
In Sweden, NIS2 is expected to be implemented through a new cybersecurity law that will come into force on January 15, 2026. The government has recently presented a legislative proposal on how the directive should be implemented nationally.
We at Defensify specialize in OT security and have extensive experience in helping customers meet the requirements of NIS and now also NIS2.