NIS2 – What It Is and How It Affects Your Organization

What is NIS2 and why is it introduced?

NIS2 is the EU’s updated directive on network and information security, aimed at raising the common level of cybersecurity across the Union. It replaces the first NIS directive (adopted in 2016 and implemented in Swedish law in 2018) and comes with stricter and more uniform requirements. The EU introduced NIS2 because the original directive was no longer considered sufficient: it was transposed unevenly across member states, left too many organizations outside its scope, and did not keep pace with today’s threat landscape or society’s growing dependence on digital systems. In short, there was a need for stronger and more harmonized regulation to protect critical infrastructure and services against increasingly sophisticated attacks.

Impact in Sweden

For Sweden, NIS2 means a major change. The number of sectors covered increases from seven to eighteen, and for the first time includes public administration (national and regional authorities). The scope of private sectors also expands: in addition to energy, transport, banking, healthcare and digital infrastructure, NIS2 covers food supply, manufacturing industry, chemicals, digital service providers, postal and courier services, waste management, and research.

In practice, a large number of companies in these industries will be affected, provided they are medium-sized or larger (at least 50 employees, or an annual turnover or balance sheet above €10 million) – and in some cases even smaller actors if they perform critical societal functions or are the sole provider of a service in a member state. Overall, the number of affected Swedish organizations is expected to increase dramatically – from about 900 today to an estimated 6,000–8,000 when NIS2 takes effect.

To implement the directive, a new Swedish Cybersecurity Act is being prepared, alongside the implementation of the related CER directive on the resilience of critical entities. A government inquiry (SOU 2024:18) has proposed how the law should be designed, and the government plans to present a bill in 2025. According to the current timeline, the law is expected to enter into force around the turn of 2025/2026, with a transition period for organizations to register and comply.

Supervision and sanctions

All affected organizations must register with their supervisory authority once the law comes into force. Each sector will have one or more designated supervisory authorities that monitor compliance and issue regulations. MSB (the Swedish Civil Contingencies Agency) will have a coordinating role nationally and also serve as the national contact point to the EU. Private companies risk significant fines for shortcomings – up to €10 million or 2% of global annual turnover, whichever is higher, for “essential” entities, and up to €7 million or 1.4% for “important” entities. Public organizations are subject to the same requirements and supervision but are not subject to financial penalties.

Requirements on IT security, incident reporting, supply chains, and documentation

NIS2 introduces stricter requirements in several areas:

  • Strengthened IT security and risk management: Regular risk assessments, incident handling, business continuity and backup management, multi-factor authentication, encryption, and security in procurement and development. Management bodies must approve the measures, oversee their implementation, and can be held personally accountable for breaches.
  • Mandatory incident reporting: For incidents classified as significant, an early warning within 24 hours of becoming aware of the incident, an incident notification with an initial assessment of severity and impact within 72 hours, and a final report within one month. The supervisory authority may also request intermediate status updates.
  • Supply chain security: Organizations must assess and monitor risks in their supply chains, including the security practices of their direct suppliers and service providers, and ensure through contracts and follow-up that providers meet appropriate cybersecurity standards.
  • Documentation and traceability: Policies, processes, and technical measures must be documented and traceable so that compliance can be demonstrated during inspections, and so that incident timelines can be reconstructed when reports are prepared.

How VisionFlow helps organizations comply with NIS2

Complying with NIS2 can feel challenging, but modern tools make the job easier. VisionFlow can support your NIS2 work in several ways:

  • Incident handling and traceability: Full logging, categorization and follow-up of incidents, with timestamps that make it possible to show when an incident was detected and when each report was submitted. Simple reporting options, including for regulatory reporting.
  • Documentation and knowledge sharing: Collect policies, procedures and guides in a central knowledge base with controlled access and version history.
  • Assets, suppliers, and continuity: Manage IT assets in a CMDB, link cases to supplier contracts and ensure SLA follow-up, so that supply chain risks can be tracked per provider.
  • Swedish provider: VisionFlow is hosted in Sweden, under Swedish and European legislation – reassuring for organizations with high compliance requirements.

Professional and systematic management of IT security is the key to meeting NIS2. With VisionFlow, you gain both overview and control. Following the applicable security rules shouldn’t be hard!