We see NIS2 as more than just a regulatory requirement; it’s an opportunity to build resilience and strengthen security in the face of rising cyber threats.

Here’s some guidance on how our organization can approach NIS2 compliance, understand the regulations and supervisory authorities' directions, and turn it into a strength.

‍Key Aspects of NIS2 Compliance‍

NIS2 sets the minimum requirements for essential and critical entities' cybersecurity measures to minimize the impact of incidents. In the directive, clear “conditions to operate” are defined in today’s risk management landscape. Here’s a summary of the directive’s key aspects and 7th November 2024 implementation regulations:

For many organizations, NIS2 compliance is essential to operate in the European market. It’s more than a regulatory box to tick—it’s a significant shift in how businesses must approach their risk-based cybersecurity measures and incident response.

NIS2 Compliance Requirements and Potential Penalties in 2025

Supervisory Authorities has weaponized their sanction and injunction measures since October 2024 supervisory guidance. Failing to comply with NIS2 exposes companies to potential severe penalties under Articles 21 and 23, which put the onus on top management and boards to ensure adequate cybersecurity measures are in place. These measures aren’t just about ticking boxes; they’re about proving to regulators, stakeholders, and customers that your organization takes cybersecurity seriously.‍

• ‍Article 21: Cybersecurity Risk Management Measures: Top management is directly responsible for implementing appropriate technical, operational, and organizational measures.
• ‍Article 23: Incident Reporting Obligations: Firms are obligated to report significant incidents. Non-compliance can lead to sanctions, financial penalties, and legal injunctions.

Without proper preparation, companies face more than just fines. The operational, financial, and reputational impact of non-compliance could create long-lasting consequences.

The Risk-Based Approach to NIS2 Compliance‍

One of the defining features of NIS2 is a risk-based and all hazards-based approach. This means cybersecurity measures must align with your organization’s unique risk profile. Instead of imposing a one-size-fits-all model, NIS2 allows you to allocate resources where they’re most needed. This is meant to maximize both efficiency and security efforts.

What does this mean for you?

1. Identify and Prioritize Risks: Map out your critical processes and assets to understand where your vulnerabilities lie.
2. Proportionate Measures: Allocate cybersecurity resources based on the level of risk associated with each area.
3. Document and Defend: Keep records of actions taken and provide clear, documented reasons for any measures you choose to exclude from the directive and implementation guidance.

NIS2 emphasizes, “maintain sufficient documentation to demonstrate compliance.” The documentation isn’t just for regulatory purposes; it builds a defensible, transparent position that can stand up to scrutiny.

How to Prepare for NIS2 Compliance‍

‍We recommend the below basic steps to help you get NIS2-ready:‍

• Map Critical Processes and Assets: Identify dependencies and risks specific to your organization.
• Risk Assessment: Evaluate threats and vulnerabilities in key areas.
• Implement Proportionate Measures: Apply cybersecurity controls aligned with the assessed level of risk.
• Document Decisions: Justify exclusions with a defensible, documented rationale approved by top management.

This isn’t just a checklist; it’s fundamental for starting to build resilience into your operations. With compliance structured around best practices, international standards, and well-documented rationale, your organization is not only meeting regulatory requirements, but also building the foundation for long-term resilience.

ISO, IEC, and ENISA Standards for NIS2 Compliance

‍One of the most efficient ways to align with NIS2 is by following recognized frameworks and standards (some are actually expected by supervisory authorities), such as ISO 27000, IEC/ISA, and ENISA’s guidelines. These standards provide a structured approach to cybersecurity, resilience, and incident management, helping organizations meet NIS2’s compliance requirements. Below is an overview of these standards, organized by focus and relevance to NIS2.

Using these standards as your compliance framework ensures that your organization meets industry best practices while tailoring your approach to specific operational risks. Standards like ISO and IEC not only help structure your cybersecurity measures but also provide recognized benchmarks for audits and regulatory inspections.

Leveraging ENISA’s Guidance for NIS2 Compliance

The European Union Agency for Cybersecurity (ENISA) offers a crucial resource for organizations preparing for NIS2: the Implementation Guidance. This guidance breaks down NIS2’s technical requirements into actionable steps which can guide your pathway for compliance.

What’s in the ENISA Guidance?

• Practical steps for aligning with NIS2 and expected evidence for compliance.
• Best practices for implementing risk management measures.
• Structured approaches to defining and handling significant incidents.
• Documentation guidelines to ensure compliance readiness.

Our Recommendation: Use ENISA’s guidance as the backbone of your compliance strategy. Treat it as a checklist for your documentation, compliance processes, and cybersecurity & risk measures.

Documentation Essentials for NIS2 Compliance: What to Document (and What Not to)

‍NIS2 mandates not only the implementation of cybersecurity measures, but also a robust documentation strategy. This means maintaining clear records of your risk management processes, cybersecurity measures, and incident reporting protocols — and justifying any exclusions.

A strong documentation strategy doesn’t just satisfy regulatory requirements; it positions your organization as audit-ready and demonstrates a proactive, defensible approach to cybersecurity, approved by top management. Well-maintained records will be invaluable during an audit, providing transparency and supporting your risk-based decisions.

Key Steps for NIS2 Readiness & Compliance‍

‍To support Danish companies in preparing for NIS2, we recommend these immediate actions:‍

• Self-Register: Register your organization per Danish CVR protocols, unless covered by the CER Directive.
• Engage Leadership: Assign roles for compliance oversight. Top management and boards are ultimately responsible.
• Conduct a Risk Assessment: Map critical processes, evaluate threats, and prioritize cybersecurity measures accordingly.
• Leverage ENISA’s Guidance: Use it to guide your compliance strategy and documentation processes.

Conclusion: From Compliance to Resilience‍

‍NIS2 isn’t just another regulatory requirement; it’s a roadmap to resilience in a world of increasing cyber threats. By taking a risk-based approach and leveraging tools like ENISA’s guidance, you can transform compliance into a strategic asset, aligning cybersecurity with operational goals to ensure long-term resilience.

‍Key Takeaways:

• Use ENISA’s guidance to align with best practices and structure your documentation.
• Start compliance efforts now to avoid penalties and operational risks.
• Appoint a leader to keep pace with directives, implementation regulations, and guidance (yes, we’ve read all 1,000 pages).
• Conduct risk assessments and document decisions to build a defensible compliance position.

If parts of NIS2 remains unclear, or if your organization needs support navigating its requirements, Torsten or Mads are here to help!