NIS2: A guide to the new EU cybersecurity directive
NIS2 is the new EU cybersecurity directive that came into force in October 2024. It can be described as the IT security equivalent of the GDPR - a clear signal that cybersecurity is no longer an option, but a requirement.
Just when many businesses were starting to feel comfortable with the GDPR, here comes a new regulatory framework. "Again..." you might be thinking, but this is an opportunity to strengthen your business.

A robust cybersecurity strategy can not only protect your business, but also build trust with customers and partners.
In this article, we explain what the Directive means and highlight the key points.
What is the purpose of NIS2?
The EU has developed NIS2 to raise the common level of cybersecurity within the Union. By imposing higher requirements on both large and small actors, the directive aims to create a more resilient digital ecosystem and protect essential services from cyber threats.
The threat is clear: small and medium-sized enterprises often have weaker protection than larger players and therefore become attractive targets for hackers. Through them, cybercriminals can gain access to larger companies or critical infrastructure. NIS2 aims to break this chain.
Who is covered by NIS2?
NIS2 applies to businesses and organizations in vital and critical sectors. Among those affected are:
- Banking
- Energy
- Transportation
- Water and sewerage
- Health and medical services
- Public administration
- Space industry
- Digital services such as cloud providers and data centers
Companies with more than 50 employees or an annual turnover of over €10 million are directly affected. Smaller companies may also be affected if they are part of critical supply chains.
If your company fails to comply with NIS2, the consequences can be severe. A business can be fined up to €10 million or 2% of its global annual turnover.
What does NIS2 require?
NIS2 strengthens the requirements for companies' cybersecurity and sets specific requirements in three areas:
Risk management
- The company must have systems to identify, manage and report risks
- Supplier management and value chain risk assessment are also mandatory
Reporting and management responsibilities
- Incidents that critically affect operations must be reported to the supervisory authority within 24 hours
- A summary report shall be submitted within 72 hours and a final report within one month
- Management has a personal responsibility to ensure compliance and can be held accountable for breaches
Compliance and training
- The company shall have internal procedures for IT security training
- Employees should have access to information on measures to increase cybersecurity
- Plans are required for crisis management and to ensure business continuity in the event of an incident
How to prepare your business for NIS2
Like the GDPR, NIS2 requires time and resources to implement. Here are some steps you can take to prepare:
1. Carry out an analysis of the current situation
Map your current cybersecurity practices and identify the gaps compared to NIS2 requirements.
2. Create a holistic approach to cybersecurity
Ensure that IT security is part of the overall business strategy.
3. Train management and staff
Involve management and ensure that all employees understand their role in protecting the business.
4. Get help from experts
Implementing NIS2 can be complex. Get specialist help to ensure you meet the requirements.
The way forward with Upheads
NIS2 is here to stay, and the requirements are extensive. But with the right preparations, you can strengthen your business, protect your operations and build trust in the market.
Do you need support to get started? Contact us and we'll help you analyze how NIS2 affects your business and what actions are required. We can also be with you every step of the way to ensure that your business meets all the requirements of the regulations - safely and smoothly.