
NIS2: Which businesses are covered?
Expanded cybersecurity requirements
The NIS2 Directive broadens the scope of NIS1 so much that it can be regarded as the first general EU regulation of how businesses must handle cybersecurity. The requirements cover risk analysis and risk management, access control, supply chain security, business continuity and contingency plans, and measures to prevent, detect and handle security incidents. In practice, this means businesses must have robust systems and procedures in place to protect themselves from cyberattacks and other digital threats.
The directive also introduces stricter reporting requirements for security incidents, with fixed deadlines for notifying the relevant authorities: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month.
Who is covered by NIS2?
This directive expands the scope compared to the previous NIS Directive from 2016 and regulates a broader range of sectors and services. As a result, not only are sectors such as
- energy,
- healthcare,
- transport,
- finance,
- water supply and digital services like cloud services, data storage, and network infrastructure
covered, but also:
- district heating,
- hydrogen,
- pharmaceutical industry,
- manufacturers of medical equipment,
- waste and sewage,
- managed IT and OT service providers,
- postal and courier services,
- chemicals (manufacture, production and distribution),
- food producers and distributors,
- manufacturers of various hardware equipment,
- public administration, and
- space.
Although the general rule is that a business is covered only if it is at least medium-sized, meaning at least 50 employees or an annual turnover or balance sheet total above 10 million euros, there are special rules and exceptions that bring smaller businesses into scope as well (for example certain providers of trust services, DNS services, top-level domain registries and public electronic communications networks, regardless of size). If a business is not directly covered by the NIS2 Directive from 2022, it may still be indirectly affected through contracts if its customers are covered, because covered entities must manage security in their supply chains and will pass requirements on to their suppliers.
This means that many smaller businesses will also be affected. Step one is therefore to determine whether the business will be covered, directly or indirectly. Since the directive has not yet been implemented in Norwegian law, this is particularly relevant for Norwegian companies operating in the EU or with customers there.
Since public entities deliver many critical services, public bodies at state and county level are covered. The directive also lets member states include municipalities and educational institutions, particularly those carrying out critical research.
Implications for Norwegian businesses
For Norwegian businesses, the NIS2 Directive brings both challenges and opportunities. On one hand, the directive requires investments in technology, expertise, and internal processes to meet the new requirements. This can be resource-intensive, especially for smaller companies that have not previously focused on cybersecurity. On the other hand, compliance with the directive can increase trust from customers and partners, and strengthen the company's competitiveness in an increasingly digitalized market.
Having robust security systems in place will also reduce the risk of financial losses and reputational damage resulting from cyberattacks, making investments in cybersecurity a long-term advantage.
How can businesses prepare?
To ensure compliance with the NIS2 Directive, Norwegian businesses should start with a thorough assessment of their own cybersecurity. This involves identifying potential risks, evaluating existing security measures, and implementing the necessary improvements. Furthermore, businesses should develop clear contingency plans and train management and employees in handling security incidents. This includes establishing routines for rapid reporting of security breaches, so that the directive's notification deadlines can be met, and regularly testing contingency plans to ensure they work in practice. At the same time, it is important to stay updated on how the directive will be implemented in Norway and which specific requirements will apply.
Read more about the specific security requirements that apply here.
What happens if we don’t comply?
The most serious consequence of weak security is the damage an attack can inflict on the business, its customers and users. Beyond that, NIS2 introduces drastic sanctions for non-compliance: administrative fines of up to 10 million euros or 2% of global annual turnover for essential entities (7 million euros or 1.4% for important entities), personal liability for management, temporary bans on holding management functions, and suspension of the certifications or authorisations needed to operate.
Review the personal responsibility of management and employees in our article here.
If you have questions about NIS2, feel free to contact us. You can find us here.