What specific security measures does NIS2 require businesses to implement?

When the NIS2 directive applies to your business, the next question is: which measures are required? Here is a brief summary and some practical advice to get started.
Published: 24.06.25

Is your business covered by the NIS2 directive? Check it out here.

This is the second question that arises once you have determined that the NIS2 directive applies to your business, and it is the topic of our recently published article in the legal journal Lov & Data. The answer is not straightforward, because the approach must be risk-based and "all-hazards"-based.

The minimum requirements are outlined in NIS2 Articles 21(2) and 20(2) and include, among other things, requirements for:

  • Risk assessment and management: Regular risk assessments must be conducted to identify potential security threats and vulnerabilities in network and information systems (NIS).
  • Protection: Measures must be implemented to protect network and information systems from unauthorized access, modification, loss, damage, or destruction.
  • Detection: Mechanisms must be in place to detect and analyze security incidents and threats.
  • Response and recovery: Measures must be established to respond to security incidents and restore systems to normal operation.
  • Security awareness and training: Management must be trained in cybersecurity and informed about best practices to minimize risks.

Review the personal responsibility of management and employees in our article here.

Six initial steps to get started:

  1. Anchoring: The board and management must be involved and understand the risks. Prepare a white paper or similar document and/or present the issue in board and management meetings.
  2. Mapping: Identify critical systems, suppliers, and data. Document these in an appropriate location.
  3. Risk assessment: Conduct an annual risk assessment and GAP analysis against NIS2 requirements.
  4. Planning measures: Create a prioritized list of what needs to be implemented. Coordinate with other regulations to reduce administrative overhead.
  5. Implementation: Implement measures and update routines.
  6. Testing and improvement: Test plans, conduct exercises, and regularly update plans and systems.

NIS2 imposes comprehensive security requirements but also provides businesses with the flexibility to tailor measures based on risk and size. The responsibility of businesses is to find the appropriate level and demonstrate that the necessary measures have been implemented.

The latest informal update we have received is that the consultation paper for the implementation of NIS2 has been delayed, reportedly due to delays in underlying agencies and plans to coordinate the implementation into Norwegian law with the CER Directive. The consultation is therefore expected to take place no earlier than winter 2025.

For those who wish to provide input on the NIS2 proposal, it is important to be prepared when the consultation opens. One relevant topic for comments could be the level of fines. In the consultation paper for the implementation of NIS1, published on September 11, 2024, the ministry proposed that Norwegian businesses could be fined up to 4% of annual turnover—a doubling compared to the NIS2 directive’s limit of 2%. However, it was unclear whether this would apply solely to the company’s turnover or the total turnover of the corporate group. This level of fines was later codified into the Digital Security Act.

For questions or additional information, feel free to contact attorney Kristian Foss, one of Norway’s leading experts on the NIS2 directive and related legal issues. Additional contact information can also be found here.
