NIS2 and the Path to Stronger Cybersecurity in Sweden and the EU
This article explains the EU’s NIS2 Directive, what it means for Swedish organizations, and how to prepare for the new cybersecurity requirements. Learn about key obligations, reporting timelines, management responsibilities, and how training can help your team achieve compliance and build resilience.

Table of contents
Introduction
From NIS to NIS2 – why an update?
Who is covered by NIS2?
Key requirements in NIS2
How will Swedish companies and organizations be affected?
Opportunities with NIS2
Challenges along the way
What should companies do now?
Recommended courses at AVC
Conclusion
Introduction
Digitalisation continues to permeate all areas of society. Business models, critical societal functions and citizens' everyday lives are increasingly based on digital infrastructure. However, this development is accompanied by a sharp increase in vulnerability to cyberattacks, data breaches, and other IT-related incidents. To boost the digital resilience of its member states, the EU has introduced a new framework: the NIS2 Directive.
The directive is to be transposed into national legislation by October 17, 2024, and it will mean significant changes for thousands of companies and organizations in Sweden. Here we go through what NIS2 means, why it is important, and how Swedish actors can prepare.
From NIS to NIS2 – why an update?
The first NIS Directive (2016) was the EU's first common framework for cybersecurity. Its purpose was to ensure that operators of essential services and digital service providers had a basic level of security and that serious incidents were reported.
Despite this, the number of cyber threats has increased dramatically in recent years: ransomware attacks, state-sponsored cyber warfare, supply chain attacks, and sabotage against critical infrastructure. NIS1 was no longer considered sufficient.
NIS2 therefore aims to:
- Cover more sectors and companies – not just the most critical societal functions.
- Raise the requirements for risk management, security measures, and incident reporting.
- Create a more uniform application throughout the EU, so that the level of security does not vary between member states.
- Give authorities more powers to monitor and intervene in cases of non-compliance.
Who is covered by NIS2?
One of the most significant changes is that the directive broadens the scope of those covered. NIS1 mainly applied to energy, transport, finance, healthcare, and digital infrastructure.
NIS2 adds more sectors, including:
- Public administration
- Waste and sewage management
- Food production and distribution
- Manufacture of certain critical products (e.g., medical devices, pharmaceuticals, chemicals, electronics)
- Providers of IT and cybersecurity services
Another important difference is that the directive covers all medium-sized and large companies in the designated sectors. Small companies (fewer than 50 employees and less than €10 million in turnover) are generally exempt, but may be covered if they are considered particularly critical.
For Sweden, this means that significantly more organizations than before will need to meet the requirements – both public and private.
Key requirements in NIS2
NIS2 imposes a number of specific obligations on the parties concerned. The most important of these are listed below:
1. Security measures
Organizations must implement both technical and organizational measures to manage risks. These may include:
- Cybersecurity governance and risk management at management level.
- Measures to prevent, detect, and manage incidents.
- Security in supply chains.
- Security in networks and systems, including encryption and multi-factor authentication.
- Continuity and recovery plans in the event of disruptions.
2. Incident reporting
NIS2 tightens reporting requirements:
- Early warning notification within 24 hours of detecting an incident.
- Detailed report within 72 hours.
- A conclusive report must be submitted within one month of the incident.
This means that organizations need to establish procedures for rapid internal reporting, analysis, and communication with authorities.
3. Management responsibility
A key change is that company management and boards of directors are given explicit responsibility for ensuring that the organization complies with the requirements. They must:
- Approve security measures.
- Participate in cybersecurity training.
- Be held personally accountable for serious deficiencies.
4. Regulatory oversight and sanctions
Each Member State shall designate supervisory authorities with the power to:
- Conduct audits and inspections.
- Request information and evidence of compliance.
- Issue binding instructions.
- Impose fines for non-compliance.
The level of sanctions is high – up to €10 million or 2% of global annual turnover for the most serious violations.
How will Swedish companies and organizations be affected?
In Sweden, work is currently underway to develop a new cybersecurity law to replace the previous NIS law. It is expected to come into force by fall 2024 at the latest.
For Swedish actors, this means that they need to:
- Determine whether they are covered: Organizations must determine whether they belong to the sectors and size classes that fall under NIS2.
- Strengthen governance and management: Management needs to be trained in cybersecurity and integrate the issue into the organization's overall risk management.
- Conduct gap analyses: How well do current security measures meet the requirements of NIS2? Where are the gaps?
- Build robust incident reporting procedures: Processes are needed to detect, analyze, and report incidents in a timely manner.
- Secure the supply chain: Since many cyber threats spread through subcontractors, organizations must also place demands on their partners.
Opportunities with NIS2
It is easy to view NIS2 solely as a burden with increased costs and administrative work. But the directive can also be seen as an opportunity:
- Increased competitiveness: Companies that can demonstrate high cybersecurity become more attractive to customers and partners.
- Strengthened trust: Being able to guarantee secure handling of data and systems builds trust.
- Improved resilience: Investments in security reduce the risk of costly interruptions, data breaches, and damage to the brand.
- Standardization: By harmonizing the rules, the EU provides companies operating in several countries with a clearer and more uniform playing field.
Challenges along the way
However, there are real challenges:
- Complexity: Many organizations today lack a clear picture of their digital assets and risks.
- Skills shortage: Cybersecurity experts are in short supply, both in the private and public sectors.
- Costs: Investments in systems, processes, and training can be significant, especially for medium-sized companies.
- Cultural change: Cybersecurity must become a natural part of the entire organization—not just the responsibility of the IT department.
What should companies do now?
To be well prepared for NIS2, Swedish companies and organizations should already be doing the following:
- Appoint a project group responsible for NIS2 compliance.
- Train the board and management in the new requirements and risks.
- Conduct a status analysis of information security and risk management.
- Introduce incident management procedures and practice scenarios.
- Engage suppliers and ensure that they meet reasonable security requirements.
Recommended courses at AVC
To help your organization meet the new NIS2 requirements, we recommend two tailored e-learning programs:
- SecurityLearn® NIS2 Essentials – An e-learning course that provides a fundamental understanding of cybersecurity risks and the compliance obligations outlined in Article 20 of the NIS2 Directive. Designed for non-technical staff, it builds awareness and promotes a culture of security across the organization.
- Certified NIS2 (CNIS2) – An e-learning course for managers, specialists, and professionals responsible for implementing and maintaining NIS2 compliance. This advanced training bridges the gap between cybersecurity best practices and organizational governance, giving participants the skills to manage risks, address incidents, and ensure compliance.
Both courses are delivered online, in English, and include certification. They provide the knowledge and tools you need to meet the new directive’s requirements.
Conclusion
NIS2 marks a new era for cybersecurity in Europe. While GDPR focused on data protection and individual privacy, NIS2 focuses on robustness and resilience across the entire digital infrastructure.
For Swedish companies and organizations, the message is clear: cybersecurity is no longer a matter for specialists in the IT department—it is a strategic management issue with legal, financial, and trust implications.
Waiting for the new law to come into force risks being costly. But acting in time can make the difference between seeing NIS2 as a heavy regulatory burden – or as an opportunity to strengthen your business for the future.