{"id":7273,"date":"2024-10-04T08:06:23","date_gmt":"2024-10-04T08:06:23","guid":{"rendered":"https:\/\/haavind.no\/techinsight-new\/?post_type=tech-insight&#038;p=7273"},"modified":"2026-05-29T13:48:19","modified_gmt":"2026-05-29T13:48:19","slug":"nis2-directive","status":"publish","type":"tech-insight","link":"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/","title":{"rendered":"NIS2 Directive"},"content":{"rendered":"\t<div class=\"template-tech-insight alignwide has-media wp-block-dekode-hero\">\n\t\t<div class=\"hero__inner\">\n\t\t\t<div class=\"hero__inner_blocks\">\n\t\t\t\t\n<h1 class=\"wp-block-post-title\">NIS2 Directive<\/h1>\n\n<p class=\"t2-ingress wp-block-t2-ingress\"><em>Directive (EU) 2022\/2555 replaces the NIS1 Directive and establishes a broader, more harmonized cybersecurity framework for essential and important entities, with minimum requirements for cybersecurity risk management and measures.<\/em><\/p>\n\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<div class=\"hero__image\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"1920\" height=\"1080\" src=\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2026\/05\/GettyImages-2173923576-1.jpg\" class=\"attachment-ultra size-ultra\" alt=\"\" srcset=\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2026\/05\/GettyImages-2173923576-1.jpg 1920w, https:\/\/haavind.no\/content\/uploads\/sites\/5\/2026\/05\/GettyImages-2173923576-1-300x169.jpg 300w, https:\/\/haavind.no\/content\/uploads\/sites\/5\/2026\/05\/GettyImages-2173923576-1-1024x576.jpg 1024w, https:\/\/haavind.no\/content\/uploads\/sites\/5\/2026\/05\/GettyImages-2173923576-1-768x432.jpg 768w, https:\/\/haavind.no\/content\/uploads\/sites\/5\/2026\/05\/GettyImages-2173923576-1-1536x864.jpg 1536w\" sizes=\"(max-width: 1920px) 100vw, 1920px\" \/>\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\n\n<div class=\"haavind-tech-info alignleft wp-block-haavind-tech-info\">\n\t\t\t<div 
class=\"haavind-tech-info__categories\">\n\t\t\t\t<h4>Category<\/h4>\n\t\t\t\t\n\t\t\t<div class=\"t2-post-dynamic-part is-source-term term-tech-insight-category haavind-tech-meta__category wp-block-t2-post-dynamic-part\"><a href=\"https:\/\/haavind.no\/techinsight\/cybersecurity\/\" class=\"t2-post-dynamic-part__term\" rel=\"tag\">Cybersecurity<\/a><\/div>\n\t\t\t<\/div>\n<div class=\"haavind-tech-info__blocks\">\n<h3 class=\"wp-block-heading\" id=\"h-status\">Status<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-eu\"><strong>EU<\/strong><\/h4>\n\n\n\n<p>Date of application is 18 October 2024. <\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-eea\"><strong>EEA<\/strong><\/h4>\n\n\n\n<p>Pending. <\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-norway\">Norway<\/h4>\n\n\n\n<p>Pending.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-hot-topics\">Hot topics<\/h2>\n\n\n\n<ul>\n<li>New incident reporting regime for NIS2 proposed under the <a href=\"https:\/\/haavind.no\/techinsight\/tech-insight\/digital-omnibus-major-amendments-to-the-gdpr-and-several-data-regulations\/\">Digital Omnibus Proposal<\/a>.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-who-is-affected\">Who is affected<\/h2>\n\n\n\n<p>Operators of essential and important services within several sectors such as energy, transport, wastewater, food, research, IT (managed service providers and managed security service providers), public administration and postal and courier services. The margin of maneuver for member states in identifying entities subject to the Directive is reduced compared with the NIS 1 Directive.<br><br>Micro- and small enterprises (fewer than 50 employees and annual turnover below 10 MEUR) are as a starting point not subject to the Directive. Such enterprises may still be encompassed, e.g. 
if they are considered to have a key role in society, the economy or a certain sector (e.g., sole supplier to an EU country, or entities operating a particularly vulnerable business).<br><br>The distinction between essential and important services is only relevant for the supervisory regime (ex-ante supervision for essential services, and ex-post supervision for important services).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-why-act-now\">Why act now?<\/h2>\n\n\n\n<p>NIS2 is already in force in most EU states, and organizations operating in the EU should be able to demonstrate whether they are in scope and how they comply with the requirements, in addition to complying with mandatory notification obligations towards local supervisory authorities.<br><br>The enforcement exposure is significant. Administrative fines of at least up to 10 MEUR or 2% of total worldwide annual turnover may be imposed, with relevant caps depending on the entity and breach in question. Supervisory authorities may also use supervisory and enforcement tools such as on-site inspections and security audits.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-key-obligations\">Key obligations<\/h2>\n\n\n\n<p>As under the NIS 1 Directive, entities in scope are required to conduct a risk assessment and implement security measures appropriate to the risk. 
However, the NIS 2 Directive imposes a broad range of minimum measures, including: i) business continuity; ii) supply chain security; iii) policies and procedures to assess the effectiveness of cybersecurity risk-management measures; iv) basic cyber hygiene practices and training; v) policies and procedures regarding use of cryptography; and vi) human resources security.<br><br>The Directive further enhances the notification regime for cybersecurity incidents, through a three-step model where an early warning and initial information must be provided within 24 hours, an initial assessment of the incident within 72 hours, and a detailed report with identified root cause and mitigation measures within one month.<br><br>Implementing regulation 2024\/2690 details the general requirements in NIS2 with about 400 specific mandatory requirements, applicable to various digital service providers, including cloud service, data centre and managed service providers.<br><br>Supervisory authorities are given broad powers to supervise and impose sanctions, e.g. through on-site inspections, security scans, requests for evidence of implementation of policies, and binding instructions. Further, the regime for regulatory fines is harmonized, meaning the maximum fine must be at least EUR 10 million or 2% of the total global annual turnover of the business, whichever is higher for essential service providers. For important service providers, the maximum fine must be at least EUR 7 million or 1.4% of the total global annual turnover.<br><br>Under the Digital Omnibus Proposal, a single EU-wide entry point for incident reporting will be established by ENISA (the European Union Agency for Cybersecurity). 
The unified reporting portal will allow organizations and regulated entities to fulfil their incident and breach notification obligations under several EU legal acts, including the NIS2 Directive, DORA, the eIDAS Regulation, the CER Directive, and the GDPR through one secure interface.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-recommended-actions\">Recommended actions<\/h2>\n\n\n\n<ol>\n<li>Consider whether you are in scope of the Directive, including if you are a Norwegian entity providing services to other EU Member States.<\/li>\n\n\n\n<li>Establish a security management system, or map your existing security management system against the requirements of the Directive.<\/li>\n\n\n\n<li>Establish processes to enable rapid notification to the authorities in case of cyber incidents. It may be a complex exercise to assess notification requirements in an emergency situation, meaning roles and criteria should be anchored in the organization.<\/li>\n\n\n\n<li>Update board and management governance so that cybersecurity risk-management measures are formally approved, overseen and documented at management level.<\/li>\n\n\n\n<li>Conduct risk assessments of network and information systems used to provide societally important services. 
Risk assessments will serve as the basis for determining which technical, organizational, physical and personnel-related obligations should be implemented to ensure adequate security in accordance with the Directive.<\/li>\n\n\n\n<li>Review supplier and service provider agreements, and ensure flow-down obligations are complied with.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-can-we-assist\">How can we assist?<\/h2>\n\n\n\n<ul>\n<li>Assessing the applicability of the digital security act to your organization.<\/li>\n\n\n\n<li>Reviewing commercial contracts to ensure that the obligation to flow down security requirements is complied with.<\/li>\n\n\n\n<li>Reviewing your security management system to assess whether changes need to be made to comply with the act.<\/li>\n\n\n\n<li>Establishing policies for incident response, enabling your company to comply with the notification requirements.<\/li>\n\n\n\n<li>Supporting impact assessments of network and information systems.<\/li>\n\n\n\n<li>Supporting M&amp;A due diligence on target companies subject to NIS2.<\/li>\n<\/ul>\n\n\n\n<p>We have recently assisted a Norwegian company with establishing a security management system under applicable laws, including NIS2. 
We have also conducted a gap analysis of a major cloud service provider&#8217;s security management system against the requirements under Implementing regulation 2024\/2690.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-contact-us\">Contact us<\/h2>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-1 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<p><strong>Andreas Gard Meyer<\/strong><br>Senior Lawyer<br><br>a<em>.meyer@haavind.no<br>+47 988 37 538<\/em><\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<figure class=\"wp-block-image size-large is-resized is-style-50\"><img loading=\"lazy\" decoding=\"async\" width=\"683\" height=\"1024\" src=\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2026\/05\/Andreas-Gard-Meyer-2-1-683x1024.jpg\" alt=\"\" class=\"wp-image-8083\" style=\"width:168px;height:auto\" srcset=\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2026\/05\/Andreas-Gard-Meyer-2-1-683x1024.jpg 683w, https:\/\/haavind.no\/content\/uploads\/sites\/5\/2026\/05\/Andreas-Gard-Meyer-2-1-200x300.jpg 200w, https:\/\/haavind.no\/content\/uploads\/sites\/5\/2026\/05\/Andreas-Gard-Meyer-2-1-768x1151.jpg 768w, https:\/\/haavind.no\/content\/uploads\/sites\/5\/2026\/05\/Andreas-Gard-Meyer-2-1-1025x1536.jpg 1025w, https:\/\/haavind.no\/content\/uploads\/sites\/5\/2026\/05\/Andreas-Gard-Meyer-2-1.jpg 1281w\" sizes=\"(max-width: 683px) 100vw, 683px\" \/><\/figure>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-2 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<p><strong>Kari Gimmingsrud<\/strong><br>Partner<br><br>k<em>.gimmingsrud@haavind.no <br>+47 922 91 006<\/em><\/p>\n<\/div>\n\n\n\n<div 
class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1281\" height=\"1920\" src=\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2026\/05\/Kari-Gimmingsrud-1.jpg\" alt=\"\" class=\"wp-image-8095\" style=\"width:170px;height:auto\" srcset=\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2026\/05\/Kari-Gimmingsrud-1.jpg 1281w, https:\/\/haavind.no\/content\/uploads\/sites\/5\/2026\/05\/Kari-Gimmingsrud-1-200x300.jpg 200w, https:\/\/haavind.no\/content\/uploads\/sites\/5\/2026\/05\/Kari-Gimmingsrud-1-683x1024.jpg 683w, https:\/\/haavind.no\/content\/uploads\/sites\/5\/2026\/05\/Kari-Gimmingsrud-1-768x1151.jpg 768w, https:\/\/haavind.no\/content\/uploads\/sites\/5\/2026\/05\/Kari-Gimmingsrud-1-1025x1536.jpg 1025w\" sizes=\"(max-width: 1281px) 100vw, 1281px\" \/><\/figure>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Deadline for implementation in the EU (Directive 2022\/2555)<\/p>\n","protected":false},"featured_media":7660,"menu_order":0,"template":"","meta":{"tech-insight-date":"2024-10-18T10:03:04","footnotes":""},"tech-insight-category":[92],"tech-insight-jurisdiction":[83,84],"tech-insight-status":[86,97],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v24.2 (Yoast SEO v24.2) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>NIS2 Directive - Haavind Tech Insight<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"NIS2 Directive\" \/>\n<meta property=\"og:description\" content=\"Deadline for implementation in the EU (Directive 2022\/2555)\" \/>\n<meta 
property=\"og:url\" content=\"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/\" \/>\n<meta property=\"og:site_name\" content=\"Haavind Tech Insight\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-29T13:48:19+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/NIS2-460x352-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"460\" \/>\n\t<meta property=\"og:image:height\" content=\"352\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/\",\"url\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/\",\"name\":\"NIS2 Directive - Haavind Tech 
Insight\",\"isPartOf\":{\"@id\":\"https:\/\/haavind.no\/techinsight\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/NIS2-460x352-1.jpg\",\"datePublished\":\"2024-10-04T08:06:23+00:00\",\"dateModified\":\"2026-05-29T13:48:19+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/#primaryimage\",\"url\":\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/NIS2-460x352-1.jpg\",\"contentUrl\":\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/NIS2-460x352-1.jpg\",\"width\":460,\"height\":352,\"caption\":\"3d rendering of rows of network servers machine farm cloud computing hardware on blue sky background.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/haavind.no\/techinsight\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"NIS2 Directive\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/haavind.no\/techinsight\/#website\",\"url\":\"https:\/\/haavind.no\/techinsight\/\",\"name\":\"Haavind Tech Insight\",\"description\":\"Stay ahead with our digital roadmap of EU Tech 
regulations\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/haavind.no\/techinsight\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"NIS2 Directive - Haavind Tech Insight","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/","og_locale":"en_US","og_type":"article","og_title":"NIS2 Directive","og_description":"Deadline for implementation in the EU (Directive 2022\/2555)","og_url":"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/","og_site_name":"Haavind Tech Insight","article_modified_time":"2026-05-29T13:48:19+00:00","og_image":[{"width":460,"height":352,"url":"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/NIS2-460x352-1.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/","url":"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/","name":"NIS2 Directive - Haavind Tech Insight","isPartOf":{"@id":"https:\/\/haavind.no\/techinsight\/#website"},"primaryImageOfPage":{"@id":"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/#primaryimage"},"image":{"@id":"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/#primaryimage"},"thumbnailUrl":"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/NIS2-460x352-1.jpg","datePublished":"2024-10-04T08:06:23+00:00","dateModified":"2026-05-29T13:48:19+00:00","breadcrumb":{"@id":"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/#primaryimage","url":"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/NIS2-460x352-1.jpg","contentUrl":"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/NIS2-460x352-1.jpg","width":460,"height":352,"caption":"3d rendering of rows of network servers machine farm cloud computing hardware on blue sky background."},{"@type":"BreadcrumbList","@id":"https:\/\/haavind.no\/techinsight\/tech-insight\/nis2-directive\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/haavind.no\/techinsight\/"},{"@type":"ListItem","position":2,"name":"NIS2 Directive"}]},{"@type":"WebSite","@id":"https:\/\/haavind.no\/techinsight\/#website","url":"https:\/\/haavind.no\/techinsight\/","name":"Haavind Tech Insight","description":"Stay ahead with our digital roadmap of EU Tech 
regulations","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/haavind.no\/techinsight\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight\/7273"}],"collection":[{"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight"}],"about":[{"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/types\/tech-insight"}],"version-history":[{"count":8,"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight\/7273\/revisions"}],"predecessor-version":[{"id":8105,"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight\/7273\/revisions\/8105"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/media\/7660"}],"wp:attachment":[{"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/media?parent=7273"}],"wp:term":[{"taxonomy":"tech-insight-category","embeddable":true,"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight-category?post=7273"},{"taxonomy":"tech-insight-jurisdiction","embeddable":true,"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight-jurisdiction?post=7273"},{"taxonomy":"tech-insight-status","embeddable":true,"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight-status?post=7273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}