NIS2 compliance for Nordic businesses, without the legal complexity.
Free, no signup required for assessment.
Are you in scope?
Not sure? The 5-minute assessment gives you a definitive answer.
Take the assessment
- 01 Operating in one of the 18 NIS2 sectors (energy, transport, banking, healthcare, water, digital infrastructure, manufacturing, food, chemicals, and more).
- 02 Medium-sized entities (50+ employees or over €10M turnover): automatic in-scope status.
- 03 Smaller entities operating critical infrastructure or services that, if disrupted, would have significant societal or economic impact.
- 04 Suppliers to in-scope entities. Supply chain obligations cascade down to your customers' vendors.
- 05 Headquartered outside the EU but providing in-scope services to EU customers.
What's required
Plain language, not legal jargon. Citations link to the source regulation.
Risk management measures
Adopt appropriate technical and organisational measures covering policies, incident handling, business continuity, supply chain security, system acquisition, cryptography, access control, asset management, and human resources security.
Article 21, NIS2 Directive (EU) 2022/2555
Incident reporting within 24 hours
Submit an early warning to your national CSIRT within 24 hours, an incident notification within 72 hours, and a final report within one month for any significant incident.
Article 23, NIS2 Directive
Supply chain due diligence
Assess and document the cybersecurity practices of your critical suppliers. NIS2 explicitly extends responsibility for your vendors' weaknesses to you.
Management accountability
Boards and executive leadership must approve the cybersecurity risk-management measures, oversee implementation, and complete specific cybersecurity training.
Article 20, NIS2 Directive
Registration with the national authority
Essential and important entities must register with their national competent authority. In Norway, this will be operationalised under the Digitalsikkerhetsloven.
Vulnerability disclosure and threat intelligence sharing
Operate a coordinated vulnerability disclosure process and participate in voluntary threat-intelligence sharing arrangements where possible.
Deadlines
- January 2023: NIS2 entered into force at EU level
- 17 October 2024: Member State transposition deadline (most EU states in force)
- Q1 2025: Sweden, Denmark, Finland enforcement underway
- 1 October 2025: Norway: Digitalsikkerhetsloven in force; full NIS2 act expected during 2026, dependent on EEA incorporation
- Ongoing: National competent authorities issue sector-specific guidance
Consequences
Up to €10M or 2% of global turnover for essential entities
Beyond fines, non-compliance can block enterprise sales contracts, expose directors personally, and trigger reportable incidents under adjacent regulations.
How Skarpix helps
Scope determination
Automated classification of essential vs important vs out-of-scope based on your sector, size, and operations.
Control mapping
Map your existing controls to NIS2 Article 21 requirements and surface what's missing.
Incident reporting workflow
Templates and timelines for the 24h / 72h / 1-month notification cascade.
Supplier register
Track critical suppliers' cybersecurity posture and trigger reassessments automatically.
Board pack generator
One-click cybersecurity briefings for management oversight requirements.
Ready to see where you stand on NIS2 / Digitalsikkerhetsloven?
Frequently asked
Does NIS2 apply to my company in Norway?
Digitalsikkerhetsloven, which transposes the original NIS1 directive with selected NIS2 requirements integrated, has been in force in Norway since 1 October 2025. NIS2 itself will be implemented through a separate new act, expected during 2026 and dependent on incorporation into the EEA Agreement. NSM estimates that 5,000 to 8,000 Norwegian organisations will fall in scope under the NIS2 baseline.
What's the difference between essential and important entities?
Essential entities (large companies in critical sectors like energy and banking) face the strictest supervision and highest fines. Important entities have similar obligations but lighter supervisory oversight. Both must meet the same Article 21 risk-management measures.
How does NIS2 differ from NIS1?
NIS2 covers far more sectors (18 vs 7), adds management accountability and supply chain obligations, mandates 24-hour incident reporting, and imposes substantially higher fines. It also extends to all entities of significant size in covered sectors, not just designated 'operators of essential services'.
We're already ISO 27001 certified. Are we NIS2 compliant?
ISO 27001 covers most of NIS2 Article 21, but not all. You still need to address incident reporting timelines, management accountability training, supply chain due diligence specific to NIS2, and registration with your national competent authority.
Do supply chain obligations apply to us as a vendor?
If your customers are in-scope entities, you'll face cybersecurity expectations cascading down from them. Even if you're not directly in scope, expect contractual requirements and security questionnaires from in-scope customers.
What happens if we don't comply?
Fines up to €10M or 2% of global turnover for essential entities (€7M or 1.4% for important entities), plus suspension of management certification, plus personal liability for management in some member states.