NIS2: Does Your Company Need to Comply with NIS2?

15 Jun 2026

NIS2 is one of the most comprehensive cybersecurity regulations introduced by the European Union. Its purpose is to strengthen the protection of critical infrastructure, digital services, and essential societal functions against cyberattacks and security incidents. For many organizations, the new rules introduce additional requirements related to management responsibility, risk management, documentation, and reporting.

With the implementation of NIS2, cybersecurity is no longer solely a technical matter. The legislation places clear responsibility on organizational leadership and requires a systematic approach to managing cybersecurity risks.

What Is NIS2?

NIS2 is EU Directive 2022/2555 on measures for a high common level of cybersecurity across the Union. The directive replaces the previous NIS Directive (NIS1) and expands both the number of covered sectors and the requirements imposed on organizations.

The objective is to create a more consistent and robust level of cybersecurity across EU member states. The directive ensures that organizations providing essential or important services have the necessary processes, technologies, and preparedness measures to withstand cyber threats.

In Denmark, NIS2 has been implemented through legislation on measures to ensure a high level of cybersecurity, along with a range of sector-specific regulations. The legislation entered into force in 2025 and applies to both public and private organizations across a broad range of sectors.

Why Was NIS2 Introduced?

The digitalization of society has made organizations and public authorities increasingly dependent on networks and information systems. At the same time, cyberattacks have become more sophisticated and more frequent.

A successful cyberattack targeting energy supply, healthcare, transportation, or digital infrastructure can have serious consequences for citizens, businesses, and society as a whole.

NIS2 is therefore intended to ensure that organizations work more systematically with cybersecurity, risk management, and incident handling.

Who Must Comply with NIS2?

NIS2 applies to essential and important entities operating in a range of critical and economically significant sectors. Compared to the previous NIS Directive, NIS2 significantly expands the scope of covered organizations.

As a general rule, an organization is covered if it operates within one of the regulated sectors and meets the size criteria for medium-sized or large enterprises. However, there are several exceptions where organizations may be covered regardless of size.

Covered Sectors and Organizations

  • Energy
    Organizations that produce, transport, distribute, or store electricity, district heating, oil, gas, or hydrogen. This includes electricity grid operators, energy producers, and gas distribution companies.

  • Transport
    Organizations operating within aviation, rail transport, maritime transport, and road transport. Examples include airports, ports, railway operators, and traffic management companies.

  • Banking and Financial Market Infrastructures
    Credit institutions, banks, and certain organizations supporting financial transactions and market functions.

  • Healthcare
    Hospitals, private healthcare providers, laboratories, pharmaceutical companies, and medical device manufacturers.

  • Drinking Water and Wastewater
    Organizations and utilities supplying drinking water or managing wastewater treatment.

  • Digital Infrastructure
    Providers of internet exchange points, DNS services, top-level domain registries, cloud infrastructure, and other key internet services.

  • Digital Services
    Cloud providers, data center operators, managed service providers (MSPs), managed security service providers (MSSPs), online marketplaces, search engines, and social networking platforms.

  • Electronic Communications
    Telecommunications operators and providers of public electronic communications networks and services.

  • Public Administration
    Government authorities, regions, municipalities, and other public sector bodies covered by national implementation of the directive.

  • Manufacturing
    Selected manufacturing companies within sectors such as medical devices, computers, electronics, machinery, motor vehicles, and chemical products.

  • Postal and Courier Services
    Organizations providing postal and logistics services.

How Large Must an Organization Be?

As a general rule, NIS2 follows the EU definition of medium-sized and large enterprises.

An organization will typically be covered if it has:

  • At least 50 employees, and
  • An annual turnover exceeding €10 million or an annual balance sheet total exceeding €10 million.

For example, a manufacturing company with 120 employees or a cloud service provider with 75 employees will generally be covered if it operates within one of the relevant sectors.

Organizations with fewer than 50 employees and below the financial thresholds will generally not be covered by NIS2. However, exceptions exist for organizations providing particularly critical services or operating critical infrastructure, where coverage may apply regardless of size.

Exceptions Where Size Is Not Decisive

Some organizations may be covered by NIS2 even if they do not meet the size criteria.

This may apply if the organization:

  • Provides a service that is critical to society or the economy.
  • Has particular importance within a critical supply chain.
  • Is the sole provider of an important service within a geographic area or sector.
  • Operates critical digital infrastructure.
  • Has been designated as a critical entity under other relevant legislation.

This means that relatively small organizations may, in certain circumstances, be covered if their function is considered critical to society.

Organizations Must Assess Their Own Status

An important difference compared to previous regulation is that many organizations must determine for themselves whether they fall within the scope of NIS2. The assessment should be based on the organization's sector, size, activities, and significance to society or supply chains.

If an organization is covered, it must register with the relevant authority and be able to document the basis for its assessment.

How Does an Organization Determine Whether It Is Covered?

Organizations are generally responsible for determining whether they fall within the scope of the legislation. This represents a significant change compared to previous regulations, where authorities more often designated covered organizations.

The assessment depends on factors such as:

  • The organization's sector
  • The organization's size
  • The services or products provided
  • The organization's importance to society or supply chains
  • Any sector-specific regulations

Covered organizations must register with the relevant authorities and be able to demonstrate why they are or are not subject to the regulations.

What Are the Requirements Under NIS2?

NIS2 focuses on risk-based cybersecurity. Organizations must implement appropriate technical, operational, and organizational security measures.

Key requirements include:

  • Risk management and information security policies
  • Incident management
  • Business continuity and contingency planning
  • Backup and recovery procedures
  • Crisis management
  • Supplier and supply chain security
  • Secure system development and maintenance
  • Vulnerability management
  • Cybersecurity training and awareness
  • Access control
  • Encryption where appropriate
  • Multi-factor authentication and strong authentication
  • Ongoing evaluation of the effectiveness of security measures

The requirements must be adapted to the organization's risk profile, size, and exposure to threats. Therefore, there is no single standard solution that fits all organizations.

Incident Reporting Requirements

A central element of NIS2 is the requirement to report significant security incidents.

When an organization becomes aware of a significant incident, it must respond promptly and notify the relevant authorities within the specified deadlines.

The purpose is to ensure rapid coordination, limit the consequences of attacks, and strengthen the collective European cybersecurity response.

Management Responsibility Under NIS2

NIS2 makes cybersecurity a management responsibility. The directive emphasizes that organizational leadership must approve cybersecurity measures and oversee their implementation.

Management is expected to:

  • Understand the organization's cybersecurity risks
  • Ensure adequate resources for cybersecurity activities
  • Monitor security measures
  • Ensure compliance with applicable legislation
  • Promote a security-conscious culture throughout the organization

This means cybersecurity is increasingly becoming an integral part of corporate governance and enterprise risk management.

What Is Required of an Organization That Must Comply with NIS2?

An organization covered by NIS2 must be able to demonstrate a structured and risk-based cybersecurity program.

This includes, among other things, the ability to:

  • Identify and assess cybersecurity risks
  • Implement appropriate security measures
  • Develop relevant policies and procedures
  • Manage security incidents effectively
  • Continuously improve cybersecurity practices
  • Actively involve management in cybersecurity efforts
  • Register with relevant authorities where required by law

The organization must also be able to demonstrate that the selected measures are proportionate to the risks it faces.

Consequences of Non-Compliance

NIS2 provides authorities with expanded supervisory and enforcement powers. Organizations may face orders, remediation requirements, and financial penalties in cases of serious non-compliance.

In addition, inadequate cybersecurity can result in significant operational and reputational consequences if the organization becomes the target of a cyberattack.

NIS2 as Part of Enterprise Risk Management

Ultimately, NIS2 is about making organizations more resilient to cyber threats. The directive imposes requirements on technology, processes, and management while emphasizing that cybersecurity should be integrated into the organization's overall risk management framework.

For covered organizations, NIS2 compliance is therefore not a one-time compliance project but an ongoing process where security, documentation, and organizational maturity go hand in hand.

Learn More About NIS2 and Disclaimer

This blog post is intended to provide information and guidance regarding NIS2 to the best of our ability and is primarily aimed at organizations operating in Denmark. It is always your responsibility to determine whether NIS2 applies to your organization, and the author cannot be held liable for any decisions made based on this content, including any inaccuracies contained within the article.

Learn more about NIS2 at the Danish Agency for Societal Security (Danish link)
Learn more about NIS2 at the Danish Agency for Digital Government (Danish link)

Questions and Answers About NIS2

What Is NIS2?

NIS2 is the EU cybersecurity directive designed to strengthen the security of network and information systems used by essential and important organizations.

Who Is Covered by NIS2?

NIS2 applies to a wide range of private and public organizations, including those operating in energy, transportation, healthcare, digital infrastructure, telecommunications, finance, and public administration.

What Requirements Does NIS2 Place on Organizations?

Organizations must systematically address risk management, incident handling, supplier security, access control, cybersecurity awareness training, and documentation of security measures.

Must Security Incidents Be Reported Under NIS2?

Yes. Covered organizations must report significant security incidents to the relevant authorities within the required reporting deadlines.

Does Management Have Responsibility Under NIS2?

Yes. Management must approve cybersecurity measures, oversee their implementation, and ensure compliance with applicable legislation.

Are All Organizations Covered by NIS2?

No. Whether an organization is covered depends on factors such as sector, size, activities, and societal significance.