NIS2: risk assessment and compliance

The NIS2 directive has sharpened cybersecurity requirements for thousands of European companies. Here's who is covered, what's required of the risk management process, and how RiskNote helps you get going.

What is NIS2?

NIS2 (Network and Information Security Directive 2) is EU directive 2022/2555, which sharpens cybersecurity requirements across the Union. It replaces the original NIS directive from 2016 and covers significantly more sectors and organisations.

EU member states were required to transpose NIS2 by 17 October 2024. In Sweden it's implemented through the Cybersecurity Act.

Sanctions: up to €10 million or 2% of global revenue for essential entities.

NIS2 risk management requirements (Art. 21)

  • 1. Risk analysis and information security policy

    Documented risk analysis of systems. Policy approved by the management body.

  • 2. Incident handling

    Process to detect, report, and remediate incidents. Reporting to CSIRT within 24 hours.

  • 3. Business continuity and backup

    Business continuity, disaster recovery, tested backups.

  • 4. Supply-chain security

    Vendor risk assessment. Contractual security requirements.

  • 5. Access control and encryption

    MFA, principle of least privilege, encryption at rest and in transit.

  • 6. Awareness training

    Security training for staff, especially management.

  • 7. Vulnerability handling and patching

    Process for identifying and remediating vulnerabilities.

NIS2 checklist: are you in scope?

  • Size above the threshold

    Medium or large enterprises (over 50 employees or €10 million revenue) in qualifying sectors.

  • Qualifying sector: essential entities

    Energy, transport, banking, financial market infrastructure, healthcare, drinking water, waste water, digital infrastructure (TLD, IXP, cloud, data centre), public administration, space.

  • Qualifying sector: important entities

    Postal and courier services, waste management, manufacturing of certain products, chemicals, food, medical devices manufacturing, digital providers (search engine, marketplace, social media).

  • Exemption for very small enterprises

    Micro and small enterprises (under 50 employees and under €10 million) are generally exempt, but exceptions exist in critical digital infrastructure sectors.

  • Critical to national security

    Member states can include smaller companies if they're critical to national security.

How RiskNote supports NIS2

NIS2 Art. 21 requires a documented, risk-based cybersecurity process. RiskNote provides it: a living register of information and ICT risks, traceability per risk, and a PDF report that can be attached to supervisory filings.

NIS2-specific mappings (the AI understands NIS2 requirements when suggesting risks, and each risk can be tagged with a NIS2 Art. 21 control) ship in RiskNote V1.2 (Q3 2026).

Frequently asked questions about NIS2

When does NIS2 apply?

The NIS2 directive was required to be transposed by member states by 17 October 2024. Sweden's Cybersecurity Act came into force in 2026. Supervisory activity is ongoing from 2026 onwards.

We have 40 employees, are we in scope?

Probably not, since the threshold is 50 employees or €10 million revenue for a medium enterprise. But exceptions exist: digital infrastructure (e.g. domain registries, IXPs, DNS) can be in scope regardless of size. Check your sector with the relevant authority.

What's the difference between essential and important entities?

Essential entities face higher reporting requirements, proactive supervision, and higher sanctions (up to €10M or 2% of revenue). Important entities have the same security requirements but reactive supervision and somewhat lower sanctions.

Do we need a CISO?

NIS2 doesn't mandate a formal CISO, but it requires management to be involved in and trained on cybersecurity risk. In practice most essential entities appoint a security lead (who can be part-time or external).

Must the board approve the risk management process?

Yes. NIS2 Art. 20 requires the management body (board or equivalent) to approve cybersecurity risk management. Board members can be held personally liable for breaches.

Start NIS2 where it matters: the risk register

NIS2 compliance starts with a documented, traceable risk management process. RiskNote gives you one in an afternoon.