NIS2 is the EU’s toughest cybersecurity law yet — and it reaches Norwegian and EEA businesses through national law such as the Digitalsikkerhetsloven. If you operate in energy, transport, health, manufacturing, food, waste or digital services — or you supply anyone who does — you are likely in scope as an essential or important entity. Significant incidents must be flagged to authorities within 24 hours, and management can be held personally accountable for non-compliance.
ITSecOps takes you from “does this even apply to us?” to audit-ready: a fixed-price NIS2 readiness programme run by our Stavanger team and backed by a 24/7 security operations centre.
Who NIS2 applies to
- Essential entities: energy, transport, banking and financial infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration and space.
- Important entities: manufacturing, food production, chemicals, waste management, postal services and digital providers such as marketplaces and search engines.
- Suppliers: even below the 50-employee / €10M threshold, you get pulled in through your customers’ supply-chain security requirements — expect NIS2 questionnaires in every large tender.
What NIS2 actually requires
- Risk-management measures (Article 21): security policies, incident handling, business continuity and backups, supply-chain security, secure configuration, vulnerability handling, cryptography, MFA and security training.
- Incident reporting: early warning within 24 hours, full notification within 72 hours, final report within one month.
- Management accountability: boards must approve the measures, oversee them and take the training — liability sits at the top.
- Fines: up to €10 million or 2% of global turnover for essential entities.
Our NIS2 readiness programme
- 1. Scoping call (free): we confirm whether and how NIS2 hits you — 30 minutes, plain answers.
- 2. Gap assessment: your current state measured against every Article 21 control, mapped to ISO 27001 so the work counts twice.
- 3. Prioritised roadmap: what to fix, in what order, at what cost.
- 4. Implementation: policies, MFA, backup and logging architecture, incident-response playbooks — our engineers do the work, not just the paperwork.
- 5. 24/7 SOC monitoring: the 24-hour reporting clock only works if someone is watching at 03:00. Ours is.
- 6. Ongoing compliance: quarterly reviews, evidence collection and audit support.
Why ITSecOps
One partner for NIS2, GDPR and ISO 27001: local presence in Stavanger, a 24/7 global SOC, and fixed monthly pricing typically 30–50% below local-only consultancies. We implement as engineers first and document as consultants second.
The ten Article 21 measures, in plain language
Article 21(2) of NIS2 lists ten cybersecurity risk-management measures every in-scope entity must implement. Here is what each means operationally — and what evidence a supervisor or auditor will ask for:
| Measure | What it means in practice | Typical evidence |
|---|---|---|
| Risk analysis & security policies | A living risk register and approved ISMS policies | Risk assessment, policy set, management sign-off |
| Incident handling | Detection, response and escalation that actually works at 03:00 | IR plan, on-call rota, SOC alerting logs |
| Business continuity | Backups, disaster recovery, crisis management | Tested restore records, BCP/DR plans |
| Supply chain security | Security requirements on your suppliers and providers | Vendor register, contract clauses, assessments |
| Secure acquisition & development | Security built into systems you buy and build | Hardening baselines, change management |
| Effectiveness assessment | You measure whether controls work | Audit reports, pentest results, KPIs |
| Cyber hygiene & training | Baseline practices and staff awareness | Training records, phishing-test results |
| Cryptography | Policy on encryption and key management | Crypto policy, TLS/disk-encryption evidence |
| HR security & access control | Joiner/mover/leaver discipline, least privilege | Access reviews, offboarding checklists |
| MFA & secured communications | Multi-factor authentication and secure comms | MFA coverage report, conditional-access policies |
Deadlines, reporting and penalties
Reporting: significant incidents require an early warning within 24 hours, a full notification within 72 hours, and a final report within one month. That cadence is impossible without monitoring that never sleeps — it is why our programme is delivered on top of a 24/7 SOC, not a document binder.
Penalties: essential entities face fines up to €10M or 2% of global turnover (important entities: €7M or 1.4%), plus personal accountability for management bodies — boards must approve and oversee the measures, and can be held liable for gross negligence.
Norway: NIS2 lands through the EEA and the Norwegian digitalsikkerhetsloven, extending duties well beyond the old NSM-regulated circle — mid-size manufacturers, logistics, food production, waste, digital providers and public suppliers are in scope. Norwegian detail in our answer: does NIS2 apply to Norwegian companies? — or read this in Norwegian on our IT-drift page.
Frequently asked questions
Does NIS2 apply to Norwegian companies?
Yes. Norway follows the EU cybersecurity framework through the EEA, implemented nationally via the Digitalsikkerhetsloven. Norwegian companies in covered sectors — and their suppliers — should align with NIS2 requirements now rather than wait for enforcement to mature.
We already have ISO 27001. Are we NIS2 compliant?
You are most of the way there — but NIS2 adds mandatory incident reporting deadlines, management liability and sector-specific supervision that ISO 27001 alone does not cover. We map the delta and close it.
How long does NIS2 readiness take?
A typical SMB goes from gap assessment to audit-ready in 8–12 weeks, depending on how much of the technical baseline (MFA, backups, logging, incident response) already exists.
What does it cost?
Fixed-price, scoped after the free assessment call. Because we combine consulting with our own 24/7 SOC delivery, total cost is usually well below hiring separate consultants and tooling.