Knowledge that creates value for you
Easily achieve compliance with NIS2
There’s no need to pay for costly lessons when you can stand on the shoulders of others' experience.
Information security law is a discipline that has become quite established, and we have had the pleasure of practicing it for many years.
To help guide you in the best possible way, we have assembled a classic implementation process in the boxes below.
If you have any questions about the individual steps, feel free to contact us – it’s free of charge.
NIS2 implementation in practice
Management commitment is crucial for NIS2 compliance, as it ensures that information security is prioritized strategically and integrated into the company’s core processes.
When leadership takes the lead, employee awareness and engagement increase, and a culture of information security is established.
Leadership allocates the necessary resources for compliance, such as training and technology, and ensures the proper implementation of policies. Additionally, leadership support enables continuous monitoring and improvement, as well as effective risk management and response to data breaches, helping to avoid fines and reputational damage.
NIS2 does not set specific requirements regarding the individual organisation's risk appetite, so unless this is regulated elsewhere, it is up to management to decide how long they are willing to accept NIS2 activities being out of operation.
One of the key prerequisites for effective implementation and compliance with NIS2 is a shared understanding of risk.
It is essential that everyone in the organisation understands that NIS2 is about maintaining and restoring the organisation's ability to deliver.
NIS2, for example, deals with the risk of not having clean drinking water coming from the tap because the chemical composition at the water plant has been tampered with. NIS2 also addresses the risk of a bridge being struck by a vessel due to compromised navigation control on a cargo ship. And, of course, NIS2 also concerns the risk of undermining the emergency plans of the affected organisations because they have been shared on the public internet.
NIS2 is one of those tasks where resource consumption can spiral out of control if it is not managed from the start.
If you want to quickly move past the implementation phase and into the easier operational phase, the recommendation is clear: Allocate the necessary resources at the start to gain a comprehensive overview of the entire implementation work and related resource demands.
Genuine compliance with NIS2 can only be achieved if there is consensus within the organisation that the picture of reality you are working from is accurate.
Otherwise, there is a risk of both over-implementation and under-implementation, and neither of these outcomes is desirable.
In the following steps, we will explain how you can establish an accurate picture of your NIS2 activities.
NIS2 is essentially about protecting society.
It is therefore important to maintain focus on the processes and sub-processes that support society. This could include the supply of drinking water, food, or medicine. But it could also involve roads, harbours, and airports.
Regardless of the activity that causes an organization to be subject to the regulations, the focus should be on protecting the activity and the supporting processes.
It is rare for a single person to have in-depth knowledge of all the processes that support your NIS2 activities.
We therefore recommend that you involve those of your colleagues who are most familiar with the individual workflows. They are important allies in the ongoing work of defining the scope of the NIS2 tasks.
You are now well on your way to handling the NIS2 work within your organisation.
The management is committed, the understanding of risks is consistent, sufficient resources have been allocated, and, in collaboration with your colleagues, you have gained insight into the processes that support your NIS2 activities.
The next step is to examine which tools are being used within the organisation to support the processes.
We recommend that you start by looking at each individual activity and talk to your colleagues about which IT systems, folder structures, and possibly physical media they use in their daily work. It should be noted that it will rarely be sufficient to only talk to IT about this. This is because IT usually does not have a complete picture of which systems are actually being used within the organisation.
Your work is now progressing faster and faster. The processes, personnel, and systems are under control.
The next step is to clarify which hardware is being used. In this context, it is important to think broadly and outside the box.
Most people naturally use the equipment provided by their workplace, but it does happen that private devices are used in urgent situations. We therefore recommend striving for an open, honest, and unbiased discussion about which equipment is actually being used.
The dialogue has been productive. Colleagues have shared extensively about the systems and hardware they use in their daily work. This is perfect, as the next step is to identify the organisation's suppliers.
Based on the above, it is essentially a matter of groundwork to note which external organisations are involved in the organisation's handling of NIS2 activities.
The next step would be to examine whether all of them are involved and if they align with the top management's risk appetite.
"Safety first," as they say. However, it simply doesn't hold up in practice.
Before implementing security measures, an assessment of what is truly needed must be made. What you want to know is whether the way the organisation handles its NIS2 activities poses risks to the functioning of society. For example, it could be a lack of management commitment, which results in information security work not being prioritised at all. It could also be that the organisation is so busy that there is no time to follow up on whether the technical support is adequate from a security perspective.
No matter where the issue lies, it must be documented so that it can be included in the mapping of the NIS2 work.
Congratulations! You are now at the final step of the implementation process.
This is where top management is presented with the mapping of the organisation's NIS2 activities, and most importantly, it is here that top management steps in and makes the decision on whether the identified risks should be accepted or managed.
If there are risks that need to be managed, there will naturally be follow-up actions for their specific handling. This could include revisiting emergency plans, renegotiating supplier contracts, or implementing new security solutions.
The implementation is complete. You now have a clear and, most importantly, accurate overview of the organisation's management of NIS2 activities.
The fact is, however, that this otherwise clear and accurate picture will lose its value over time, because it will not remain accurate on its own unless it is actively maintained.
The ongoing work to maintain an accurate picture and continuously report and manage emerging risks is best compared to training for a marathon. The longer the gap between each training session, the harder the next one becomes. We therefore recommend creating a plan for ongoing maintenance and ensuring that the work is carried out collectively.