How Nordic SMBs prepare for NIS2
Practical compliance steps for the new EU directive — what to do this quarter, and what can wait.
NIS2 widens the scope of “essential” and “important” entities and tightens incident-reporting timelines. Most Nordic SMBs we talk to are unsure whether they’re in scope. Here’s a practical sequence.
1. Confirm scope first
Before you spend a single hour on controls, confirm whether the directive applies to your sector and headcount. The criteria changed; many businesses that scoped out of NIS1 are inside NIS2.
2. Map current state to Annex I
Annex I is your control library. Run a gap analysis — most ISO 27001-aligned organisations are 60–70% of the way there.
3. Get the incident playbook right
The 24-hour early-warning obligation is the operational change with real teeth. If your IR runbook still measures in days, fix that first.
4. Document, don’t perform
Auditors want evidence of operating controls, not glossy policies. Build documentation as a byproduct of the work, not a separate workstream.
If you only do one thing this quarter: rehearse your 24-hour notification flow end-to-end, with the actual people who’ll be on call.