NIS2 Compliance: Is Your Organization Ready?

Bo Drejer

Governance Risk & Compliance Manager

The upcoming implementation of the EU’s NIS2 Directive into Danish law has one overarching goal: to strengthen cybersecurity for companies and organizations involved in critical infrastructure in Denmark. In light of the increasing global cyber threat, it is crucial that Danish companies and public organizations in sectors such as water, energy, healthcare, transportation, and manufacturing become NIS2-compliant as soon as possible. The current geopolitical situation simply leaves no room for passivity.

Cyber Defense Starts Now

According to Bo Drejer, GRC Manager at Orange Cyberdefense, we are facing an increasing risk closely linked to the unstable geopolitical climate. This means our critical infrastructure is particularly vulnerable to cyberattacks.

“Without the resilience that is a crucial prerequisite for a strong cyber defense, we risk having our most vital networks and systems compromised, and critical data locked, stolen, or leaked by cybercriminals. It is essential that we gain better control over cybersecurity; otherwise, the risk of becoming even more vulnerable to ransomware attacks in the future increases. To minimize risk, we must continuously assess the various threats to the organization and the business. Without an accurate risk picture, you cannot build a robust cybersecurity strategy that includes a solid contingency plan and a roadmap for implementing necessary cybersecurity measures. If this work hasn't already started, then you need to begin now,” urges Bo Drejer.

Delays Create a False Sense of Security

Although the NIS2 Directive has been delayed several times, it is important to understand that the threat does not wait. The latest proposal from the Danish Ministry of Defence suggests that NIS2 legislation will likely take effect on July 1, 2025. According to Bo Drejer, this is a worrying development, as many organizations are waiting for the final law before taking action.

“The risk is that these delays create a false sense of security. The threat from cyberattacks grows every day, and many companies and organizations have yet to begin systematic implementation of the security measures required by NIS2. Waiting is a dangerous strategy,” he warns.

Avoid a Consultant Bottleneck

One of the biggest challenges Bo Drejer highlights is the potential lack of qualified consultants once the NIS2 legislation is in place. He fears that a rushed implementation plan will lead to chaotic conditions for the many companies that have yet to begin preparations.

“We are already seeing a growing need for experts and consultants with experience in NIS2 compliance. If everyone waits until the last minute, we risk not having enough resources available to handle the increased demand. That’s why it’s crucial to start now,” says Bo Drejer.

Risk Management and Reporting Will Be Fundamental

Once NIS2 takes effect, risk management and reporting will be two essential elements for all affected companies and organizations. Bo Drejer emphasizes that everyone subject to NIS2 must ensure their risk management processes are robust and able to meet the heightened demands.

“NIS2 introduces stricter requirements for risk management. You must have control over your supply chains, a solid incident management system, and secure network infrastructure. Reporting to authorities will also be more stringent – companies must be able to report cyber incidents quickly and effectively,” he says.

Management Can No Longer Ignore Cybersecurity

One of the most significant changes with NIS2 is that executive leadership – both management and boards – will be held legally accountable for inadequate cybersecurity. Bo Drejer therefore urges all organizations to prepare for these stricter requirements.

“Cybersecurity is no longer just a technical matter. Management now has a direct responsibility, and ignoring it can be costly. Fines can reach several million euros if requirements aren’t met. That’s why it is essential that executive teams understand their role in ensuring compliance,” Bo Drejer points out.

Risk Assessment: The First Step Toward Compliance

According to Bo Drejer, the first step toward NIS2 compliance is a thorough risk assessment that identifies the vulnerabilities that must be addressed.

“A risk assessment provides the necessary overview and enables a structured approach to strengthening cybersecurity. Without it, you risk operating blindly and overlooking critical vulnerabilities,” he explains.

“At Orange Cyberdefense, we help our clients carry out risk assessments and ensure they become compliant. It’s about protecting business-critical functions so you’re well-prepared to face future threats.”

Get Started!

For Danish companies and public organizations that provide critical infrastructure, it’s not a matter of if but when the cyber threat strikes. Implementing NIS2 compliance is a necessary step toward safeguarding the resilience of our society’s most vital systems. As Bo Drejer concludes:

“The sooner you get started, the better prepared you’ll be to face the cyber threats of the future.”

What You Need to Know

In Denmark, the responsible supervisory authority will be the Center for Cybersecurity. In the event of a serious security incident, they must be notified within 24 hours. You then have 72 hours to submit a more detailed report and one month to provide a comprehensive report.

A new development is that management (executives and board members) in affected companies, organizations, and public authorities will be held legally responsible for ensuring cybersecurity. Fines can reach up to 10 million euros or 2% of annual global turnover if the requirements of the directive are not met.

 
