Click here to sign up
for DBI's newsletter

New EU directive tightens cyber security requirements

Published: 23.06.23

The EU’s new NIS2 Directive has come into force. It tightens the requirements for cyber and information security, and requires a holistic, risk-based approach for companies. Many more companies will now be considered to constitute critical infrastructure due to their role as subcontractors.

Regular cyber attacks are currently underlining the necessity of the EU’s update of the NIS Directive for cyber and information security.

“The original NIS Directive was vaguely formulated, which is why there are major differences in the way it was implemented in the individual Member States. The new NIS2, which came into force in Denmark in January, lays down much stricter requirements and represents a desire to standardise cyber and information security across EU member states,” says Andreas Norstedt, Security Advisor at DBI – the Danish Institute of Fire and Security Technology.

Both NIS and NIS2 are aimed at sectors with critical infrastructure, but with NIS2, the requirement is extended to apply to more sectors as well as subcontractors working for the companies concerned.

“This means, for example, that a company that produces cables for the energy sector must also comply with NIS2,” explains Andreas Norstedt.

Holistic approach

The directive states that companies with more than 50 employees and an annual turnover of 10 million euros or an annual balance sheet of 43 million euros must comply with the requirements, and that the companies’ management teams must approve the safety measures and ensure that they are subject to internal control.

“Many of them will have to get a move on, as the measures must be implemented by October 2024, according to Danish legislation. Most Danish companies have good control over IT security, but one new feature is that NIS2 requires a risk-based approach to cyber and information security. This means that a risk assessment must also be conducted, a contingency plan must be drawn up and the physical environment must be under control. A holistic approach means that an energy company must have a plan to continue to deliver power, whether it’s a cyber attack or a flood in the server room that’s compromising cyber and information security,” explains Andreas Norstedt.

Fines as high as GDPR

In 2025, the relevant supervisory authorities will start monitoring the companies covered by NIS2 to ensure that they are complying with the requirements.

“The supervisory authorities will have far-reaching powers – including access to data, documents and information on areas such as risk assessments and implementation of measures. If it becomes clear that a company is not complying with NIS2, it can result in a large fine. The EU has matched the levels of fines with those for GDPR violations, which can amount to fines of up to 10 million euros or 2% of a company’s global turnover,” says Andreas Norstedt.

About NIS2

The EU’s NIS2 Directive lays down minimum requirements for:

  • Prevention (risk analyses, development of policies and contingency plans)
  • Management of incidents (detection and response)
  • Crisis management and business continuity
  • Supply chain security
  • Security in the procurement, development and maintenance of network and information systems
  • Policy and procedure for assessing the impact of risk management measures
  • “Cyber hygiene” and cyber security training
  • Policy and procedure for encryption
  • Security for human resources, policy for access control and asset management
  • Multi-factor authentication or continuous authentication solutions, secure voice, video and text communications and secure emergency communication systems

Sectors covered by NIS2 according to the Directive:

  • Waste management
  • Digital infrastructure
  • Digital providers
  • Drinking water
  • Energy
  • Finance
  • Financial market infrastructure
  • Research
  • Manufacturing of electronic products, machinery and vehicles
  • Manufacturing, production and distribution of chemicals
  • Information and communication technology
  • Public administration
  • Postal and courier services
  • Production, processing and distribution of food products
  • Aerospace
  • Wastewater
  • Health
  • Transport

Source: NIS2

Read more


Andreas Norstedt
Security Advisor

+45 50 80 78 33