NIS2: Is your company compliant?
What's new?
The EU's Network and Information Security Directive entered into force in January 2026. Companies with 50+ employees across 18 sectors are now legally required to implement cybersecurity risk management, incident reporting, and supply chain security. Management is personally liable. Fines reach up to 2% of global annual turnover or €10 million. Most mid-sized companies aren't ready. We help you get there.

What NIS2 requires from your business
NIS2 is not a suggestion. It's binding law, transposed into national legislation across EU member states. If your organisation has 50 or more employees — or annual turnover exceeding €10 million — and operates in a covered sector, you are obligated to comply.
Here's what the law actually demands:
Risk management measures: You must implement technical, operational, and organisational measures to manage cybersecurity risks across your network and information systems. This includes endpoint protection, access control, vulnerability management, and encryption.
Incident detection and reporting: You must be able to detect security incidents and report significant ones to your national authority within 24 hours of discovery. A follow-up report is required within 72 hours, and a full incident report within one month.
Business continuity: You must have plans and systems in place to maintain operations during and after a cyber incident. This includes backup, disaster recovery, and crisis management procedures.
Supply chain security: You must assess and manage cybersecurity risks within your supply chain. Your vendors, contractors, and service providers are part of your attack surface — and NIS2 holds you accountable for them.
Management accountability: Senior management must approve cybersecurity risk management measures, oversee their implementation, and undergo cybersecurity training. Executives are personally liable for non-compliance.
Security awareness training: Employees must receive regular cybersecurity training. This is not optional — it is a stated requirement of the directive.
Who NIS2 applies to
NIS2 covers 18 sectors, split into two categories:
Essential entities (sectors of high criticality): Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space.
Important entities (other critical sectors): Postal and courier services, waste management, manufacturing, production and distribution of chemicals, food production, processing and distribution, manufacturing of medical devices, computers, electronics, machinery, motor vehicles, and digital providers (online marketplaces, search engines, social networking platforms).
The size threshold: Generally, entities with 50+ employees or €10+ million in annual turnover are in scope. Some entities are covered regardless of size — including DNS providers, trust service providers, and public electronic communications networks.
The supply chain effect: Even if your company is below the threshold, you may be required to meet NIS2 standards if you supply goods or services to an entity that is in scope. Enterprise clients are increasingly requiring NIS2-aligned security from their vendors.
The consequences of non-compliance
NIS2 is enforced with teeth.
For essential entities: Administrative fines of up to €10,000,000 or 2% of total global annual turnover — whichever is higher.
For important entities: Administrative fines of up to €7,000,000 or 1.4% of total global annual turnover — whichever is higher.
For management: Executives can be held personally liable. Supervisory authorities can issue reprimands, injunctions, mandatory audits, and in serious cases, temporary prohibition from holding management positions.
For your reputation: Authorities can require you to publicly disclose your non-compliance. In a market built on trust, that disclosure can be more damaging than the fine itself.
How Wira Group helps you comply
We don't sell compliance checklists. We deliver the actual security infrastructure that makes your organisation compliant — and protected.
Risk management measures: XDR, EDR, Email Security, Posture Management — deployed and managed across your environment
Incident detection: 24/7 monitoring through our SOC and MDR service, with automated alerting and analyst investigation
Incident reporting: We support you through the full reporting process — 24-hour initial notification, 72-hour follow-up, and final report
Business continuity: Microsoft 365 Backup (email, OneDrive, SharePoint, Teams), RMM for system health, disaster recovery planning
Supply chain security: Security Posture Management assesses your vendor configurations, access policies, and third-party integrations
Management accountability: Monthly security posture reports written for leadership, quarterly business reviews, compliance documentation
Security awareness training: Phishing simulations and interactive training modules through our SAT platform, with monthly reporting
Access control: Enterprise Password Management with SSO integration, role-based access, and audit logging
NIS2 for your industry
NIS2 impacts different sectors differently. The threats you face, the data you protect, and the regulatory oversight you answer to are specific to your industry. So is our approach.
NIS2 for Healthcare
The regulatory reality: Healthcare is classified as a sector of high criticality under NIS2. If your organisation provides patient care, diagnostic services, laboratory testing, pharmaceutical distribution, or digital health services — and you have 50+ employees — you are an essential entity under the directive. In addition to NIS2, you are subject to GDPR obligations for patient data and, in Sweden, oversight from IVO.
The threat landscape: Healthcare is the most targeted sector for ransomware globally. Attackers know that patient care cannot stop — which means healthcare organisations are more likely to pay. Patient records are the most valuable data type on the dark web, worth up to 10 times more than credit card numbers. A single compromised Electronic Health Record can be used for identity theft, insurance fraud, and blackmail.
Beyond ransomware, healthcare organisations face credential theft through phishing (targeting administrative staff with access to patient systems), business email compromise (fraudulent invoices from "suppliers"), and insider threats from contractors and temporary staff with excessive access privileges.
What NIS2 specifically requires from healthcare:
Active monitoring and protection of all systems handling patient data
Incident detection and mandatory reporting within 24 hours
Business continuity plans that ensure patient care continues during a cyber incident
Supply chain security assessments covering medical device vendors, software providers, and IT contractors
Regular cybersecurity training for all staff — clinical and administrative
Management accountability with documented risk assessments and executive oversight
How we protect healthcare organisations: We deploy endpoint protection (EDR) across every workstation and server that touches patient data. Email security filters phishing and impersonation attacks before they reach staff. Microsoft 365 backup ensures patient records, referrals, and communications are recoverable even after a ransomware event. Security awareness training reduces the click rate on phishing emails — the number one attack vector in healthcare. And our SOC monitors your environment 24/7, because attacks on hospitals don't wait for business hours.
We also provide the compliance documentation your leadership needs: monthly posture reports, incident response documentation, and NIS2 gap assessments mapped to your specific obligations.
NIS2 for Financial Services
The regulatory reality: Financial services — including insurance, investment management, wealth management, credit services, fintech, and accounting firms handling financial data — fall under NIS2's essential or important entity classification depending on size and function. You are also subject to GDPR, national financial supervisory authority oversight (Finansinspektionen in Sweden, BaFin in Germany, AFM in the Netherlands), and increasingly the EU's Digital Operational Resilience Act (DORA), which applies to most financial entities from January 2025.
The regulatory burden on financial services is layered and intensifying. NIS2, GDPR, DORA, and national requirements don't operate in isolation — and non-compliance with any of them carries severe consequences.
The threat landscape: Financial services firms are targeted primarily through business email compromise — where an attacker impersonates a colleague, client, or supplier to initiate fraudulent transactions. A single successful BEC attack on a European financial firm averages €40,000–€120,000 in direct losses, before accounting for regulatory fines and client trust erosion.
Credential theft through phishing is the second most common attack. An attacker who gains access to a financial advisor's email has access to client portfolios, transaction records, and personally identifiable financial data — material that triggers GDPR breach notification obligations and regulatory scrutiny.
Ransomware is less common in financial services than in healthcare, but when it hits, the impact is severe: trading platforms locked, client portals inaccessible, regulatory reporting disrupted.
What NIS2 specifically requires from financial firms:
Comprehensive cybersecurity risk management covering all systems that process financial data
Incident detection and reporting within 24 hours
Business continuity and disaster recovery for trading, portfolio management, and client-facing systems
Supply chain security covering fintech integrations, cloud platforms, and third-party data processors
Management accountability with board-level cybersecurity oversight
Regular security awareness training with a focus on BEC and social engineering
How we protect financial services firms: Email security is the first line of defence — we deploy advanced filtering that catches BEC, impersonation attacks, and phishing before they reach your team. Posture management ensures your Microsoft 365 environment, identity policies, and cloud configurations meet regulatory benchmarks. EDR and XDR provide endpoint and cross-environment detection for threats that bypass email. M365 backup protects your client communications and documents from ransomware and accidental deletion. And our SOC provides the 24/7 monitoring capability that regulators increasingly expect.
For firms subject to DORA, our managed services contribute directly to your ICT risk management framework, incident reporting capability, and digital resilience testing requirements.
NIS2 for NGOs and Non-Profit Organisations
The regulatory reality: Many NGOs are surprised to learn they fall within NIS2's scope. If your organisation has 50+ employees and operates in a sector covered by the directive — public administration, health, education, social services, or digital infrastructure — you are likely classified as an important entity. Even if you're not directly in scope, EU-funded NGOs increasingly face cybersecurity compliance requirements as a condition of their grants.
The regulatory landscape for NGOs is also shaped by GDPR — particularly for organisations handling sensitive beneficiary data, refugee and asylum information, health records, or data related to vulnerable populations.
The threat landscape: NGOs face a unique and severe threat landscape. Unlike commercial businesses, many NGOs are targeted by state-sponsored actors — particularly organisations working in human rights, democracy promotion, press freedom, conflict zones, or political advocacy. These attacks are not opportunistic; they are deliberate, well-funded, and persistent.
Beyond state-sponsored threats, NGOs face the same risks as any mid-sized organisation: phishing, ransomware, credential theft, and insider threats. But the consequences are amplified. A breach of beneficiary data at a refugee services organisation can put lives at risk. A ransomware attack on a humanitarian logistics operation can disrupt aid delivery. A compromised email account at a democracy-promotion NGO can expose activists and sources.
The problem is compounded by chronic underinvestment in IT. Most NGOs allocate their budgets to mission delivery, not infrastructure. The result is that many of the organisations most at risk have the least protection.
What NIS2 specifically requires from NGOs in scope:
Risk management measures proportionate to the organisation's size and exposure
Incident detection and reporting within 24 hours
Business continuity planning for mission-critical systems
Supply chain security covering partner organisations, field offices, and technology vendors
Management accountability — board members and executive directors bear personal responsibility
Staff cybersecurity training, particularly for field workers and remote teams
How we protect NGOs: We understand that NGOs operate with constrained budgets and distributed teams. Our approach is built for that reality.
We deploy endpoint protection across every device — including laptops used by remote and field staff. Email security filters the phishing and impersonation attacks that target administrative and leadership teams. M365 backup ensures that documents, communications, and operational data are recoverable after any incident. Security awareness training is delivered in short, accessible modules that work for non-technical staff across multiple languages.
For NGOs handling highly sensitive data — beneficiary records, source identities, political communications — we implement additional access controls, encryption policies, and monitoring tailored to elevated threat levels.
Our pricing respects the financial reality of non-profit operations. We work with NGOs to find the right level of coverage within their budget constraints — because we believe that organisations doing the most important work shouldn't be the least protected.
NIS2 for IT and Information Security Companies
The regulatory reality: ICT service management (business-to-business) is explicitly listed as a sector of high criticality under NIS2. If your company provides managed IT services, cloud services, software development, data centre operations, systems integration, or any form of B2B technology services — and you have 50+ employees — you are an essential entity under the directive.
This is significant because IT companies are often in a paradoxical position: they help their clients with technology, but their own internal security is frequently underprioritised. NIS2 changes that. Your own house must be in order — not just your clients'.
Additionally, the supply chain provisions of NIS2 mean that your clients (particularly those in regulated sectors) will increasingly require evidence that you, as their IT service provider, meet NIS2 standards. Failure to demonstrate compliance can cost you contracts.
The threat landscape: IT and security companies are high-value targets precisely because of what they have access to. A compromised MSP or IT service provider gives the attacker a gateway into every client environment they manage. This is known as a supply chain attack, and it is one of the most effective and devastating attack vectors in modern cybersecurity.
The SolarWinds and Kaseya incidents demonstrated this at global scale. But supply chain attacks don't only happen to enterprise vendors — mid-sized IT companies are targeted for the same reason, with less visibility and less incident response capability.
Beyond supply chain risk, IT companies face credential theft (often through phishing targeting technical staff), code repository compromise, API key exposure, and intellectual property theft.
What NIS2 specifically requires from IT companies:
Comprehensive risk management covering all internal systems and all client-facing services
Incident detection and mandatory reporting within 24 hours — both for internal incidents and incidents affecting client environments
Business continuity for service delivery
Supply chain security assessments covering your own tooling, cloud providers, and third-party integrations
Management accountability with documented security governance
Regular security awareness training for all staff, including developers and engineers
How we protect IT companies: We understand that IT companies often have technical capability but lack dedicated security operations. Your engineers are building product and supporting clients — not monitoring endpoints or investigating phishing alerts.
We fill that gap. XDR provides cross-environment visibility across your internal infrastructure and client-facing systems. EDR protects every endpoint, including developer workstations with elevated privileges. Email security stops the phishing campaigns that target your administrative and leadership teams. Posture management continuously monitors your Microsoft 365, Azure, and cloud configurations against best-practice benchmarks — ensuring that your security posture never drifts.
For IT companies preparing for client security audits, vendor questionnaires, or ISO 27001 certification, our managed services provide the operational evidence you need: 24/7 monitoring, incident response capability, documented security controls, and regular reporting.
When your client asks "what security do you have in place?" — you'll have a concrete, documented answer.
The regulatory reality: ICT service management (business-to-business) is explicitly listed as a sector of high criticality under NIS2. If your company provides managed IT services, cloud services, software development, data centre operations, systems integration, or any form of B2B technology services — and you have 50+ employees — you are an essential entity under the directive.
This is significant because IT companies are often in a paradoxical position: they help their clients with technology, but their own internal security is frequently underprioritised. NIS2 changes that. Your own house must be in order — not just your clients'.
Additionally, the supply chain provisions of NIS2 mean that your clients (particularly those in regulated sectors) will increasingly require evidence that you, as their IT service provider, meet NIS2 standards. Failure to demonstrate compliance can cost you contracts.
The threat landscape: IT and security companies are high-value targets precisely because of what they have access to. A compromised MSP or IT service provider gives the attacker a gateway into every client environment they manage. This is known as a supply chain attack, and it is one of the most effective and devastating attack vectors in modern cybersecurity.
The SolarWinds and Kaseya incidents demonstrated this at global scale. But supply chain attacks don't only happen to enterprise vendors — mid-sized IT companies are targeted for the same reason, with less visibility and less incident response capability.
Beyond supply chain risk, IT companies face credential theft (often through phishing targeting technical staff), code repository compromise, API key exposure, and intellectual property theft.
Book a free NIS2 gap assessment for your IT company
Free NIS2 Gap Assessment
NIS2 impacts different sectors differently. The threats you face, the data you protect, and the regulatory oversight you answer to are specific to your industry. So is our approach.
Find out where you stand.
In 30 minutes.
We'll review your current security setup against NIS2 requirements and show you exactly where the gaps are. No sales pitch, no obligations — just a clear picture of your compliance status and a prioritised action plan.
What the assessment covers:
We review your Microsoft 365 Secure Score, identity and access policies (MFA, conditional access, admin accounts), endpoint protection status, email authentication (SPF, DKIM, DMARC), data backup coverage, and security awareness training status. You receive a written summary with findings ranked by severity and clear next steps.
Who this is for:
European companies with 50+ employees in healthcare, financial services, IT and information security, NGOs, and other NIS2-covered sectors. If you're unsure whether you're in scope, the assessment will clarify that too.
Wira Group is a European Managed Security Services Provider headquartered in Sweden. We protect mid-sized companies across Europe with 24/7 managed cybersecurity — XDR, EDR, MDR, email security, M365 backup, security awareness training, and more. All delivered as a managed service. One partner. Full coverage.
Find out where your business is exposed.
Book a free 30-minute security audit. We'll review your current setup, identify critical gaps, and give you a clear action plan — no strings attached.