Choose language

NIS2 compliance is about control: Key takeaways from House of Control’s webinar

For affected organisations, NIS2 changes how cybersecurity, supplier risk, documentation and incident reporting are managed across the business. It is not just an IT responsibility; leadership, legal, procurement, compliance and operations all need to be involved. 

A blonde woman in an orange blouse and a black blazer is in a conversation with her colleague.

In House of Control’s webinar, “NIS2 and your business: What you need to know and do now”, Kathrine Resch-Knudsen, Product Marketing Manager and Compliance Expert, and Emil Johansson, Product Marketing Manager, explained where companies should start. The webinar focused on Sweden, but the takeaways are relevant for any organisation that may be directly or indirectly affected.

“The companies that succeed with NIS2 will turn legal requirements into clear ownership, repeatable processes and real-time visibility. Compliance is no longer a document exercise. It is a management discipline.”

– Kathrine Resch-Knudsen, Product Marketing Manager and Compliance Expert, House of Control

 

Read more: Why contract management is the foundation of NIS2 compliance.

What is NIS2?

NIS2 is the EU’s updated cybersecurity directive. It covers more sectors and introduces stricter expectations for risk management, incident reporting, supplier security and management accountability.

Even organisations that are not directly regulated may be affected through customers, suppliers or partners that require stronger documentation, security maturity and supplier-chain control.

In practice, NIS2 means working systematically across risk analysis, incident handling, business continuity, supply chain security, access control, training, cryptography and secure communication. For business leaders, preparation can no longer wait.

1. Clarify whether you are directly or indirectly affected

Many companies start by asking: “Does NIS2 apply to us?” That is the right place to begin, but direct regulation is only part of the picture.

NIS2 also creates a ripple effect through the supply chain. Customers, suppliers and partners may require NIS2-level documentation even if your organisation is not directly covered. NIS2 does not stop at your company’s legal boundaries; it moves through commercial relationships.

Action point: Determine whether your organisation is directly affected, indirectly affected through customer or supplier requirements, or both.

2. Make leadership ownership clear

NIS2 raises expectations for management. Cybersecurity cannot be treated as a purely technical issue owned by IT. Leadership must understand risk exposure, approve relevant security measures and ensure responsibilities are clearly distributed.

Action point: Assign NIS2 ownership at leadership level and define how IT, legal, procurement, compliance and operations contribute.

Read more: The NIS2 24-hour rule: Handling incident reporting requirements.

3. Get control of your supply chain

Supplier risk is one of the most important parts of NIS2 compliance. Companies need to understand who their critical suppliers are, what they deliver, what access they have and how they may affect business continuity, including important sub-suppliers.

Many organisations struggle here. Supplier data is often spread across contracts, procurement systems, spreadsheets, emails and questionnaires, making the full risk picture hard to see.

The NIS2 readiness report 2026 is based on research conducted by Opinion on behalf of House of Control, with insights from 462 business leaders in Norway, Sweden and Denmark. It highlights the gap between awareness and readiness, and new demands for leadership, documentation and supply-chain control.

The findings confirm this challenge. Among Scandinavian companies affected by NIS2, 46% say they are indirectly affected through customer or supplier requirements, while formalising supplier and subcontractor requirements is one of the key resource-intensive activities.

Action point: Build one overview of suppliers, contracts, services, dependencies and criticality. Start with the suppliers that are most important for business continuity.

For more market data, benchmarks and practical recommendations, download the NIS2 readiness report 2026.

4. Turn documentation into a working process

Many companies already have policies, contracts and supplier information. The problem is that the information is often fragmented. Under NIS2, documentation must be structured, updated and easy to retrieve - including risk assessments, supplier follow-up, security requirements, incident routines and management reporting.

The NIS2 readiness report shows that affected companies in Scandinavia spend an average of 54 hours per month on manual compliance follow-up. Only 15% of affected respondents say they have established systems and procedures for NIS2 work.

Action point: Reduce dependency on spreadsheets and scattered files. Create a structured process for collecting evidence, following up suppliers and documenting decisions.

Want to know more? Watch the on-demand webinar, “NIS2 and your business: What you need to know and do now”. It is in Swedish and Norwegian, with English subtitles.

5. Do not assume ISO 27001 is enough

ISO 27001 is a strong foundation for information security and overlaps with many NIS2 requirements. But ISO 27001 alone is not NIS2 compliance. NIS2 is a legal requirement with supervisory oversight, incident reporting obligations, management accountability and stronger supplier-chain expectations.

Action point: Use ISO 27001 and other frameworks as a starting point, but map them specifically against NIS2 requirements.

6. Prepare for incident reporting before an incident happens

NIS2 introduces clear expectations for reporting significant incidents. The question is not only whether you can detect an incident, but whether you can quickly understand what happened, who must be involved, what must be reported and where the documentation is stored.

Action point: Define who reports, who approves, what information is needed and how leadership is informed.

7. Move from awareness to action

Many companies understand NIS2, but are not operationally ready. House of Control’s NIS2 readiness report 2026 shows high awareness but low readiness: 55% know the directive well or somewhat, while only 45% of affected companies consider themselves prepared.

Action point: Clarify your exposure, map critical suppliers, establish documented processes and reduce manual follow-up.

The main takeaway: NIS2 is about control

NIS2 is often described as a cybersecurity regulation. For business leaders, it is also about control over suppliers, documentation, responsibilities, incident reporting and business-critical risks.

Companies that act early can reduce manual work, respond to customer requirements and build trust. Companies that wait may face pressure from regulators, customers and their own supply chain.

NIS2 readiness starts with visibility. Know where your risks, suppliers and responsibilities are, then move from reactive compliance to proactive control.

To learn more about how House of Control can help simplify NIS2 compliance, explore NIS2 with House of Control.

 

Disclaimer: House of Control is a software company. We do not offer NIS2 compliance consulting services. Thus, following this guidance does not guarantee compliance with all NIS2 legal requirements. The content of this article is based on our own research of the NIS2 requirements and our experience with regulatory compliance, and includes inspiration from various actors offering compliance services. We do not assume any responsibility or liability for any failure to comply with NIS2 requirements or resulting from the use of this guidance.

Related blog posts