On January 15, 2026, NIS2 will become a reality. The result is not only new requirements, but also an opportunity to strengthen information security, create greater consensus and be better equipped for the future. Here, Stratsys GRC expert Christopher Läns shares concrete steps to prepare your organization.
For many organizations, now is the time to move from theory to practice. With NIS2, many public and private organizations need to be able to demonstrate structured and systematic work with information security. Even actors not directly involved will be affected by customer and supplier requirements.
Involve the Whole Organization
Christopher Läns is a GRC expert at Stratsys and has deep experience in risk management, information security and compliance. He knows how important it is to involve the entire organization in the work:
- Information security is not just an IT issue. Information security is a management issue that involves the whole organization, from legal and HR to IT. Taking a holistic view is often the biggest challenge, but it is necessary to meet the new legislation, says Christopher.
Pitfalls - When Theory Meets Practice
Many organizations struggle with information security work becoming fragmented or sporadic. It's something that is all too common, according to Christopher:
- A lack of collaboration. A good information security manager complements their own knowledge by collaborating with others. No one can cover all dimensions alone. That's why the organization needs to build cross-functional teams where IT, HR and legal are represented.
- Lack of leadership. NIS2 relies heavily on management commitment. The law explicitly requires this. When management does not demonstrate in action that the issue is a priority, it becomes difficult for the rest of the organization to take the work seriously. This is about mandates, resources and clear roles - but also about training. Management must themselves have a certain basic competence and be included in the upskilling process.
- Lack of resources and conflicting priorities. Information security risks being seen as a support function rather than a core issue. This is despite the fact that the consequences of failures can be very costly.
- Lack of continuity. Dependency on individuals can pose a very real challenge within an organization. For example, when security officers change roles or leave, the organization often loses both momentum and documentation.
The common denominator for all these pitfalls is that information security becomes a one-off effort rather than a long-term cultural and organizational change.
Is your Organization Covered by NIS2?
The first and most basic question for an organization is whether it is covered by the new legislation at all. It may sound obvious, but making a correct assessment is of the utmost importance.
NIS2 covers many more sectors than before: not only the traditional providers of essential services, but also, for example, food, manufacturing and digital services.
The rules are primarily aimed at medium and large companies, but can also cover smaller players if their role is particularly significant. The basic rule is that companies with at least 50 employees or SEK 50 million in turnover are covered by the law. NIS2 also takes into account whether the company is part of a group, which means that a company below these thresholds can still be covered through its group affiliation.
It is also worth mentioning in this context that there is an indirect impact via the supply chain. If an organization is not directly affected, it may have to comply with corresponding customer requirements, for example in the form of supplier agreements.
It is up to each company to ensure that it notifies the responsible supervisory authority, with the MSB (the Swedish Civil Contingencies Agency) having overall responsibility. Therefore, make sure to do a thorough assessment of how the law affects your company.
Getting Started - Step by Step
To avoid overwhelming the process, Christopher recommends a pragmatic, step-by-step approach:
- Current situation analysis / gap analysis. Map the current situation against the requirements of NIS2, both internally and across the supply chain. Identify gaps in technology, processes, documentation and responsibilities.
- Train and raise the level of knowledge. Ensure that management, the board and key functions understand the implications of the directive. Use industry resources, training and legal analysis, for example via informationssakerhet.se.
- Plan and structure. Create an overall plan for the work, preferably in the form of an annual cycle or a similar structure. Document the plan so that it can be followed up and revised; this way, the entire plan does not have to be redone every year.
- Introduce processes and participation. Appoint a lead person, but involve several parts of the business, such as IT, legal, HR, etc. Ensure that security work does not become too tied to individuals.
- Prioritize risks and act incrementally. Focus on the biggest risks first rather than trying to tackle everything at once. Ensure that periodic audits, testing and improvements are part of the process.
The Journey is the Destination
The NIS2 Directive brings a significant increase in responsibilities and requirements for many organizations. At the same time, the new law provides an opportunity to strengthen security and credibility, both internally and externally.
Christopher concludes by reminding us of some important basic principles:
- With NIS2, you can truly say that the journey is the destination. The solution is about putting long-term structures in place and building the right culture, not about checking off a regulatory box. So make sure you start where you are. Take small steps in the right direction. This is more sustainable and effective than finding the perfect solution. It is also much easier and more fun.
In other words, NIS2 is not the end goal, but the starting point for continuous work. By working in a structured and long-term way, you can not only meet the regulatory requirements, but create a safer, stronger and more resilient organization.
Want to know more about how the Stratsys GRC platform can help your organization with NIS2? Get in touch with us.