Smart Priorities to Succeed with NIS2

Written by Clara Westman. Reading time: 4 min.

For many businesses, NIS2 is a moment of stress. Requirements are increasing, but resources are not increasing at the same rate. "To succeed, you don't need more hours in the day," says Stratsys security expert Per Gustavsson. The key is smarter priorities, better tools and a clear focus.

The EU directive NIS2 is to be transposed into Swedish law as the Cyber Security Act, probably by the end of 2025. The directive imposes new and tougher requirements on governance, accountability and documentation. At the same time, information security work is moving from the IT department into the boardroom.

For many CISOs, however, resources are already stretched. This is not least due to a fragmented IT environment with many dependencies and unclear mandates between functions. It is often hard to estimate how many resources are needed to meet the requirements. At the same time, there is much to be gained if you get your priorities right.

The Main Challenges Linked to NIS2

According to Stratsys security expert and CISO Per Gustavsson, it is rarely the individual control that is the challenge for companies, but the complexity that comes with a large organization. The challenges range from a fragmented system environment to a lack of knowledge.

Per highlights in particular the following challenges related to NIS2:

  • Fragmented IT and systems environment. Large companies are often sitting on a patchwork of technical solutions - old business systems, cloud services, third-party solutions. Creating an overview becomes time-consuming and resource-intensive.
  • Unclear responsibilities in the organization. There is often a lack of clarity about who actually owns the information security issue. It is not uncommon for IT, business and HR to assume that responsibility rests with someone else. The CISO too often becomes the sole messenger and the one who needs to do the job.
  • Lack of knowledge and low support. At management level, there are often few people who can explain what NIS2 means in practice, and even fewer who see the financial, legal or strategic implications of the directive. Without that understanding, it is difficult to secure the resources needed.
  • Limited crisis preparedness. Many organizations are prepared for operational incidents, but lack the ability to mobilize the whole organization in a cybersecurity crisis. Several functions need to be able to step forward in such a scenario, which requires training and preparation.

Per Gustavsson, CISO at Stratsys

Prioritize with Limited Resources

In reality, it is not possible to achieve everything. Nor is it a desirable strategy, according to Per. With the higher demands that NIS2 places on your organization, the ability to prioritize is put to the test. To succeed with NIS2 without burning out your organization, you need to choose wisely - and focus on what will have the most impact.

So what is the most important thing to prioritize when resources are scarce? According to Per, it comes down to four things:

  1. Start with what is most critical
    Which systems are business-critical? What needs to work for the organization to deliver its mission or continue generating revenue? Start from the core.
  2. Identify the biggest risks
    Not all risks are equal. Use the 80/20 principle: a small share of the risks often accounts for a large share of the total impact. Make sure to address those first.
  3. Minimize manual work steps
    Manual operations are not only resource-intensive, they are also common sources of errors. Therefore, identify early on where and how you can automate your organization's workflows. This could include incident reporting, reminders and other procedures.
  4. Stay true to your organization's purpose
    NIS2 work must never become an end in itself. It must be rooted in the question of what the organization is there for, and what it takes to keep delivering it. The thread from business value to cybersecurity must be kept visible.
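Steps 1 and 2 above can be made concrete in a risk register. The following is an added example, not part of the original article or any Stratsys product: it assumes a constructed register where each risk is scored on a 1-5 likelihood and 1-5 impact scale (exposure = likelihood x impact), ranks risks with business-critical assets first, and cuts the list where cumulative exposure reaches the 80/20 threshold. The asset names, scores and risk IDs are invented for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    business_critical: bool  # step 1: does the asset carry the mission or revenue?
    likelihood: int          # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int              # 1 (negligible) .. 5 (severe), assumed scale

    @property
    def exposure(self) -> int:
        """Simple likelihood x impact score used for ranking."""
        return self.likelihood * self.impact


# Constructed sample register (hypothetical assets and scores).
REGISTER = [
    Risk("R1", "ERP", True, 4, 5),
    Risk("R2", "Marketing site", False, 2, 1),
    Risk("R3", "Payment gateway", True, 3, 5),
    Risk("R4", "Intranet wiki", False, 2, 1),
    Risk("R5", "OT maintenance system", True, 4, 4),
    Risk("R6", "Test environment", False, 3, 1),
    Risk("R7", "HR system", True, 1, 2),
    Risk("R8", "Mail gateway", True, 2, 3),
    Risk("R9", "Printer fleet", False, 2, 1),
    Risk("R10", "Guest wifi", False, 3, 1),
]


def rank(risks):
    """Order risks so that business-critical assets come first, then by exposure (highest first)."""
    return sorted(risks, key=lambda r: (r.business_critical, r.exposure), reverse=True)


def pareto_set(risks, share=0.8):
    """Return the leading risks from rank() whose cumulative exposure reaches `share` of the total.

    With a skewed register this is the '80/20' slice: the few risks to address first.
    """
    ordered = rank(risks)
    total = sum(r.exposure for r in ordered)
    chosen, running = [], 0
    for r in ordered:
        if running >= share * total:
            break
        chosen.append(r)
        running += r.exposure
    return chosen


def coverage(chosen, risks):
    """Fraction of total exposure accounted for by the chosen risks."""
    total = sum(r.exposure for r in risks)
    return sum(r.exposure for r in chosen) / total if total else 0.0


if __name__ == "__main__":
    top = pareto_set(REGISTER)
    print(f"{len(top)} of {len(REGISTER)} risks cover {coverage(top, REGISTER):.0%} of exposure:")
    for r in top:
        flag = "critical" if r.business_critical else "non-critical"
        print(f"  {r.risk_id:<4} {r.asset:<24} exposure={r.exposure:<3} ({flag})")
```

On the sample register, four of ten risks (the ERP, OT maintenance system, payment gateway and mail gateway) account for roughly 80% of the total exposure, which is the short list to bring to management first. Putting business-critical assets ahead of raw exposure is a deliberate choice that matches step 1; a register with many low-impact but likely risks would otherwise push non-critical items to the top.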

Automate where it Counts

A modern GRC system (tool support for governance, risk and compliance) not only makes it easier to manage requirements; it also makes it possible to achieve more with fewer resources. So what role should such a system play in your work? According to Per, it should help shift the focus of the work:

- If we zoom out a little, a good rule of thumb is that the system support helps to shift the emphasis of the work, from reactive to proactive security management, says Per.

A good system should make it possible to:

  • Get an overview of risks and assets.
  • Visualize connections between threats, systems and processes.
  • Automate incident management and reporting.
  • Work in a structured way with risk matrices and gap analysis.
  • Track changes, responsibilities and actions.
  • Create ready-made reports for management, auditors or the supervisory authority.

Per also raises the issue of AI functionality:

- A modern system support should also offer AI support. For example, it can suggest risk mitigation measures or analyze trends. AI can summarize complex reports and data collected from different entities, facilitating analysis and follow-up. It can also support deviation management to contribute to a more structured approach.

Management Perspective - from Technology to Business

One of the biggest obstacles to successful work is a lack of management buy-in, and buy-in is necessary to comply with NIS2. To succeed, you need to elevate the discussion from technology to business, Per emphasizes:

- A good piece of advice is to think business risk instead of technology risk. If management doesn't understand how a vulnerability in a maintenance system can knock out revenue streams - then it's your job to communicate that. Show the consequences in business terms, in terms of lost customers, broken contracts, penalties and lost trust.

- Think also about how the message is conveyed. Use the right visualization. Avoid long PDFs. Instead, create clear dashboards for the management team. A simple "red-yellow-green" overview of risk status, action levels and responsibilities provides quick understanding and decision support. Also show how security supports the business. NIS2 is not just a regulatory framework, but a way to build business resilience. Organizations that can cope with crises are stronger. But that requires translating insight into action and putting security at the top of the agenda.

The Price of Inaction

Putting off NIS2 work can be tempting when resources are scarce. But the cost of waiting is often far greater than the initial investment. Without clear procedures for risk management, incident reporting and supplier auditing, exposure increases, both technically and commercially.

- It's not just about the risk of penalties from the regulator. The consequences can also include business disruption, loss of customer relationships, loss of board and shareholder confidence. And in the worst case, it can lead to long-term brand damage. In an era where cybersecurity has become a management issue, inaction is no longer a neutral option. It is a strategic risk, says Per.

Navigate Smart, Lead Strong

Succeeding with NIS2 is therefore not about having unlimited resources. It is about focusing where it makes the most difference: delivering trust, structure and governance, and, not least, using tools that help you take control.

- The CISO's most important task ahead? To prioritize smartly, automate correctly, and lead the way for the entire organization, Per concludes.

Roadmap for NIS2

  • Identify business-critical assets
  • Conduct risk and gap analysis
  • Update processes and documents
  • Allocate responsibilities and anchor them with management
  • Implement systematic follow-up and automation

Want to read more about how to create a roadmap for NIS2? Then we recommend this article: Get your Organization Ready for NIS2 - a Practical Roadmap