NIS2 for beginners, what is it, really?

By Michal Lampe Sørensen · 6 min read · 18 May 2026

TL;DR

NIS2 is a new EU cybersecurity law. It requires companies in certain sectors to document that they take security seriously, with policies, MFA, backup, and incident handling. If you break the rules, fines can reach 10 million EUR. The law is already in force. If you have more than 50 employees in a critical sector, or you supply a large customer, you probably need to do something.

What is NIS2, in one sentence?

NIS2 is an EU law that requires companies in specific sectors to protect themselves against cyberattacks and prove they're doing it.

That's it. The rest is detail.

Why is it called NIS2?

The name comes from Network and Information Systems Directive, version 2.

  • NIS1 (2016): First version. Too soft. Covered too few sectors.
  • NIS2 (2024-2025): Stricter requirements. More sectors. Real fines.

In practice: if your company is hit by a cyberattack and you can't document that you had basic security in place, the authorities can fine you. ON TOP of what the attack itself cost you.

Why should we care?

Three concrete reasons:

1. Fines of up to 10 million EUR

For the most critical entities. Less critical ones can still face up to 7 million EUR. These aren't a fraction of revenue; they're real numbers that can sink smaller companies.

2. Management liability is new

NIS2 makes leadership personally liable. If the board or executive team hasn't ensured the company follows the rules, they can be on the hook. Previously you could blame IT; you can't anymore.

3. Your customers require it

Even if you're not directly in scope, large customers will require you to meet NIS2-equivalent standards. If you sell anything to a bank, a municipality, or a large manufacturer, security questions will land in your next contract negotiation.

This isn't theoretical. The supervisory authorities have the resources to enforce, and the legal basis for fines is active.

Are we even in scope?

Let's keep it simple. You are likely in scope if BOTH apply:

A) You operate in one of these sectors

  • Healthcare (clinics, hospitals, laboratories)
  • Banking and finance (primarily under DORA, not NIS2)
  • Energy, water, transport, telecommunications
  • Public administration (municipalities, regions)
  • Digital infrastructure (cloud, datacentres, DNS)
  • Food (production, distribution)
  • Manufacturing (medical devices, electronics, vehicles)
  • Postal and courier services
  • Waste management
  • Research

B) You are above the size threshold

At least 50 employees, OR at least 10 million EUR in annual revenue or balance sheet total.

Both A and B? Then you're almost certainly in scope. Read on.

What if we're small?

Under 50 employees in an annex sector → you are formally not in scope.

BUT two exceptions can still pull you in:

  • You are the sole provider of a critical service in Denmark → in scope regardless of size
  • You supply an in-scope customer → the customer requires NIS2-equivalent security in your contract

The practical burden ends up the same, just via contract instead of direct legal obligation.

What do we actually need to do?

NIS2 lists 10 things you need to have in order. Translated into everyday language:

The fundamentals (requirements 1-4)

1. Write down your security policies

Not just "we take security seriously". Concrete documents, approved by leadership, updated regularly.

2. Have a plan for when things go wrong

Who do you call at 3 AM if you're hit by ransomware? It needs to be written down somewhere.

3. Backup that actually works

It is NOT backup if you've never restored from it. Test at least twice a year.

4. Hold your suppliers to a standard

IT suppliers also need to follow security rules. Put it in your contracts.

The practical side (requirements 5-10)

5. Secure development

Do you build software yourself? It needs to be developed securely. Most SMBs don't build their own, so you can skip this.

6. Measure whether security works

Not just "we have antivirus". Run an assessment at least annually. Compliance Manager in Microsoft 365 can help.

7. Train your employees

Phishing is the most common attack vector. Quarterly simulations are best practice.

8. Encrypt your data

On devices (BitLocker) and in transit (TLS / email encryption).

9. Control who has access to what

Former employees should lose access the day after they leave. Access reviews at least every six months.

10. Use MFA on every account

Passwords alone aren't enough in 2026. Conditional Access gives you granular control.

Most important takeaway: NIS2 doesn't require you to be at 100% on everything. What matters is being able to DOCUMENT that you've taken appropriate measures. Paperwork matters as much as technology.

What's the next step?

If you're thinking "OK, we should probably look into this," here's what you do:

Within the next 30 days

  • Check if you're in scope (read the scope guide)
  • Get a security overview: do you have MFA on every account? Backup that's been tested? A written policy?
  • Put a leadership meeting in the calendar. NIS2 needs to be anchored in management, not just IT

Within the next 90 days

  • Run a gap analysis: what's missing compared to the requirements?
  • Decide on your Microsoft 365 licence. Business Premium covers about 80% of the requirements for SMBs. Read the licence decision matrix
  • Get a lawyer or compliance consultant to do a formal assessment; it's cheaper than assuming wrong

Want to go deep?

Our free whitepaper maps all 10 NIS2 requirements to concrete Microsoft 365 features and audit documentation: The full Article 21 mapping.

Don't panic, but don't ignore it either. NIS2 is a gradual process: start with the basics (MFA, backup, policies) and build from there.

Ready to see which Microsoft 365 licence you need?

Our plan overview shows which licences cover the NIS2 capabilities.

Frequently asked questions

When does NIS2 take effect?

The EU directive was supposed to be transposed into national law by 17 October 2024. The Danish NIS2 law took effect on 1 July 2025, the registration deadline was 1 October 2025, and supervision has been active since early 2026. Fines can be issued now; this is no longer something "coming" in the future.

Our company is small, are we really in scope?

If you have under 50 employees and less than 10 million EUR in revenue, as a rule you are NOT directly in scope. But there are exceptions (e.g. if you're the sole provider of a critical service). Plus: if you supply anything at all to a larger customer that's in scope, they'll require NIS2-equivalent security from you in your contracts. So the practical burden can still hit you.

What's the difference between NIS2 and GDPR?

GDPR protects personal data and citizens' privacy. NIS2 ensures your IT systems can withstand cyberattacks and keep operations running. They overlap technically (both require strong access controls, for instance), but they're two different regulations enforced by different authorities. GDPR is enforced by the Danish Data Protection Agency (Datatilsynet); NIS2 is enforced sector by sector, coordinated by the Danish Agency for Civil Protection (SAMSIK), with the Centre for Cybersecurity (CFCS) acting as national CSIRT and technical advisor.