NIS2 is not about paragraphs but about capability
NIS2 is no longer something on the distant horizon. The directive is already in force in Sweden and is reshaping how organisations need to work with governance, risk management and reporting in their day-to-day operations.
At the same time, there is a clear gap between understanding the requirements on paper and actually building the capabilities needed. Where NIS2 sets out what must be in place, the practical question becomes how technology, processes and people are combined into a security operation that functions around the clock.
When that piece of the puzzle falls into place, NIS2 becomes less of a legal exercise and more of an engine for operational cyber resilience.

From IT challenge to business-critical issue
In a short space of time, cyber security has moved from being seen as a technical support function to becoming one of the most business-critical issues at leadership level. Cyber is no longer just an IT problem but a strategic matter that affects trust, business and relationships across the entire value chain.
NIS2 reinforces this development. The directive’s requirements emphasise the responsibility of the leadership to understand, approve and follow up on cyber security measures. It is not just about delegating security to IT, but about making cyber security an integrated part of governance, risk and compliance. For many organisations, this is exactly where the real challenge begins. Policies and documents can often be put in place relatively quickly, but turning them into a living operational capability demands more.
SOC as a practical bridge between requirements and day-to-day operations
A modern Security Operations Centre (SOC) is in practice the bridge that connects NIS2 requirements with day-to-day operations. An SOC is not a single product, but a way of orchestrating how threats are detected, analysed and handled.
Rather than starting with the technology stack, it is more effective to begin with three fundamental questions. What level of detection and response is required, based on the organisation’s risk profile and interpretation of NIS2? What resources already exist in-house in terms of time, competence and processes? And which parts need to be strengthened through collaboration with an external partner to close the gap between requirements and actual capability?
A key insight is that a genuine SOC capability in most cases only starts once the organisation has centralised logging and visibility across the entire environment, not just in individual endpoints. It is at that level that incident handling becomes systematic, traceable and possible to measure against the requirements for continuous monitoring and management in NIS2.
For many organisations, the next strategic question is how the SOC should be organised. Experience shows that it is rarely economically viable for organisations below a certain size to build their own 24/7 SOC with all the necessary expertise, particularly if they want to reach a higher level of maturity.
Nordic and European collaborations therefore gain an important role. By combining local advisory and technical competence with established European cyber defence capabilities, it becomes possible to reduce both risk and complexity through managed security services.
Start where you are – but build for maturity
A common reason why SOC initiatives drag on is that the ambition is too high from the outset. If the starting point is a large platform project with lengthy implementation plans, everything risks getting stuck in pre-studies and requirement lists, while the threat landscape continues to evolve.
There are other paths. In one concrete customer case, a large organisation had left an attractive offer from a global supplier in a drawer for a year. The need was obvious, but the time and resources required to deliver a major project were missing. By radically simplifying the set-up, the solution could be designed so that the customer only needed to set aside a few hours and still get an initial set of use cases into production.
This way of working points to a more sustainable model for NIS2-related security. A model where you start with the most important log sources and the most relevant scenarios, and choose a platform and a partner that can grow with your maturity. The focus shifts from designing the perfect end state to creating early value, establishing measurability and building from there.
Expectation management thus becomes a key issue. The organisation needs a shared answer to why it is investing in an SOC, what level of ambition is realistic initially, what internal effort is required during implementation and how the ongoing collaboration with a partner should work.
Awareness as an operational security capability
Many organisations already work with security training and phishing simulations. The key question is which purpose dominates. Is the programme mainly about fulfilling formal training requirements, or is it actively used to strengthen operational security capability?
In practice, most technical security solutions today are very good at generating logs that can strengthen a SIEM or SOC. The resource that is often overlooked is the employees themselves. Many forget that reports submitted by attentive users can become a highly valuable log source, provided they are captured and handled in the right way.
An effective awareness programme therefore needs to be seen as part of the incident chain rather than a standalone training initiative. Employees must have simple tools for reporting suspicious emails. There must be a function that quickly analyses and provides feedback, both to determine whether something is a real threat and to maintain the motivation to keep reporting. The organisation also needs to use reported phishing as input to strengthen detection rules and share concrete lessons back into the business.
When awareness is connected to the SOC in this way, a two-way flow emerges. The SOC strengthens its situational picture through human signals. Employees are strengthened in their role through rapid and clear feedback. In several Nordic environments, specialised phishing set-ups are used, where user reports are analysed, fed back and, when necessary, escalated to the security function or an external SOC partner.
The result is that awareness is no longer about producing polished training reports, but about building a concrete capability to see and handle attackers where many attacks in fact begin – in the inbox.
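The loop described above (capture the user report, analyse it, feed back a verdict, correlate with other signals and turn repeated indicators into detection input) is easiest to see as a small pipeline. The script below is an added example written for this article; it is not code from the article's author or from any product mentioned. All data in it is constructed: the organisation domain, the allowlist of known-safe senders, the user reports, the mail-gateway log lines and the lookalike domains are assumptions made for illustration, as is the threshold of two independent reports before an indicator becomes a rule candidate.

```python
"""
User phishing reports as a SOC log source (example, constructed data):
1. normalise each report into a structured event with indicators,
2. give the reporter a quick verdict (feedback loop),
3. correlate with mail-gateway logs to find recipients who did not report,
4. turn indicators seen in several reports into detection-rule candidates.
"""
import json
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.org"                   # assumed organisation domain
KNOWN_SAFE_SENDERS = {"it-notify@example.org"}    # assumed allowlist maintained by IT
RULE_THRESHOLD = 2   # indicator must appear in this many suspicious reports

# Constructed reports submitted through a "report phishing" button
USER_REPORTS = [
    {"ts": "2024-03-04T08:12:00Z", "reporter": "anna@example.org",
     "sender": "payroll@examp1e-org.com", "subject": "Updated salary statement",
     "body": "Please review at https://docs-examp1e.net/login?u=anna"},
    {"ts": "2024-03-04T08:15:30Z", "reporter": "bo@example.org",
     "sender": "payroll@examp1e-org.com", "subject": "Updated salary statement",
     "body": "Please review at https://docs-examp1e.net/login?u=bo"},
    {"ts": "2024-03-04T09:02:10Z", "reporter": "cia@example.org",
     "sender": "it-notify@example.org", "subject": "Scheduled maintenance",
     "body": "Systems down Saturday, details at https://intranet.example.org/maint"},
]

# Constructed mail-gateway delivery log, one line per delivered message
GATEWAY_LOG = """\
2024-03-04T08:11:50Z sender=payroll@examp1e-org.com rcpt=anna@example.org msgid=m1
2024-03-04T08:11:51Z sender=payroll@examp1e-org.com rcpt=bo@example.org msgid=m2
2024-03-04T08:11:52Z sender=payroll@examp1e-org.com rcpt=dan@example.org msgid=m3
2024-03-04T08:11:53Z sender=payroll@examp1e-org.com rcpt=eva@example.org msgid=m4
2024-03-04T09:01:00Z sender=it-notify@example.org rcpt=cia@example.org msgid=m5
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
GW_RE = re.compile(r"^(?P<ts>\S+) sender=(?P<sender>\S+) rcpt=(?P<rcpt>\S+) msgid=(?P<msgid>\S+)$")


def normalise(report):
    """Turn a raw user report into a structured SOC event carrying its indicators."""
    sender_domain = report["sender"].split("@")[-1].lower()
    hosts = {urlparse(u).hostname for u in URL_RE.findall(report["body"])}
    url_hosts = sorted(h.lower() for h in hosts if h)
    return {"source": "user_phish_report", "ts": report["ts"],
            "reporter": report["reporter"], "sender": report["sender"],
            "sender_domain": sender_domain, "url_hosts": url_hosts,
            "indicators": {sender_domain, *url_hosts}}


def triage(event):
    """Quick verdict returned to the reporter; 'review' and 'suspicious' go to an analyst."""
    if event["sender"].lower() in KNOWN_SAFE_SENDERS:
        return "benign"
    if event["sender_domain"] == INTERNAL_DOMAIN:
        return "review"          # internal but not allowlisted: analyst confirms
    return "suspicious"


def parse_gateway_log(text):
    """Parse the constructed gateway format into dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in map(GW_RE.match, text.splitlines()) if m]


def correlate(events, gateway_entries):
    """For each suspicious sender, list recipients who received it but did not report."""
    reporters = defaultdict(set)
    for ev in events:
        if triage(ev) == "suspicious":
            reporters[ev["sender"].lower()].add(ev["reporter"].lower())
    unreported = defaultdict(set)
    for entry in gateway_entries:
        sender, rcpt = entry["sender"].lower(), entry["rcpt"].lower()
        if sender in reporters and rcpt not in reporters[sender]:
            unreported[sender].add(rcpt)
    return {s: sorted(r) for s, r in unreported.items()}


def rule_candidates(events):
    """Indicators reported by enough different users become detection-rule input."""
    counts = Counter()
    for ev in events:
        if triage(ev) == "suspicious":
            counts.update(ev["indicators"])   # each indicator counted once per report
    return [{"indicator": ind, "reports": n, "action": "alert"}
            for ind, n in sorted(counts.items()) if n >= RULE_THRESHOLD]


def run_pipeline(reports=USER_REPORTS, gateway_log=GATEWAY_LOG):
    """Full loop: feedback to reporters, follow-up list for the SOC, rule candidates."""
    events = [normalise(r) for r in reports]
    return {"feedback": {ev["reporter"]: triage(ev) for ev in events},
            "follow_up": correlate(events, parse_gateway_log(gateway_log)),
            "rules": rule_candidates(events)}


if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

On the constructed data the two payroll reports give the SOC two recipients who received the same message but did not report it, and two indicators (the sending domain and the link host) that have crossed the threshold and can be handed to the detection team. The benign internal report still gets an immediate verdict back, which is what keeps people reporting.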
Test, exercise and make the value visible
To know whether your detection capability really holds up, you need more than dashboards. Organisations need to regularly test both the technical safeguards and the human processes. Penetration tests provide answers to where the layers of defence are weak and how attackers can get in. Practical exercises of incident flows show how quickly and how well-coordinated the organisation acts when something actually happens.
A positive side-effect of structured testing is that it becomes easier to demonstrate internally what the security investments actually deliver. When a CIO can show how an SOC detected and handled incidents in connection with a test, confidence in the work and the willingness to continue developing capability both increase. In the same way, the many everyday incidents that are stopped become proof that the organisation is not operating in ignorance, but handling threats at an early stage.
When tests, exercises and day-to-day incidents are woven into a continuous improvement cycle, NIS2 compliance becomes a natural consequence of how the organisation works, rather than a separate project.
European control and data sovereignty
Alongside the technical and procedural requirements of NIS2, another dimension is rapidly growing in importance. Questions about where data is stored, who has technical and legal control and which jurisdiction applies are becoming increasingly critical as geopolitical tensions rise and regulatory frameworks evolve.
Here, the choice of technology stack and partner is crucial. By building SOC and MDR solutions on European technology and with SOC operations based within the EU, it is possible to combine strong detection capability with robust data sovereignty. For organisations in sensitive sectors, solutions can also be deployed entirely on the customer’s premises, where the organisation itself owns the platform and the provider operates it as a managed service.
This offers the flexibility to meet both formal requirements and internal data policies, while taking advantage of the combined expertise of specialised SOC teams.
From compliance to continuous cyber capability
Ultimately, the most important shift in NIS2 work is about a change in perspective. Instead of seeing the directive as a checklist of obligations, it can be viewed as a framework for what a modern cyber capability should look like.
An SOC that ties together logging, monitoring, incident response and awareness.
Leadership that follows up on real capabilities rather than just documents.
A way of working where tests, incidents and lessons learnt are used to continuously develop detection and response capability.
With the right combination of technical solutions, clear governance and long-term partnerships, organisations can move from viewing NIS2 as a compliance problem to using the directive as a lever for building a robust, practical and sustainable cyber capability in day-to-day operations.
Ready to turn NIS2 requirements into practical cyber resilience? Let’s talk.