NIS2 checklist for Norwegian SMB leaders
A leader-facing NIS2 checklist for Norwegian SMBs, the scope self-test, who owns what, the reporting clock, what to budget, and the board questions to ask.
Here is the NIS2 checklist a Norwegian SMB leader can act on: the decisions only you can make, not the engineering work that follows them.
NIS2 is the EU’s main cybersecurity law for important parts of the economy, Directive (EU) 2022/2555. It is not Norwegian law yet. Norway is in the EEA, so the rule has to be folded into the EEA agreement and then written into a new Norwegian act, and that work is in progress. No Norwegian start date has been set, so treat any specific date you see online as unconfirmed. The law Norway already has, the digitalsikkerhetsloven, in force since 1 October 2025, carries the older NIS1 directive, not NIS2.
The timing is pending, the work is not. The supply-chain pressure is already here, and the items below take months, so start now. For what NIS2 is and who it covers, read our explainer on NIS2 in Norway. This checklist is the next layer down: the leader-level decisions.

1. Run the scope self-test
Write down whether NIS2 reaches you, by sector and by size. Two numbers decide it. You are caught if you operate in a covered sector and hit the medium-enterprise line: 50 or more employees, or more than 10 million euro in turnover or balance sheet total. A few sectors are in regardless of size, so check the sector lists; do not stop at headcount.
Even below that line, a covered customer can push NIS2 duties onto you through the contract (Article 21). So record two answers: are we in direct scope, and which of our customers will pass duties down to us.
2. Decide essential or important, and what it changes
Sort yourself into the right bucket, because it sets how a regulator watches you. Essential entities cover energy, transport, banking, health, water, and digital infrastructure. Important entities cover the next tier: manufacturing, food, chemicals, waste, postal, and digital providers like cloud.
The split mostly changes supervision. Essential entities get checked in advance, important entities get checked after an incident. Both meet the same security and reporting duties, so do not read “important” as “lighter work.”
3. Put the board on the hook in writing
Get the board to formally own cybersecurity risk and minute it (Article 20). NIS2 makes the management body approve and oversee the security measures, and it requires board members to take cybersecurity training so they can judge the risks themselves.
Write a one-page board paper that names the risk owner, points to your risk-management plan, and sets a board training date. Approve it in a minuted meeting that names Article 20. “We leave that to IT” is the answer that fails here.
4. Build the risk-management baseline
Stand up the ten minimum security measures NIS2 lists, or map them to what you already run (Article 21). The list covers risk policies, incident handling, backup and business continuity, supply-chain security, secure development, multi-factor sign-in, encryption, and staff training.
If you run an ISO 27001 system, most of these already exist. Run a gap analysis: the NIS2 measure on one side, your current control on the other. Mark each in place, partial, or missing. The gaps become the work plan, and you can reuse the ISO 27001 work you have done.
5. Get supplier oversight in order
Write down how you manage the security risk from your suppliers, because NIS2 names supply chain as its own measure (Article 21). This is the same duty your covered customers are pushing onto you, so the work cuts both ways.
List your top suppliers by how critical they are to your service. Tag each one, then check the contract for security duties, breach-notification timing, and the right to ask for proof. Cloud platforms and any supplier touching customer data come first.
6. Rebuild the incident clock
Rewrite your incident plan around three deadlines, because NIS2 reporting is measured in hours, not days (Article 23). When a serious incident is confirmed, a covered entity owes:
- An early warning within 24 hours of becoming aware of it.
- A full notification within 72 hours, with a first assessment.
- A final report within one month of that notification.
The 24-hour clock is the operational change with teeth, per the directive’s reporting obligations. Name who decides an incident counts as serious enough to report, and rehearse the flow end-to-end with the people who will be on call at three in the morning. If your runbook still counts in days, fix it this week.
7. Name one owner per duty
Give every obligation a single internal owner and put it in a short scope memo. Scope, board paper, risk baseline, supplier review, and incident plan each need a name against them, not a committee.
The memo is the decision record. It says whether NIS2 reaches you, who owns each duty, and the dates they are due. An auditor, or a customer’s questionnaire, asks for exactly this first.
8. Budget the work honestly
Set a budget across three lines: internal people-time, any tooling you are missing, and outside advisory or audit help. Most of the cost for an SMB is people-time to write, implement, and evidence the measures, not new software.
Plan the spend over two to three quarters, not one. In typical reviews the technical basics are already in place and the missing pieces are documentation and the incident flow, which take longer to build than to buy.
9. Ask the board these questions this quarter
Bring four questions to the next board meeting, and get a yes or no on each:
- Are we in direct scope, and which customers will pass NIS2 duties to us through contracts?
- Who owns each NIS2 duty, by name, with a date?
- Can we send a 24-hour early warning today, with the people we have on call?
- What is the budget, across people-time, tooling, and outside help?
Four answers, written down, are the whole leader-level decision. Everything operational follows from them.
Next action
Talk to our compliance practice for a NIS2 readiness review: a scope conclusion you can defend, a gap list against the Article 21 measures, and a rehearsed 24-hour reporting flow. We work alongside your team so the result is one you can run on your own.
FAQ
Are we in scope of NIS2 as an SMB?
You are likely in direct scope if you operate in a covered sector and have 50 or more employees or more than 10 million euro in turnover or balance sheet total, per the size thresholds. A few sectors are in regardless of size. Below that line, a covered customer can still pass NIS2 duties to you through your contract (Article 21), so confirm against the sector lists in Directive (EU) 2022/2555 and write the conclusion down.
When does NIS2 apply in Norway?
No date is set. Norway is in the EEA, so NIS2 has to be incorporated into the EEA agreement and then written into a new Norwegian law before it applies here, and that process is in progress. Treat any specific Norwegian date you see online as unconfirmed until the government announces one. The supply-chain pressure does not wait for the date, so prepare now.
How fast must we report an incident?
Three deadlines under Article 23: an early warning within 24 hours of becoming aware of a serious incident, a full notification within 72 hours with a first assessment, and a final report within one month of that notification, per the directive’s reporting obligations. If the incident is still open at one month, you send a progress report instead and the final report follows once it is resolved.
Can we reuse our ISO 27001 work for NIS2?
Yes, a large share carries over. The Article 21 measures (risk management, incident handling, supply-chain security, business continuity, leadership accountability) are the same things an ISO 27001 system already produces with evidence. Map your existing controls against the NIS2 measures and most of the security work is done. What remains is mostly the specific incident-reporting clock and the board’s named accountability.
What does the board have to do?
Own it in writing. NIS2 makes the management body approve and oversee the security measures and take cybersecurity training (Article 20). In practice the board names a risk owner, approves the risk-management plan in a minuted meeting, sets a training date, and re-approves at least once a year and after any serious incident.
How is NIS2 different from the digitalsikkerhetsloven?
The digitalsikkerhetsloven, in force since 1 October 2025, carries the older NIS1 directive, not NIS2. It is not the Norwegian version of NIS2. The government has said NIS2 will arrive through a separate, broader law later, so the current act is a related predecessor rather than the same rule.