# How Nordic SMBs prepare for NIS2

> Practical compliance steps for the new EU directive, what to do this quarter, and what can wait.

Source: https://fmcybersecurity.com/en/insights/compliance/nis2-prep/
Locale: English
Other locale: https://fmcybersecurity.com/insights/compliance/slik-forbereder-norske-smber-seg-pa-nis2/

## Metadata

- Date: 2026-04-22
- Author: johan-vorgaard
- Topic: compliance
- Format: guide

NIS2 widens the scope of "essential" and "important" entities and tightens incident-reporting timelines. Most Nordic SMBs we talk to are unsure whether they're in scope. Here's a practical sequence.

## 1. Confirm scope first

Before you spend a single hour on controls, confirm whether the directive applies to your sector and headcount. The criteria changed; many businesses that fell outside the scope of NIS1 are inside NIS2.

## 2. Map current state to Annex I

Annex I is your control library. Run a gap analysis. Most ISO 27001-aligned organisations are 60-70% of the way there.

## 3. Get the incident playbook right

The 24-hour early-warning obligation is the operational change with real teeth. If your IR runbook still works on a timescale of days, fix that first.

## 4. Document, don't perform

Auditors want evidence of *operating* controls, not glossy policies. Build documentation as a byproduct of the work, not a separate workstream.

> If you only do one thing this quarter: rehearse your 24-hour notification flow end-to-end, with the actual people who'll be on call.

---

For the full documentation index, see https://fmcybersecurity.com/llms.txt
For the complete corpus as a single document, see https://fmcybersecurity.com/llms-full.txt
