Everything you need to know about the Digital Security Act (DSA) and NIS2

There are several factors that need to be considered to determine whether a business is covered by NIS2 or not, and if in doubt it is best to contact professionals. If your business identifies with one or more of the points below, you are probably covered by the NIS2 directive:

• Have 50 or more employees.

• Has a turnover of more than 10 million euros.

• Operates in one of the 18 sectors that the NIS Directive has defined as critical or important.

• Is considered an "essential entity".

• Is considered an "important entity".

• Is the sole provider of a service that is important to society or the economy (sole provider).

• Provides services where disruptions may affect public safety, security or public health.

• Provides services where disruptions can result in high systemic risk, for example across national borders.

• Has a critical role at a national or regional level in its sector or in interdependent sectors.

NIS 2 identifies 11 sectors that are critical to societal and economic activities. Companies within these sectors are covered by the directive regardless of size if they provide essential services:

1. Energy - Electricity (utilities, system operators, manufacturers), district heating/district cooling, oil (pipelines, production, storage), gas (supply, system operators), hydrogen (production, storage, transmission)
2. Transportation - Aviation, rail, water (sea, coastal and inland), road
3. Banking - Credit institutions
4. Financial market infrastructures - Operators of trading venues and central counterparties (CCPs)
5. Healthcare - Healthcare providers, EU reference laboratories, research and development of medical products, manufacturers of basic pharmaceutical products and critical medical devices
6. Drinking water - Suppliers and distributors of water for human consumption
7. Wastewater - Enterprises that collect, dispose of or treat urban, domestic or industrial wastewater
8. Digital infrastructure - Internet Exchange Point (IXP) providers, DNS service providers, TLD name registries, cloud service providers, data center service providers, CDN providers, trusted services, public electronic communications networks/services
9. ICT service management (B2B) - Managed Service Providers (MSP), Managed Security Service Providers (MSSP)
10. Public administration - Public administration units at central and regional level
11. Space business - Operators of ground-based infrastructure supporting space-based services

1. Postal and courier services: Suppliers of postal and courier services
2. Waste management: Enterprises with waste management as their main activity
3. Chemicals: Production, distribution and handling of chemical substances/products
4. Food: Wholesale distribution and industrial production/processing of food products
5. Manufacturing of certain goods: Manufacture of medical equipment, ICT equipment, electrical equipment, machinery and transportation equipment
6. Digital providers: E-commerce platforms, web search engines, social networking services
7. Research: Research organizations

The NIS directive sets requirements forgovernance, risk management, incident management, supplier management and reporting. Are you unsure if your business meets the requirements? Or would you like guidance on what you need to change to ensure proper compliance? Then it's a good idea to start with a gap analysis.

It will give you answers to what is needed to close the gap between the current situation in your business and the requirements of the NIS Directive.

A smart place to start is to conduct a gap analysis. It will give you answers to what is needed to close the gap between the current situation in your business and the requirements of the NIS directive.

Read more about what a gap analysis is and how we at Netsecurity work with gap analyses here.

NIS2 may not apply to you - but the consequences do :

As security tightens around you, you become the weakest link

Threat actors no longer care about who you are - they care about where it's easiest to get in. As more and more businesses begin to comply with NIS2 and implement the requirements of the Digital Security Act, their level of security will increase significantly. This means that attackers will increasingly turn their attention to those who haven't done their job.

Even if your business is not formally covered by the Digital Security Act (NIS2), the Act sets a new standard for what is considered good digital security. By following the principles and requirements of the Act - such as risk management, emergency preparedness and incident response - you'll strengthen both your business resilience and the trust of your customers and partners. Many larger players will also require suppliers and partners to follow a similar level of security, giving you a stronger position in future tenders and deliveries .

It is advisable to assess whether your suppliers are subject to the law/directive, as suppliers are obliged to set requirements in their supply chain (Article 21 2d) .

Information security standards such as ISO/IEC 27001 can be a good step towards meeting the requirements of the Digital Security Act and NIS 2, but it is important to point out that the standard itself is not sufficient and therefore does not guarantee compliance. Netsecurity's recommendation is to map the relevant information security standard against the legislation. Here you should look at the requirements of the information security standard and compare this with the requirements of the legislation in order to identify gaps and supplement with necessary measures.

If a company wants to certify against an information security standard, compliance with applicable laws and regulatory requirements, such as the Digital Security Act in Norway or the NIS2 Directive, will be necessary, since many standards explicitly include such requirements.

However, it is important to understand that the standards also impose additional requirements beyond the legislation. Laws and directives therefore do not act as a minimum level of certification - it is not enough to simply follow the law to achieve formal certification.

A key principle in both the guidance and legislation relating to the scope of NIS2 is that when a business provides services within a sector covered by the NIS2 Directive, the requirements apply to the whole business, not just the part that provides the service.

This means that if the main entity (e.g. an ASA company registered in Norway or Denmark) is covered by the directive, either as a significant or important entity, the NIS2 requirements must be implemented across the entire organization (based on the company's legal entity, i.e. the VAT number).

NIS2 imposes requirements on all network and information systems that the company uses in its operations or to deliver its services .

This includes:

• All hardware (IT, medical devices, OT/industrial control systems )

• All data

• All suppliers and third-party deliveries

Even if only some of the systems are directly related to the service covered by the directive, the requirements apply to all systems that support the company's operations or service delivery.

For companies with operations outside the EU/EEA, this means that systems and locations outside Europe may also be covered. If an IT system in Asia or a production facility in South America is required to operate or support the delivery of a NIS2 relevant service in the EU, the security of these systems and locations must meet the NIS2 requirements.