NIS2 Operational legal requirements for companies that are critical to society.
Description
NIS2 companies need to follow international best practice and establish a Zero Trust approach across IT, OT and the organization (deny by default, allow-list, and grant access only based on actual need).
Example: access control needs to be in place for all services, along with hardening of configuration (applications, services, servers, clients), patching, encryption, key management, documentation of the baseline ("know your environment / what is normal"), proper logging, redundancy, BCP/DR (the company should be able to operate when a disruption occurs in society) and incident reporting to MSB (public information) when disruptions or incidents occur.
Non-compliance can result in fines of up to 2% of our global turnover, and C-level management or the Board could be banned from working with NIS2 companies.