Industry reflection

Building resilience through secure communication

This reflection explores how recent EU cybersecurity legislation is reshaping expectations for resilience and accountability. Drawing on our experience in secure communication, we look at how these regulations can drive meaningful improvements in resilience, accountability, and operational continuity. The article is particularly relevant for decision-makers and security professionals navigating NIS2 and CRA implementation.

With the introduction of the NIS2 Directive and the recently adopted Cyber Resilience Act (CRA), organizations operating in the European Union (EU)—especially those delivering critical services—face new demands, responsibilities, and opportunities. These measures are transforming how organizations approach cybersecurity, risk management, and supplier relationships, making resilience a shared responsibility.

Resilience through compliance

The NIS2 Directive is the EU’s updated cybersecurity directive, focused on processes, risk management, and incident reporting. It is about ensuring that the organizations that society depends on can keep delivering—even when things go wrong. As a directive, NIS2 sets objectives that each Member State must transpose into national law. The legal deadline was 17 October 2024, but some countries are still completing transposition, so national enforcement and guidance will roll out as their laws enter into force through 2025.

The CRA governs products with digital elements (hardware and software products) placed on the EU market. It does not cover software provided purely as a service (SaaS). It sets harmonized rules for market placement and binding requirements for secure design and development, vulnerability handling, updates aligned to expected use, and transparency across the product lifecycle.

Unlike a directive, a regulation like CRA applies directly and uniformly across all EU Member States without needing national transposition. The CRA entered into force in 2024, with manufacturers required to apply the rules 36 months after entry into force.

Together, these instruments address both the operational and technological aspects of cybersecurity, aiming to ensure that organizations are resilient and that the products and services they rely on are secure by design—creating a more robust and harmonized cybersecurity ecosystem across the EU.

Traceability is non-negotiable

NIS2 recognizes that incidents are inevitable. While it does not eliminate all incidents, its risk management measures and incident-reporting obligations effectively require organizations to be able to explain, in detail, what happened and to learn from it. Poor traceability can have serious legal and operational consequences.

Organizations should have robust logging and monitoring in place to reconstruct events and demonstrate accountability. In some cases—especially where national security regulations or sectoral laws apply—relevant data may need to be retained for a decade or more. In addition, in-scope entities are expected to comply with national incident reporting rules, typically with an early warning within 24 hours, a more detailed notification within 72 hours, and a final report within one month to the designated competent authority (thresholds and process are set nationally).

Risk-based, proportional security

There has been debate around NIS2’s lack of prescriptive security controls. But that is also its strength: organizations are expected to understand their own risks and address them proportionally. This means allocating resources where they matter most, rather than applying blanket solutions everywhere.

While the directive sets high-level objectives, it does not prevent Member States—and especially their competent authorities—from introducing more detailed requirements during national transposition and enforcement. This layered approach allows for both EU-wide consistency and national specificity.

Importantly, NIS2 targets “essential” and “important” entities across a broad set of sectors, such as energy, transport, banking, health, digital infrastructure, and public administration. By default, NIS2 applies to medium-sized and large organizations in listed sectors, with smaller entities included where justified (e.g., if designated due to criticality or sole-provider status). Supervision is stricter for essential entities than for important entities, and the sanctioning framework allows significant fines: for essential entities, up to €10 million or 2% of global turnover, whichever is higher; for important entities, up to €7 million or 1.4% of global turnover, whichever is higher.

Furthermore, instead of enforcing a fixed checklist, NIS2 outlines ten baseline security areas in Article 21 that every in-scope organization must address, while leaving implementation details to each entity.

These areas include:

  1. Policies on risk analysis and information system security
  2. Incident handling
  3. Business continuity, disaster recovery, and crisis management
  4. Supply chain security, including security aspects in supplier relationships
  5. Security in acquisition, development, and maintenance, including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of security measures
  7. Basic cyber hygiene and cybersecurity training
  8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  9. Human resources security, access control, and asset management
  10. The use of multi-factor or continuous authentication solutions; secured voice, video and text communications; and, where appropriate, secured emergency communication systems

This flexibility allows organizations to tailor their measures to their unique risk landscape, but it also demands a mature approach to risk assessment, prioritization, and documentation. NIS2 also promotes coordinated vulnerability disclosure so that discovered issues are handled and communicated responsibly.

The supplier ripple effect

NIS2 creates a strong business driver: to be a supplier to NIS2-regulated organizations, you must meet their security expectations, including supply-chain security. However, this also brings complexity—customers may interpret and follow up on requirements differently, and you remain accountable for managing risks from your own suppliers that can affect your services.

This ripple effect means that even organizations not directly regulated by NIS2 may need to adapt their practices to remain competitive as suppliers. Effective supplier management and clear contractual requirements will be essential for compliance and continuity.

Measure what matters

NIS2 expects you to have processes in place, and it also expects you to measure how effective those measures are at addressing your risks and improving over time. Regular reviews, audits, testing, and updates to your security posture are necessary to keep pace with evolving threats and supervisory expectations. This ongoing cycle of assessment and enhancement is key to building lasting resilience. Article 21 explicitly requires policies and procedures to assess the effectiveness of your measures, and Article 20 makes management accountable for approving and overseeing them. For example, track multi-factor authentication (MFA) coverage and exceptions, time to deprovision users, remediation timelines for critical vulnerabilities, and incident detection and response times.
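As an added example (not code from the original article), the effectiveness metrics named above computed over constructed identity and vulnerability records in Python; the record fields, the 14-day remediation SLA and the reference time `NOW` are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class User:
    name: str
    mfa_enrolled: bool
    mfa_exception: bool            # documented, management-approved exception
    left_at: Optional[datetime]    # None while still employed
    deprovisioned_at: Optional[datetime]

@dataclass
class Finding:
    finding_id: str
    severity: str
    found_at: datetime
    fixed_at: Optional[datetime]   # None while still open

# Constructed sample records; names, dates and the reference time are hypothetical.
T0 = datetime(2025, 1, 1)
NOW = T0 + timedelta(days=30)
USERS = [
    User("alice", True, False, None, None),
    User("bob", False, True, None, None),                 # approved exception, not a gap
    User("carol", False, False, None, None),              # gap: no MFA, no exception
    User("dave", True, False, T0, T0 + timedelta(hours=30)),
    User("erin", True, False, T0, None),                  # left, account still active
]
FINDINGS = [
    Finding("F-1", "critical", T0, T0 + timedelta(days=5)),
    Finding("F-2", "critical", T0, T0 + timedelta(days=20)),
    Finding("F-3", "high", T0, None),
    Finding("F-4", "critical", T0 + timedelta(days=10), None),
]

def mfa_coverage(users):
    """Share of accounts with MFA, plus accounts lacking MFA without an approved exception."""
    enrolled = sum(1 for u in users if u.mfa_enrolled)
    gaps = [u.name for u in users if not u.mfa_enrolled and not u.mfa_exception]
    return enrolled / len(users), gaps

def deprovision_lag_hours(users, now):
    """Hours from leaving to account removal per leaver; still-active accounts measured up to now."""
    return {u.name: ((u.deprovisioned_at or now) - u.left_at).total_seconds() / 3600
            for u in users if u.left_at is not None}

def critical_findings_over_sla(findings, sla_days, now):
    """Critical findings whose remediation exceeded, or has so far exceeded, the SLA."""
    limit = timedelta(days=sla_days)
    return [f.finding_id for f in findings
            if f.severity == "critical" and (f.fixed_at or now) - f.found_at > limit]
```

Each function returns the figure plus the exceptions behind it, which is what a supervisory review or management report under Article 20 needs rather than a bare percentage.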

CRA raising the bar

The Cyber Resilience Act (CRA) is the EU’s first horizontal regulation mandating cybersecurity for all products with digital elements—from consumer IoT to industrial software. While NIS2 focuses on organizational risk management and reporting, the CRA ensures that the products and components are secure by design and by default.

Key requirements include:

  • Secure-by-design and secure-by-default development practices
  • Free security updates during the defined support period—at least five years, or the product’s expected lifetime where that is shorter and the manufacturer provides justification—delivered separately from feature updates
  • Publication of security advisories once fixes are available
  • Clear, declared support periods and technical documentation maintained over time
  • Vulnerability handling, including coordinated vulnerability disclosure processes
  • Responsibility for third-party components and for “remote data processing” elements integral to the product
  • Mandatory reporting to the EU’s authorities when becoming aware of incidents or actively exploited vulnerabilities affecting the product (initial notification within 24 hours, followed by updates)
  • Conformity assessment and CE marking for market access—with third-party assessment required for certain critical products, depending on their classification under the CRA

The CRA applies broadly to products with digital elements placed on the EU market, with certain exclusions where sectoral legislation applies (e.g., medical devices, aviation, and automotive) and for non-commercial open-source development. Non-compliance can lead to fines of up to €15 million or 2.5% of global annual turnover, whichever is higher.

Sectra’s perspective

At Sectra, we believe the path forward is about transparency, partnership, and continuous improvement. We see NIS2 and the CRA not just as regulatory hurdles, but as catalysts for building resilience—through secure communication, robust processes, and a culture of accountability. By embracing these changes, organizations can not only comply with new regulations but also strengthen their ability to withstand and recover from cyber threats.

From a secure communication perspective, Sectra Tiger/E Managed Service is our response to the growing need for secure collaboration in sensitive but unclassified environments. It combines hardened Samsung Knox devices, a dual-environment architecture, and a quantum-resilient VPN in a service model that strengthens national resilience. By separating two secure zones—one for sensitive collaboration and one for everyday tasks—the platform lets users work securely without losing usability or mobility.

The service is hosted by a Swedish organization dedicated to safeguarding the digital backbone of society, and the secure collaboration platform is built with a security-first mindset that combines usability with privacy. Altogether, the service ensures high availability, end-to-end encrypted communication, strong endpoint security, and an infrastructure designed for national resilience and regulatory compliance.

The solution builds on Sectra’s long-standing experience in developing RESTRICTED, SECRET, and TOP SECRET communication systems. While not intended for classified communication, it brings proven security practices and threat analysis methodology into a robust platform designed for sensitive collaboration.
