The Nordic countries (Denmark, Sweden, Finland, Norway, and Iceland) occupy a distinctive position in the European pharmaceutical landscape. Home to Novo Nordisk, AstraZeneca's Swedish operations, Orion Pharma, and the R&D facilities of dozens of US pharma companies, the region combines world-class research infrastructure with population registries and health data systems that are unmatched globally. What the region has not historically required is a unified cybersecurity compliance framework for its pharmaceutical sector. NIS2 changes that, but not in the uniform way the Directive's architects intended.
1. Why Pharma R&D Falls Within Scope
The original NIS Directive (Directive (EU) 2016/1148) applied to operators of essential services and digital service providers, a scope that captured healthcare providers but largely excluded pharmaceutical R&D operations. NIS2 (Directive (EU) 2022/2555) fundamentally expands the sectoral coverage.[1]
[1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union [2022] OJ L333/80.
Under NIS2 Annex I (Sectors of High Criticality), Sector 5 (Health) now encompasses not only healthcare providers but also EU reference laboratories, entities carrying out research and development activities of medicinal products, entities manufacturing basic pharmaceutical products and pharmaceutical preparations referred to in section C division 21 of NACE Rev. 2, and entities manufacturing medical devices considered critical during a public health emergency.[2] The inclusion of entities conducting R&D of medicinal products (medicinal product as defined in Art. 1(2) of Directive 2001/83/EC) captures a broad range of pharmaceutical operations: any entity performing research or development activities on substances or combinations of substances presented as having properties for treating or preventing disease in human beings, or intended to restore, correct or modify physiological functions, falls within scope.
[2] NIS2 (n 1), Annex I, Sector 5 (Health): healthcare providers; EU reference laboratories (Reg (EU) 2022/2371, art 15); R&D of medicinal products (Dir 2001/83/EC, art 1(2)); manufacturers of basic pharmaceutical products and preparations (NACE Rev. 2, C div. 21); manufacturers of medical devices critical during a public health emergency.
For US pharma companies, the scoping question is entity-based, not activity-based: if a subsidiary or branch in a Nordic NIS2 Member State (Denmark, Finland, or Sweden) conducts R&D of medicinal products, the entity is in scope regardless of whether the parent company's cybersecurity posture meets or exceeds NIS2 requirements. A robust NIST Cybersecurity Framework programme at the US parent level does not satisfy that subsidiary's NIS2 obligations; the requirements are different in structure and specificity, and supervisory jurisdiction runs to the Member State in which the entity is established under the chapeau general rule of Art. 26(1) NIS2. Norwegian and Icelandic establishments fall outside NIS2's direct reach and instead face the Norwegian digitalsikkerhetsloven (NIS1) or Icelandic Act 78/2019 obligations described in s 2 below. The main-establishment test in Art. 26(2) NIS2 is reserved for the closed list of digital service providers under Art. 26(1)(b) (DNS providers, TLD registries, domain-registration entities, cloud computing providers, data-centre providers, content-delivery network providers, managed service providers, managed security service providers, online marketplaces, online search engines, and social networking platforms); it does not apply to pharmaceutical R&D entities. A US pharma group established in more than one Nordic Member State is therefore concurrently under the jurisdiction of each Member State where it has an establishment, with no Art. 26 consolidation option.
The size threshold under Art. 2(1) NIS2, covering medium-sized and large entities as defined by Commission Recommendation 2003/361/EC, appears to filter out smaller operations.[3] Art. 2(2) NIS2 extends the Directive automatically to specified below-threshold entities, including those whose disruption could have a significant impact on public safety, public security or public health (Art. 2(2)(c) NIS2) and entities critical because of their specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State (Art. 2(2)(e) NIS2). Art. 2(5) NIS2 separately permits Member States to extend application to public administration at local level and to education institutions carrying out critical research activities. The identification criteria are not publicly defined in most jurisdictions, and the exercise varies by Nordic country. A 30-person biotech subsidiary running a single clinical programme may assume it falls below the threshold, only to discover that the national competent authority takes a different view of its criticality. The size analysis also drives the essential-versus-important classification under Art. 3 NIS2: large Annex I entities qualify as essential, while medium-sized ones qualify as important, a distinction that determines the applicable penalty tier under Art. 34 NIS2. Entities of types listed in Annex II (Other Critical Sectors), for example certain manufacturing operations, may also fall within scope. The NIS1-to-NIS2 transitional regime sits in Art. 3(1)(g) NIS2 read with the repeal mechanism of Art. 44 NIS2 and the correlation table in Annex III: where a Member State so provides, entities identified before 16 January 2023 as operators of essential services under the original NIS Directive may be carried forward as essential entities under NIS2.
[3] NIS2 (n 1), art 2(1) (medium-sized / large entities under Recommendation 2003/361/EC); art 2(2)(c) and (e) (automatic application to specified below-threshold entities); art 2(5) (Member State option to extend to local public administration and education institutions); art 3(1)(g) + art 44 + Annex III (NIS1-to-NIS2 carry-over).
2. Five Countries, Divergent Implementation Timelines
The NIS2 Directive required Member State transposition by 17 October 2024, with application from 18 October 2024. The Nordic countries did not transpose in unison, and the resulting landscape presents three distinct compliance problems that a company managing "the Nordics" as a single operational region must confront separately.
The first is the timeline fragmentation. Finland enacted a standalone Cybersecurity Act (Kyberturvallisuuslaki 124/2025) that entered force on 8 April 2025, replacing the earlier sectoral cybersecurity regime. Denmark completed transposition with its NIS2 legislation (Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau (NIS 2-loven), LOV nr. 434 af 6 May 2025) entering force on 1 July 2025, approximately eight months after the EU deadline.[4] Sweden, having missed the EU deadline by approximately fifteen months, enacted Cybersäkerhetslag (2025:1506) and Cybersäkerhetsförordning (2025:1507), both of which entered force on 15 January 2026.[5] Norway and Iceland, as EEA EFTA states, remain on the pre-NIS2 framework: NIS2 has not yet been incorporated into the EEA Agreement.
[4] Danish NIS 2-loven (LOV nr. 434 af 6 May 2025), in force 1 July 2025; BEK nr. 620 af 2 June 2025 (distributed sector-responsible model); SAMSIK as horizontal coordinator and registration authority; Sundhedsdatastyrelsen sector-responsible for Health; CFCS as CSIRT. Finnish Kyberturvallisuuslaki 124/2025, in force 8 April 2025; Traficom / NCSC-FI central; Fimea supervises pharma R&D, basic pharma manufacturing, and medical devices.
[5] Swedish Cybersäkerhetslag (2025:1506) and Cybersäkerhetsförordning (2025:1507), in force 15 January 2026; MCF (renamed from MSB on 1 January 2026) central authority; Läkemedelsverket and IVO supervise Health sector under § 7 of 2025:1507 (Läkemedelsverket: pharma/devices/IVDs; IVO: healthcare providers); cf. Francovich (Joined Cases C-6/90 and C-9/90) [1991] ECR I-5357. Norway: digitalsikkerhetsloven (in force 1 October 2025) implements Directive (EU) 2016/1148 (NIS1) under a distributed supervisory model (NSM as CSIRT + residual; NVE/NKOM/Finanstilsynet sector regulators); NIS2 EEA incorporation pending. Iceland: Act No. 78/2019 in force; Fjarskiptastofa as coordinating authority hosting CERT-IS; NIS2 targeted for 1 July 2027.
Norway's in-force Lov om digital sikkerhet (digitalsikkerhetsloven, 1 October 2025) is a formal EEA-mandated transposition of Directive (EU) 2016/1148 (the original 2016 NIS Directive, “NIS1”), enacted after the Joint Committee incorporation of NIS1 into Annex XI of the EEA Agreement; a successor act covering NIS2 and the CER Directive is in preparation, with public consultation expected during 2026 and entry into force unlikely before 2027. Iceland's position differs structurally. Iceland's in-force Act No. 78/2019 on the Security of Network and Information Systems of Critical Infrastructures pre-dates the formal EEA incorporation of NIS1: it was enacted in 2019 as an autonomous Icelandic measure in anticipation of eventual EEA-mandated NIS-Directive alignment, rather than as a post-incorporation transposition under EEA obligation. Substantively, Act 78/2019 aligns with NIS1's risk-management and incident-reporting framework, but its formal legal basis is domestic Icelandic policy rather than an EEA-mandated transposition; full formal NIS-Directive alignment for Iceland will follow the future EEA Joint Committee incorporation of NIS2 plus concurrent Icelandic implementing legislation, with effective application by Icelandic entities not expected before 2027. As of early 2026, a US pharma company operating across the region therefore confronts three substantively different cybersecurity regimes concurrently: NIS2 (Denmark, Finland, Sweden); NIS1 by formal EEA-mandated transposition (Norway); and Iceland's pre-emptive 2019 domestic framework, NIS1-aligned in substance but not anchored in the EEA Agreement (Iceland). The Norway/Iceland distinction matters for which interpretive sources bind national regulators: Norway's NSM is bound by EEA homogeneity obligations on Joint Committee-incorporated NIS1 provisions, whereas Icelandic regulators applying Act 78/2019 derive their interpretive anchor from Icelandic legislative materials.
The second problem is supervisory fragmentation. Each country designates its own competent authorities, and the allocation of supervisory responsibility for pharmaceutical entities differs. Denmark operates a distributed model under bekendtgørelse nr. 620 af 2. juni 2025: Styrelsen for Samfundssikkerhed (SAMSIK) is the horizontal coordinating authority and central registration authority, while sector-responsible supervision over the Health sector (pharmaceutical R&D, basic pharmaceutical manufacturing, medical devices and IVDs) sits with the Danish Health Data Authority (Sundhedsdatastyrelsen); the Center for Cybersikkerhed (CFCS) operates as the national Computer Security Incident Response Team (CSIRT). Sweden's Cybersäkerhetsförordning 2025:1507 designates Myndigheten för civilt försvar (MCF, the agency renamed from MSB on 1 January 2026) as the central coordinating authority, with Läkemedelsverket as the sector-specific supervisor for pharmaceutical entities, medical devices and in vitro diagnostic medical devices (IVDs), and Inspektionen för vård och omsorg (IVO) as supervisor for healthcare providers. Finland operates a decentralised model in which Traficom and the National Cyber Security Centre Finland (NCSC-FI) are the central coordinating authority and CSIRT, while Fimea (Lääkealan turvallisuus- ja kehittämiskeskus / Finnish Medicines Agency) supervises entities engaged in pharmaceutical R&D, manufacturing of basic pharmaceutical products and preparations, and medical devices. Norway's NIS1 supervision is distributed under digitalsikkerhetsloven: Nasjonal sikkerhetsmyndighet (NSM) operates the national CSIRT and EEA single point of contact and acts as residual supervisor for entities outside any designated sector regulator, while sector regulators (NVE for energy, NKOM for electronic communications, Finanstilsynet for finance, and others) supervise within their respective sectors; Iceland's CERT-IS operates within Fjarskiptastofa, which Act No. 78/2019 also designates as the national coordinating authority and EEA single point of contact for the NIS framework. A pharma company operating across the region answers to a different authority in each country, each with its own mandate, interpretive tradition, and enforcement appetite.
The third problem is the residual transitional uncertainty. Sweden's late transposition opened a gap window of approximately fifteen months between the EU application date (18 October 2024) and Swedish entry into force (15 January 2026). Two settled principles frame that window. A directive cannot of itself impose obligations on a private party, and a Member State may not rely on an untransposed directive against an individual (Case 80/86 Kolpinghuis Nijmegen), so retrospective enforcement of NIS2 obligations against a Swedish entity for the gap period looks foreclosed. Separately, the Francovich doctrine establishes Member State liability towards persons who suffer loss because a directive was not transposed in time. Whether the Swedish gap could actually be relied on in such Member-State-liability proceedings, for example by a person harmed by an incident at an entity that would have been in scope, has no settled answer in either CJEU jurisprudence or Swedish national law. Norway's NIS2 picture remains live: until the EEA Joint Committee decision and subsequent Norwegian implementing act take effect, Norway operates under NIS1 obligations only, and whether a pan-Nordic pharma group voluntarily adopts NIS2-equivalent measures at its Norwegian establishment is a compliance-strategy question rather than a legal obligation. Iceland's longer transposition timetable extends that uncertainty further.
A US pharma company managing Nordic R&D as a single operational region will discover that 'the Nordics' is not a single compliance jurisdiction. It is five countries under three regimes: NIS2 (Denmark, Finland, Sweden), NIS1 (Norway), and Iceland's pre-EEA domestic framework.
3. What NIS2 Requires: The Cybersecurity Risk Management Obligations
Art. 21(2) NIS2 imposes ten categories of cybersecurity risk-management measures based on an all-hazards approach to protecting network and information systems and the physical environment of those systems. The categories span risk analysis and information system security policies; incident handling; business continuity, including backup management and disaster recovery, and crisis management; supply chain security, including security-related aspects of relationships with direct suppliers; security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of those measures; basic cyber-hygiene practices and cybersecurity training; policies and procedures on cryptography and, where appropriate, encryption; human resources security, access control policies and asset management; and multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate.[6] The breadth of the requirements is significant but not, in itself, the compliance problem. Many pharmaceutical companies operate under NIST CSF or ISO 27001 frameworks that appear to cover the same ground.
[6] NIS2 (n 1), art 21(2)(a)–(j) (cybersecurity risk-management measures, all-hazards approach): (a) risk-analysis and information-system-security policies; (b) incident handling; (c) business continuity, incl. backup, disaster recovery, crisis management; (d) supply chain security, incl. direct suppliers; (e) acquisition, development and maintenance of NIS, incl. vulnerability handling; (f) policies to assess effectiveness; (g) basic cyber hygiene and training; (h) cryptography and, where appropriate, encryption; (i) HR security, access-control policies, asset management; (j) MFA / continuous authentication, secured comms.
The mapping exercise, aligning an existing NIST CSF programme with NIS2's Art. 21 categories, looks like a straightforward gap analysis. Applied to the specific requirements, it initially appears manageable: NIST CSF's "Respond" function maps to NIS2's incident handling obligation, ISO 27001's Annex A controls cover access management and cryptography, and existing business continuity plans address the resilience requirements.
But the mapping breaks down at precisely the points that matter most for pharmaceutical operations. NIS2's obligations are outcome-based rather than prescriptive: the Directive specifies risk domains without mandating specific technical controls. This means that the adequacy of any particular implementation will be assessed retrospectively by supervisory authorities, potentially with the benefit of hindsight after an incident has occurred. An ISO 27001 certification demonstrates conformity with the ISO standard; it does not demonstrate conformity with NIS2, because NIS2 itself does not reference ISO 27001 as a basis for presumption of conformity. Art. 24 NIS2 lets Member States require essential and important entities to use ICT products, services and processes certified under a European cybersecurity certification scheme adopted under Regulation (EU) 2019/881, and empowers the Commission, by delegated act, to specify which categories of entities must do so; but no such scheme covering the Health sector has been designated as of early 2026. The company that treats its existing certification as proof of NIS2 compliance may discover, during enforcement, that the supervisory authority disagrees, and the burden of demonstrating adequacy falls on the entity, not on the certifier.
The mismatch is sharpest for GxP computerised systems. Laboratory information management systems (LIMS), manufacturing execution systems (MES) and electronic data capture (EDC) platforms are simultaneously subject to GxP computerised-system rules (EU GMP Annex 11 for manufacturing and laboratory systems; for EDC, EMA's 2023 guideline on computerised systems and electronic data in clinical trials under GCP) and to NIS2, and the two frameworks pull in different directions. Annex 11 does address data storage and backup, security, and business continuity (its sections 7, 12 and 16), but its centre of gravity is data integrity and maintaining a validated state; NIS2 is built around incident handling, reporting against fixed clocks, and resilience. A system that is fully GMP-validated may nonetheless lack the incident-response procedures and business-continuity capabilities that NIS2 requires, and a system architected for NIS2 resilience may rely on operational patterns (rapid patching, failover to redundant nodes) that validated environments treat as change-control events requiring impact assessment and, potentially, revalidation.
4. Clinical Data and the 24-Hour Incident Reporting Obligation
Art. 23 NIS2 imposes a multi-stage incident reporting obligation that is significantly more demanding than most pharmaceutical companies' existing breach notification procedures. A "significant incident" is defined in Art. 23(3) NIS2 as one that has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. The definition is disjunctive and forward-looking: both "is capable of causing" and "is capable of affecting" appear in the operative text, so an incident need not have materialised harm to be reportable.
The reporting cadence runs from awareness, not from incident occurrence. Within 24 hours of becoming aware of a significant incident, the entity must submit an early warning to the relevant CSIRT or competent authority, indicating where applicable whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact; within 72 hours of becoming aware, an incident notification must follow that updates the early warning and gives an initial assessment of the incident's severity and impact and, where available, indicators of compromise; and a final report is due within one month of the 72-hour notification. If the incident is still ongoing when the final report falls due, a progress report is submitted at that point and the final report within one month of the incident being handled.[7]
[7] NIS2 (n 1), art 23(1)–(4); art 23(3) (significant-incident definition: disjunctive and forward-looking); art 23(4)(a) (early warning without undue delay and in any event within 24 hours of becoming aware); art 23(4)(b) (incident notification without undue delay and in any event within 72 hours of becoming aware); art 23(4)(d) (final report within one month of the (b) notification); art 23(4)(e) (progress report where the incident is ongoing, final report within one month of handling).
The 24-hour early warning is the critical operational challenge. The deadline implies a detection-to-notification path that runs through weekends and outside business hours across time zones; whether existing breach-response architectures meet that standard is an entity-specific question. For US-headquartered companies where incident response is centralised at a US security operations centre (SOC), the 24-hour clock starts when the Nordic entity becomes aware, which may not coincide with when the US SOC detects the incident.
The interaction between NIS2 incident reporting and other notification obligations compounds the operational burden. A cybersecurity incident at a Nordic clinical trial site that compromises personal data triggers three parallel notification requirements, each with its own clock that starts when the obligated party becomes aware: the NIS2 24-hour early warning from the in-scope entity to the CSIRT or competent authority; the Art. 33 GDPR breach notification from the controller to the data protection authority, without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach; and the seven-day "serious breach" notification by the sponsor to the Member States concerned under Art. 52 of Regulation (EU) 536/2014 (Clinical Trials Regulation) where the sponsor becomes aware of a breach likely to affect, to a significant degree, the safety and rights of a subject or the reliability and robustness of the data generated in the clinical trial. The three obligated parties need not be the same legal person: the NIS2 entity is the Nordic establishment, the GDPR controller is whichever entity determines the purposes and means of the processing, and the CTR sponsor may be the US parent. Different authorities, different timelines, different content requirements, and possibly different obligated entities, for the same underlying incident.
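The three clocks above are easy to state and easy to get wrong at 23:30 on a Friday. The following is an added example, not code from the article or from any regulator: a small deadline tracker that takes time-zone-aware awareness timestamps, starts each regime's clock from its own awareness moment, chains the NIS2 final report from the actual 72-hour submission rather than from awareness, and reads "one month" as a calendar month (that reading, the conservative choice to treat an earlier group-SOC detection as the entity's awareness, and all function names are this example's assumptions; the durations are the ones the text cites). The scenario in `demo()` is constructed, not a real incident.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Clocks as stated in the text: NIS2 Art. 23(4)(a)/(b)/(d), GDPR Art. 33,
# CTR Art. 52. Everything else in this file is the example's own assumption.
NIS2_EARLY_WARNING = timedelta(hours=24)
NIS2_INCIDENT_NOTIFICATION = timedelta(hours=72)
GDPR_BREACH_NOTIFICATION = timedelta(hours=72)
CTR_SERIOUS_BREACH = timedelta(days=7)


@dataclass(frozen=True)
class Deadline:
    regime: str
    step: str
    due: datetime  # always UTC


def to_utc(t: datetime) -> datetime:
    """Normalise to UTC and refuse naive timestamps: a naive SOC timestamp
    silently mixed with a Nordic local time is exactly the error to avoid."""
    if t.tzinfo is None or t.utcoffset() is None:
        raise ValueError("timestamps must be time-zone aware")
    return t.astimezone(timezone.utc)


def add_calendar_month(t: datetime) -> datetime:
    """'One month' read as a calendar month, clamped when the next month is
    shorter (assumption: the Directive says 'one month', not 30 days)."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def awareness_time(entity_aware: datetime, soc_detected: Optional[datetime] = None) -> datetime:
    """Start the clocks from the earliest defensible point. Conservative
    assumption: if the group SOC detected the incident before the Nordic
    entity was told, treat the SOC detection as the entity's awareness."""
    times = [to_utc(entity_aware)]
    if soc_detected is not None:
        times.append(to_utc(soc_detected))
    return min(times)


def notification_schedule(
    nis2_aware: datetime,
    gdpr_aware: Optional[datetime] = None,
    ctr_aware: Optional[datetime] = None,
    nis2_notification_submitted: Optional[datetime] = None,
) -> list:
    """Deadlines in UTC, earliest first. Each regime runs from its own
    awareness moment (controller for GDPR, sponsor for CTR); None skips it."""
    aware = to_utc(nis2_aware)
    out = [
        Deadline("NIS2", "early warning, Art. 23(4)(a)", aware + NIS2_EARLY_WARNING),
        Deadline("NIS2", "incident notification, Art. 23(4)(b)", aware + NIS2_INCIDENT_NOTIFICATION),
    ]
    if nis2_notification_submitted is not None:
        # The final report runs from the actual (b) submission, not from awareness.
        out.append(Deadline("NIS2", "final report, Art. 23(4)(d)",
                            add_calendar_month(to_utc(nis2_notification_submitted))))
    if gdpr_aware is not None:
        out.append(Deadline("GDPR", "breach notification, Art. 33",
                            to_utc(gdpr_aware) + GDPR_BREACH_NOTIFICATION))
    if ctr_aware is not None:
        out.append(Deadline("CTR", "serious breach, Art. 52",
                            to_utc(ctr_aware) + CTR_SERIOUS_BREACH))
    return sorted(out, key=lambda d: d.due)


def due_within(schedule: list, now: datetime, window: timedelta) -> list:
    """Deadlines falling inside the next `window` (what an on-call pager shows)."""
    now = to_utc(now)
    return [d for d in schedule if now <= d.due <= now + window]


def demo() -> dict:
    """Constructed scenario (not a real incident): the Nordic entity learns of
    the incident Friday 23:30 CET; the US SOC saw it at 16:45 EST the same day.
    Fixed offsets are used so this runs without tzdata; use zoneinfo in practice."""
    cet, est = timezone(timedelta(hours=1)), timezone(timedelta(hours=-5))
    entity = datetime(2026, 2, 6, 23, 30, tzinfo=cet)
    soc = datetime(2026, 2, 6, 16, 45, tzinfo=est)
    aware = awareness_time(entity, soc)
    submitted = datetime(2026, 2, 9, 10, 0, tzinfo=cet)  # (b) notification sent
    sched = notification_schedule(aware, gdpr_aware=aware, ctr_aware=aware,
                                  nis2_notification_submitted=submitted)
    by_step = {d.step: d for d in sched}
    return {
        "aware": aware.isoformat(),
        "early_warning_due": sched[0].due.isoformat(),
        "early_warning_weekday": calendar.day_name[sched[0].due.weekday()],
        "ctr_due": by_step["serious breach, Art. 52"].due.isoformat(),
        "final_report_due": by_step["final report, Art. 23(4)(d)"].due.isoformat(),
        "due_next_48h": str(len(due_within(sched, aware, timedelta(hours=48)))),
        "clamp_check": add_calendar_month(datetime(2026, 1, 31, tzinfo=timezone.utc)).isoformat(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the demo makes is the one the text makes: because the SOC saw the incident at 21:45 UTC, the early warning falls due at 21:45 UTC on a Saturday, not on the following Monday and not 24 hours after the Nordic entity's local clock says it was informed. The `to_utc` guard exists because the most common way to get this wrong is a naive timestamp from one system being compared with a localised one from another.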
5. Supply Chain Security: The CRO and CDMO Problem
Art. 21(2)(d) NIS2 requires in-scope entities to address supply chain security, including the security-related aspects of relationships with direct suppliers and service providers. For pharmaceutical R&D, this requirement reaches deeply into the outsourced service ecosystem: contract research organisations (CROs) managing clinical trial data, contract development and manufacturing organisations (CDMOs) producing clinical trial material, cloud service providers hosting electronic trial master files, and biostatistics firms processing clinical data.
The supply chain security obligation is not merely a contractual exercise, though it requires contractual provisions. Art. 21(3) NIS2 directs the entity, when deciding which supply-chain measures are appropriate, to take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of the suppliers' products and cybersecurity practices, including their secure development procedures. In practice that requires the in-scope entity to assess the cybersecurity posture of its critical suppliers, to monitor that posture on an ongoing basis, and to incorporate cybersecurity risk management into procurement and vendor management decisions. For pharmaceutical companies that have spent years building GxP vendor qualification programmes focused on quality and data integrity, NIS2 adds a cybersecurity dimension that must be integrated into existing vendor governance frameworks.
The practical challenge is that many CROs and CDMOs serving Nordic pharmaceutical operations are themselves small or medium-sized enterprises that may fall below the NIS2 size threshold. They are not directly in scope, but the in-scope pharmaceutical company must nonetheless ensure that the services these SMEs provide meet the cybersecurity standards that NIS2 imposes on the pharmaceutical company itself. This creates a flowdown dynamic: NIS2 obligations that apply to the pharma company must be contractually imposed on suppliers that are not directly regulated, through vendor agreements that may not have been designed to carry cybersecurity obligations of this specificity.
6. Operationalising Compliance Across the Nordics
NIS2 applies at the entity level: each legal entity in scope must independently satisfy the requirements. A US pharma company with separate subsidiaries in Denmark, Sweden, and Finland has three entities in scope, each accountable to a different national competent authority. A single legal entity that operates across multiple NIS2 Member States through branches does not consolidate jurisdiction: the chapeau general rule of Art. 26(1) NIS2 is that an entity falls under the jurisdiction of the Member State in which it is established, and the main-establishment test in Art. 26(2) NIS2 is reserved for the closed list of digital service providers under Art. 26(1)(b) (the DNS, cloud, data-centre, managed-service and online-platform categories enumerated in s 1). A pharmaceutical R&D entity established in more than one Nordic Member State is therefore subject to concurrent jurisdiction in each, with no Art. 26 consolidation option, and the cybersecurity risk-management measures must address the specific threat landscape and operational context of each country in which the entity is established.[8]
[8] NIS2 (n 1), art 26 (jurisdiction): art 26(1) chapeau (general rule: Member State of establishment); art 26(1)(a) (PECS providers: Member State of service provision); art 26(1)(b) (closed list of digital service providers; main-establishment test under art 26(2)); pharmaceutical R&D entities fall under the chapeau general rule and face concurrent jurisdiction in each Member State of establishment.
The penalty framework provides the enforcement backdrop. Administrative fines under NIS2 reach a maximum of at least EUR 10 million or 2% of the total worldwide annual turnover of the undertaking to which the entity belongs, whichever is higher, for essential entities; and a maximum of at least EUR 7 million or 1.4% on the same turnover base for important entities. The fines are gated to infringements of Art. 21 or Art. 23 specifically.[9] Under Art. 3 NIS2, large pharmaceutical R&D entities classified under Annex I qualify as essential and fall within the higher penalty tier; medium-sized R&D entities qualify as important and fall within the lower tier, subject to the carve-ins in Art. 3(1)(e)–(g) NIS2 by which a medium entity may be elevated to essential status (Member State identification under Art. 2(2)(b)–(e), designation as a critical entity under the CER Directive, or NIS1 carry-over). For a large US pharma company, the 2% threshold applied on group-level worldwide turnover translates to potential exposure in the hundreds of millions, applicable independently in each Nordic NIS2 Member State (Denmark, Finland, Sweden) where an in-scope entity operates. Norwegian establishments sit under digitalsikkerhetsloven's NIS1-based penalty regime and Icelandic establishments under Act 78/2019's penalty regime, both with their own caps and triggers distinct from Art. 34 NIS2.
[9] NIS2 (n 1), art 34(4) (essential entities: max of at least EUR 10m or 2% of undertaking-level worldwide turnover, whichever is higher, for arts 21/23 infringements); art 34(5) (important entities: max of at least EUR 7m or 1.4% on the same base and gating).
Beyond financial penalties, Art. 20(1) NIS2 requires management bodies of essential and important entities to approve and oversee the cybersecurity risk-management measures, and provides that members can be held liable for infringements. Art. 20(2) NIS2 requires members of those management bodies to undergo cybersecurity training and obliges Member States to encourage equivalent training for employees. Art. 32(5) NIS2 supplies a further enforcement power, available for essential entities only and only where the measures adopted under Art. 32(4)(a)–(d) and (f) NIS2 have proved ineffective: the competent authority first sets a time limit for the entity to remedy the deficiencies, and if that passes unmet it may temporarily suspend a certification or authorisation for the relevant services, or request that the competent bodies or courts temporarily prohibit any natural person discharging managerial responsibilities at chief-executive-officer or legal-representative level from exercising managerial functions in that entity. The combination transforms NIS2 from an IT governance question into a board-level liability issue. For US pharma companies where the Nordic subsidiary's management board includes parent-company secondees or regional executives, the personal-liability dimension adds urgency to compliance programme design.[10]
[10] NIS2 (n 1), art 20(1) (management-body approval, oversight and liability); art 20(2) (mandatory training for management body members; encouraged for employees); art 32(5) (essential entities only, gated to ineffectiveness of art 32(4)(a)–(d) and (f) measures and a lapsed remediation deadline: temporary suspension of certification/authorisation, or temporary prohibition of CEO / legal-representative-level managerial functions).
The Nordic NIS2 landscape is, in essence, a microcosm of a broader European pattern: a harmonising directive that produces national variation in implementation, timing, and enforcement. Whether a particular corporate structure (separate subsidiaries, a single entity with branches, or a hybrid) optimises the compliance burden depends on the entity-level concurrent jurisdiction analysis under Art. 26 NIS2, the supervisory authority allocation in each country, and the company's tolerance for the residual uncertainty that Sweden's closed gap window and the pending Norwegian and Icelandic NIS2 transpositions create. These are not questions that a regional compliance template can answer. They require entity-specific, jurisdiction-specific analysis calibrated to operational footprint and corporate structure, analysis that treats "the Nordics" not as one compliance zone but as a fragmented mosaic spanning three jurisdictions where NIS2 is already in force (Denmark, Finland, Sweden), Norway's EEA-mandated NIS1 transposition, and Iceland's pre-emptive 2019 domestic framework that pre-dates the formal EEA incorporation of NIS1.