NIS2 and the Cybersecurity Act – Why many businesses underestimate what is actually required

Todolo Team | 2026-03-24 | 9 min read

When the NIS2 directive is discussed, the focus often lands on technology: security systems, IT infrastructure, incident response. That is not wrong – but it is rarely where the real challenge lies.

In Sweden, the directive is implemented through national cybersecurity legislation. For many organisations, that points to something more fundamental: having control over how work is actually performed – every day.

What NIS2 really changes

At its core, NIS2 is an attempt to raise the floor. More sectors are in scope, requirements are clearer, and responsibility sits closer to the business.

What is often missed is that the requirements are not only about having the right things in place – they must work in practice.

It is no longer enough to:

  • have a policy
  • have documented procedures
  • have training material

What is expected is something else: being able to show that it is used.

Where it starts to get difficult

Most organisations already have some form of structure. There are documents, instructions, checklists. The problem is that they can easily live a life of their own:

  • Procedures exist – but are followed differently depending on the person
  • Tasks are done – but without clear follow-up
  • Knowledge exists – but does not reach the whole organisation

A gap appears between how work is supposed to run and what it looks like day to day. That is the gap NIS2 makes visible.

It is less about IT than you might think

It is easy to read NIS2 as a technical initiative. Yet in many organisations the risk is not in the systems but in execution – in how procedures are interpreted, how tasks are prioritised, and how responsibility is shared. That is where variation appears – and where consequences show up.

From documents to reality

Meeting the requirements is not solved by improving documentation alone. What must change is the link between instruction and action.

In practice that means:

  1. it must be clear what should be done
  2. it must be clear who does it
  3. it must be possible to verify that it was actually done

It sounds simple. Yet this is often where things break down.

Where many organisations get stuck

It is common to assume the answer is more information: more documents, more guidelines, more training. Without structure in execution, that only adds more to manage.

What is missing is not content – it is coherence.

How Todolo fits in

Todolo is not built to replace security systems. It is built to create structure in how work is performed. That helps ensure:

  • procedures do not only exist – they are used
  • tasks are not only planned – they are followed up
  • work does not only happen – it can be shown afterwards

When instructions, tasks, and follow-up are connected, dependence on individuals decreases. It becomes clearer what should happen – and easier to see what actually did.

What changes in practice

When work becomes more structured, something quite concrete happens:

  • variation decreases
  • onboarding gets easier
  • follow-up needs less manual effort

And perhaps most importantly – it becomes possible to answer questions that are otherwise hard:

  • Did we do what we were supposed to?
  • When was it done?
  • By whom?

NIS2 in practice

It is easy to treat NIS2 as a compliance project. In practice, it is just as much about making the business work better. The requirements push for clarity, consistency, and follow-up. For organisations that take it seriously, it is not only about meeting rules – but about working in a more controlled way every day.

A final reflection

Many organisations will focus on the right things – systems, security, technology. Yet what often decides the outcome is simpler: how work is actually performed, day after day. That is where the difference shows – and where the greatest risk, and opportunity, lies.


Would you like a clearer picture of how work is actually performed in your organisation – and where variation exists today? That is often the most valuable place to start.

Contact us if you want to talk about building clearer structure in day-to-day work.