When traveling across Iceland, I couldn’t help but notice how deeply interconnected even the most remote communities have become. From cloud-connected fishing operations to digitally run geothermal plants, the reliance on digital infrastructure is unmistakable. As Iceland gears up to implement the Network and Information Security 2 Directive (NIS2), ensuring the resilience of these digital systems isn’t just important — it’s essential for national stability and growth. In this article, we dive into the NIS2 directive’s implications for Iceland, how its transposition is shaping up, and what organizations must know to stay ahead.
Key take-aways for NIS2 Iceland implementation
Iceland’s journey toward integrating the NIS2 directive (Network and Information Security 2 Directive) is marked by its unique status as a European Economic Area (EEA) member. The directive’s obligations won’t formally apply until the EEA Joint Committee incorporates it into Annex XI of the EEA Agreement, which is expected in autumn 2025. Unlike many EU member states drafting entirely new legislation, Iceland plans to amend its existing Cyber-Security Act 78/2019 (known locally as Öryggi net- og upplýsingakerfa mikilvægra innviða).
The scope is set to expand dramatically. From around 350 critical infrastructure operators today, Iceland anticipates 3,000 to 4,000 entities will fall under NIS2 regulations, including medium-sized manufacturers and all municipalities with populations of at least 50,000.
Before exploring the broader impact, here’s an overview of Iceland’s NIS2 directive status:
| Theme | Status |
| --- | --- |
| Transposition Status | EEA decision expected autumn 2025 |
| Domestic Legislation | Amendment to Cyber-Security Act 78/2019 |
| Indicative Timetable | New Act enters into force 1 July 2027 |
| Expected Scope | 3,000–4,000 entities |
| Supervisory Bodies | CERT-IS, ECOI, sector regulators |
With the legal foundation gradually being laid, organizations must prepare for significant operational and compliance shifts.
Timelines and important deadlines for compliance
The Ministry of Higher Education, Science and Innovation (MHÍN) has outlined a precise roadmap for transposing the NIS2 directive. Whereas other directives see faster turnarounds, Iceland’s alignment process for NIS2 carefully matches its EEA obligations with domestic legislative cycles.
Here’s how the timeline is shaping up for Iceland NIS2 implementation:
| Date | Milestone |
| --- | --- |
| Autumn 2025 | EEA Joint Committee decision |
| December 2025 | Consultation draft published in Samráðsgátt portal |
| Q2 2026 | Government Bill tabled in Althingi |
| Q4 2026 | Parliamentary adoption |
| 1 July 2027 | New Act enters into force; registration portal opens |
| 1 October 2027 | Self-registration deadline |
| 1 July 2028 | Compliance deadline for essential entities |
| 1 October 2028 | Compliance deadline for important entities |
This phased approach provides organizations some breathing room but also underlines the necessity to start preparations now.
PRO TIP
Don’t wait for the July 2027 enforcement date—schedule internal cyber budgeting by Q1 2026. This ensures you can fund upgrades, external audits, or new hires in time to meet the October 2028 compliance deadline.
How Iceland is implementing the NIS2 directive
Instead of creating an entirely new legislative framework, Iceland intends to amend its existing Cyber-Security Act 78/2019. The updated legislation will mirror NIS2’s structure closely, mapping risk-management duties to Icelandic cyber standards (Grunnkröfur um netöryggi) and aligning incident reporting obligations with the new directive.
Key changes anticipated in the amendment include tighter reporting timelines, expanded supervisory powers, and a broader scope that covers industries like cloud services, manufacturing, and public administration. Entities will have to report incidents within 24 hours, provide an update within 72 hours, and submit a full report within 30 days via a new portal managed by the Electronic Communications Office (ECOI).
You can follow updates through the Samráðsgátt portal where drafts and consultations are published.
PRO TIP
Use the Grunnkröfur um netöryggi (Baseline Cybersecurity Requirements) as your starting point. These national standards will be harmonized with NIS2 and are ideal for structuring internal audits or board reporting today.
Sanctions under the updated NIS2 framework
Compliance isn’t just a best practice—it’s a necessity backed by serious consequences. The sanctions under the Iceland NIS2 directive framework will be substantial. Essential entities face fines of up to €10 million or 2% of global turnover, while important entities could be fined up to €7 million or 1.4%.
Moreover, supervisory authorities will have powers to impose daily penalties of up to ISK 10 million, publicly name non-compliant entities, and even ban directors. Public sector organizations like ministries and municipalities won’t face monetary fines but will be subject to corrective measures.
| Entity Class | Fine Ceiling | Other Penalties |
| --- | --- | --- |
| Essential Entity | €10 million / 2% turnover | Daily penalties, director bans |
| Important Entity | €7 million / 1.4% turnover | Public naming |
| Public Sector | No monetary fines | Corrective orders only |
Given the weight of these sanctions, proactive compliance planning is not optional.
PRO TIP
Pre-authorize incident response templates with your legal and communications teams. This reduces risk of late filings and protects your public reputation when a breach occurs—especially with public naming on the table.
Impact on industries
Iceland’s NIS2 implementation will reshape obligations across multiple sectors, dramatically expanding regulatory oversight and introducing stringent operational requirements.
| Sector | Impact |
| --- | --- |
| Manufacturing | New obligations for medium-sized manufacturers, including supply chain audits and segmentation of OT/IT systems |
| Energy and Utilities | Expanded to cover LNG, hydrogen, district heating; requires 24/7 monitoring and SBOM (Software Bill of Materials) exchanges |
| Healthcare | Coverage expands from around 15 to more than 60 providers; mandates ISO 27001 governance and quarterly backup drills |
| Digital Infrastructure | Cloud services and DNS providers are always categorized as essential; must maintain zero-trust frameworks |
| Finance | Merging of NIS2 and DORA (Digital Operational Resilience Act) compliance cycles; cumulative fines possible |
| Public Administration | Large municipalities become essential entities but are not subject to monetary fines for non-compliance |
The expected impact reveals just how broad the reach of the new directive will be, touching nearly every sector linked to critical or essential services.
PRO TIP
If your sector was previously exempt, build a compliance roadmap with “quick wins”—like asset inventory or MFA rollouts—to start gaining momentum now, before audits become mandatory.
What companies should know and do now
With Iceland’s NIS2 transposition still in progress, organizations have a vital window to prepare strategically. Monitoring updates via the Samráðsgátt portal and beginning preliminary self-assessments are key first steps. The Electronic Communications Office will provide an eligibility tool to help organizations determine if they are classified as “essential” or “important” entities.
Companies should also:
- Gather registry data such as Kennitala (company ID), ÍSAT codes (sector identifiers), and designate cyber contact persons.
- Initiate an Article 21 gap analysis to benchmark current cyber practices against NIS2 requirements.
- Educate leadership teams on the strategic importance of cybersecurity, securing budget allocations for upcoming audits and upgrades.
How CyberUpgrade powers NIS2 readiness in Iceland
As Iceland’s fishing fleets and geothermal plants prepare for NIS2’s stricter reporting deadlines and risk-management duties, you don’t have to build compliance processes from scratch. CyberUpgrade connects directly to your existing workflows—whether you’re monitoring cloud-connected harpoon systems or remote steam turbines—and automates up to 80% of evidence-gathering and reporting tasks so your team can focus on operations rather than paperwork.
Our Slack and Teams chatbot guides employees through real-time checks against both Grunnkröfur um netöryggi and NIS2 standards, capturing every audit trail in a centralized, regulator-ready repository. By eliminating bottlenecks and accelerating approvals, audits become virtually effortless.
Built-in vulnerability scanning, penetration testing, and continuous monitoring give you full visibility into emerging threats—so you can spot gaps before they can disrupt critical services. And with our EU-based CISO-as-a-Service, you gain strategic leadership at every NIS2 milestone—from early gap analyses and policy setup to pre-authorized incident response and ongoing risk workflows—helping you avoid fines of up to €10 million or daily penalties, save over €60K annually, and strengthen your security culture. Let CyberUpgrade handle the complexity of NIS2 compliance so you can keep Iceland’s digital backbone strong and your business growth on track.
Are you ready for Iceland’s cybersecurity transformation?
As the summer of 2027 edges closer, organizations across Iceland must acknowledge that cybersecurity resilience is no longer a luxury—it is mandated. While the government’s measured, phased approach gives businesses time to adapt, the complexity and depth of the new requirements will demand focused preparation.
Building resilience now ensures that when the NIS2 directive finally becomes binding, organizations won’t just be compliant—they’ll be cyber-ready for the future.