When traveling across Iceland, I couldn’t help but notice how deeply interconnected even the most remote communities have become. From cloud-connected fishing operations to digitally run geothermal plants, the reliance on digital infrastructure is unmistakable. As Iceland gears up to implement the Network and Information Security 2 Directive (NIS2), ensuring the resilience of these digital systems isn’t just important — it’s essential for national stability and growth. In this article, we dive into the NIS2 directive’s implications for Iceland, how its transposition is shaping up, and what organizations must know to stay ahead.
Key take-aways for NIS2 Iceland implementation
Iceland’s journey toward integrating the NIS2 directive (Network and Information Security 2 Directive) is marked by its unique status as a European Economic Area (EEA) member. The directive’s obligations won’t formally apply until the EEA Joint Committee incorporates it into Annex XI of the EEA Agreement, which is expected in autumn 2025. Unlike many EU member states drafting entirely new legislation, Iceland plans to amend its existing Cyber-Security Act 78/2019 (known locally as Öryggi net- og upplýsingakerfa mikilvægra innviða).
The scope is set to expand dramatically. From around 350 critical infrastructure operators today, Iceland anticipates 3,000 to 4,000 entities will fall under NIS2 regulations, including medium-sized manufacturers and all municipalities with populations of at least 50,000.
Before exploring the broader impact, here’s an overview of Iceland’s NIS2 directive status:
Current standing of NIS2 Iceland implementation

| Theme | Status |
| --- | --- |
| Transposition Status | EEA decision expected autumn 2025 |
| Domestic Legislation | Amendment to Cyber-Security Act 78/2019 |
| Indicative Timetable | New Act enters into force 1 July 2027 |
| Expected Scope | 3,000–4,000 entities |
| Supervisory Bodies | CERT-IS, ECOI, sector regulators |
With the legal foundation gradually being laid, organizations must prepare for significant operational and compliance shifts.
Timelines and important deadlines for compliance
The Ministry of Higher Education, Science and Innovation (MHÍN) has outlined a precise roadmap for transposing the NIS2 directive. Unlike other directives that see faster turnarounds, Iceland’s alignment process carefully matches its EEA obligations with domestic legislative cycles.
Here’s how the timeline is shaping up for Iceland’s NIS2 implementation:
Projected timeline for NIS2 Iceland transposition

| Date | Milestone |
| --- | --- |
| Autumn 2025 | EEA Joint Committee decision |
| December 2025 | Consultation draft published in Samráðsgátt portal |
| Q2 2026 | Government Bill tabled in Althingi |
| Q4 2026 | Parliamentary adoption |
| 1 July 2027 | New Act enters into force; registration portal opens |
| 1 October 2027 | Self-registration deadline |
| 1 July 2028 | Compliance deadline for essential entities |
| 1 October 2028 | Compliance deadline for important entities |
This phased approach provides organizations some breathing room but also underlines the necessity to start preparations now.
How Iceland is implementing the NIS2 directive
Instead of creating an entirely new legislative framework, Iceland intends to amend its existing Cyber-Security Act 78/2019. The updated legislation will mirror NIS2’s structure closely, mapping risk-management duties to Icelandic cyber standards (Grunnkröfur um netöryggi) and aligning incident reporting obligations with the new directive.
Key changes anticipated in the amendment include the introduction of tighter reporting timelines, expanded supervisory powers, and the broadening of scope to include industries like cloud services, manufacturing, and public administration. Entities will have to report incidents within 24 hours, update within 72 hours, and submit a full report within 30 days via a new portal managed by the Electronic Communications Office (ECOI).
You can follow updates through the Samráðsgátt portal where drafts and consultations are published.
Sanctions under the updated NIS2 framework
Compliance isn’t just a best practice—it’s a necessity backed by serious consequences. The sanctions under the Iceland NIS2 directive framework will be substantial. Essential entities face fines of up to €10 million or 2% of global turnover, while important entities could be fined up to €7 million or 1.4%.
Moreover, supervisory authorities will have powers to impose daily penalties of up to ISK 10 million, publicly name non-compliant entities, and even ban directors. Public sector organizations like ministries and municipalities won’t face monetary fines but will be subject to corrective measures.
Sanctions for non-compliance under NIS2 Iceland regulations

| Entity Class | Fine Ceiling | Other Penalties |
| --- | --- | --- |
| Essential Entity | €10 million / 2% turnover | Daily penalties, director bans |
| Important Entity | €7 million / 1.4% turnover | Public naming |
| Public Sector | No monetary fines | Corrective orders only |
Given the weight of these sanctions, proactive compliance planning is not optional.
Impact on industries
Iceland’s NIS2 implementation will reshape obligations across multiple sectors, dramatically expanding regulatory oversight and introducing stringent operational requirements.
Sector-specific impacts from NIS2 Iceland directive

| Sector | Impact |
| --- | --- |
| Manufacturing | New obligations for medium-sized manufacturers, including supply chain audits and segmentation of OT/IT systems |
| Energy and Utilities | Expanded to cover LNG, hydrogen, district heating; requires 24/7 monitoring and SBOM (Software Bill of Materials) exchanges |
| Healthcare | Coverage expands from around 15 to more than 60 providers; mandates ISO 27001 governance and quarterly backup drills |
| Digital Infrastructure | Cloud services, DNS providers always categorized as essential; must maintain zero-trust frameworks |
| Finance | Merging of NIS2 and DORA (Digital Operational Resilience Act) compliance cycles; cumulative fines possible |
| Public Administration | Large municipalities become essential entities but avoid fines if non-compliant |
The expected impact reveals just how broad the reach of the new directive will be, touching nearly every sector linked to critical or essential services.
What companies should know and do now
With Iceland’s NIS2 transposition still in progress, organizations have a vital window to prepare strategically. Monitoring updates via the Samráðsgátt portal and beginning preliminary self-assessments are key first steps. The Electronic Communications Office will provide an eligibility tool to help organizations determine if they are classified as “essential” or “important” entities.
Companies should also:
- Gather registry data such as Kennitala (company ID), ÍSAT codes (sector identifiers), and designate cyber contact persons.
- Initiate an Article 21 gap analysis to benchmark current cyber practices against NIS2 requirements.
- Educate leadership teams on the strategic importance of cybersecurity, securing budget allocations for upcoming audits and upgrades.
Are you ready for Iceland’s cybersecurity transformation?
As the summer of 2027 edges closer, organizations across Iceland must acknowledge that cybersecurity resilience is no longer a luxury—it is mandated. While the government’s measured, phased approach gives businesses time to adapt, the complexity and depth of the new requirements will demand focused preparation.
Building resilience now ensures that when the NIS2 directive finally becomes binding, organizations won’t just be compliant—they’ll be cyber-ready for the future.