NIS2 in Sweden from 2026

NIS2 for your Microsoft 365 environment, clear and straight to the point.

The NIS2 directive is now Swedish law through the Cybersecurity Act, in force from 2026. For many small and medium-sized businesses it feels like the GDPR scramble all over again, the kind that used to run €2.7K-€7K a year in consultancy fees. Here are the ten areas you actually have to handle, and what PIANOLA quietly takes off your plate every day.

NIS2 areas in Microsoft 365

10 areas

What the directive requires you to handle.

PIANOLA handles continuously

8 of 10

Two areas remain the leadership's own processes (risk decisions, supplier assessment).

Documentation support

10 of 10

Evidence and NIS2 reporting for every area.

The most common misconception

Microsoft secures the platform; you secure the configuration.

SaaS isn't automatically secure. Microsoft 365 gives you the tools. The configuration, identity, and data policies are your responsibility. PIANOLA watches these continuously and documents that you've done the work.

The ten areas

What NIS2 requires, what PIANOLA does, what you do. Honestly split.

Area 1

Secure configuration (shared responsibility)

Microsoft secures the platform. You secure the configuration in your environment. That's where most missteps start.

PIANOLA handles this

Tracks Secure Score continuously and translates it into a clear Risk Index on a 0-100 scale. PIANOLA Baseline brings you up to a standardised starting level in a single step.

You handle this

Decide which baseline level you follow. Document how responsibility is split between leadership, IT, and your partner.

Area 2

Strong identity and access control

MFA, Conditional Access, and the principle of least privilege need to be deliberate, not just switched on.

PIANOLA handles this

Enforces MFA, blocks legacy authentication protocols, flags inactive admin accounts, and reviews Conditional Access exclusions and how strong your sign-in methods actually are.

You handle this

Decide who should hold admin roles. Set up PIM (Privileged Identity Management) if you need time-bound access.
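A spot-check of the Area 2 controls named above, written as an added example (not PIANOLA's code) in Microsoft Graph PowerShell; the 90-day inactivity threshold is an assumption, and reading signInActivity needs an Entra ID P1 licence and the AuditLog.Read.All scope.

```powershell
# Added example, not PIANOLA's code. Requires the Microsoft.Graph PowerShell SDK and a
# reader with Policy.Read.All, RoleManagement.Read.Directory and AuditLog.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All","RoleManagement.Read.Directory","AuditLog.Read.All" -NoWelcome

# --- Conditional Access: every exclusion is a gap someone has to be able to justify ---
$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    $excluded = @($p.Conditions.Users.ExcludeUsers) + @($p.Conditions.Users.ExcludeGroups) +
                @($p.Conditions.Users.ExcludeRoles)
    if ($excluded.Count -gt 0) {
        "[REVIEW] CA policy '$($p.DisplayName)' ($($p.State)) excludes $($excluded.Count) user(s)/group(s)/role(s)"
    }
}

# --- Legacy authentication: at least one enabled policy must block clients that cannot do MFA ---
$legacyBlock = $policies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'block' -and
    ($_.Conditions.ClientAppTypes -contains 'other' -or
     $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync')
}
if (-not $legacyBlock) { "[FINDING] No enabled Conditional Access policy blocks legacy authentication" }

# --- Inactive admins: members of activated directory roles with no sign-in in 90 days (assumed threshold) ---
$cutoff = (Get-Date).AddDays(-90)
foreach ($role in Get-MgDirectoryRole) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        $user = Get-MgUser -UserId $member.Id -Property "userPrincipalName,signInActivity"
        $last = $user.SignInActivity.LastSignInDateTime
        if (-not $last -or $last -lt $cutoff) {
            $lastText = if ($last) { $last.ToString('yyyy-MM-dd') } else { 'never' }
            "[FINDING] $($user.UserPrincipalName) holds '$($role.DisplayName)', last sign-in: $lastText"
        }
    }
}
```

Each [FINDING] line is the kind of item that needs either a fix or a documented risk acceptance from leadership (see Area 8).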

Area 3

Risk analysis

NIS2 demands continuous risk identification. Not an annual report that gathers dust in a folder.

PIANOLA handles this

Risk Index 0-100 updates with every scan, the trend is shown over time, and the three most important actions are surfaced with a clear description of their consequences.

You handle this

Business risk at the strategic level (customer risk, revenue impact, brand risk). That belongs at the leadership table.

Area 4

Incident reporting

Significant incidents must be reported to the supervisory authority within 24 hours under the Cybersecurity Act.

PIANOLA handles this

Every change in the environment is logged with a timestamp. The evidence is ready to attach to an incident report. Every decision and action can be traced back in time.

You handle this

Your own playbooks for different incident types. Contact paths to the supervisory authority. Who calls whom and in what order.

Area 5

Data protection and classification

Sensitive data has to be protected. You need to know where it lives and who can reach it.

PIANOLA handles this

Watches external sharing, OAuth consents to third-party apps, anonymous sharing links, and open SharePoint libraries.

You handle this

Sensitivity labels and DLP policies in Purview if you have that licence. Deciding what counts as sensitive data in your organisation.

Area 6

Logging and traceability

Audit logs are your memory. Without them you can't prove what happened, or didn't, during a supervisory review.

PIANOLA handles this

Verifies that the Unified Audit Log is enabled and has reasonable retention. Flags it when logging doesn't cover what it should.

You handle this

SIEM integration if you need deeper analysis (Microsoft Sentinel or similar). Longer retention than the default when your needs demand it.

Area 7

Technical and organisational safeguards

Phishing protection, malware protection, mail forwarding, backup. The fundamentals that need to be solid.

PIANOLA handles this

Watches Defender for Office, anti-phishing policy, Safe Links, Safe Attachments, mail flow rules, and forwarding.

You handle this

Backup strategy (Microsoft 365 Backup or third party). Endpoint management (Intune or similar). Endpoint protection on computers and servers.
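The audit-log and forwarding checks from Areas 6 and 7, as an added example (not PIANOLA's code) in Exchange Online PowerShell; it assumes the ExchangeOnlineManagement module and treats any domain outside your accepted domains as external.

```powershell
# Added example, not PIANOLA's code. Requires the ExchangeOnlineManagement module and a role
# that can read audit config, mailboxes and transport rules (View-Only Organization Management is enough).
Connect-ExchangeOnline -ShowBanner:$false

# --- Area 6: the Unified Audit Log has to be ingesting, or there is no evidence to attach to an incident report ---
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    "[FINDING] Unified Audit Log ingestion is disabled"
}
# Retention is set in the Purview compliance session, not in Exchange Online:
#   Connect-IPPSSession; Get-UnifiedAuditLogRetentionPolicy | Select-Object Name, RetentionDuration, Priority

# --- Area 7: mail leaving the tenant by forwarding, a common path for silent data loss ---
$ownDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() }

foreach ($mb in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level SMTP forwarding, whether set by an admin or through the user's own settings
    if ($mb.ForwardingSmtpAddress) {
        $target = "$($mb.ForwardingSmtpAddress)" -replace '^smtp:', ''
        if ($target.Split('@')[-1].ToLower() -notin $ownDomains) {
            "[FINDING] $($mb.UserPrincipalName) forwards to external address $target (keeps a copy: $($mb.DeliverToMailboxAndForward))"
        }
    }
    # Inbox rules that forward or redirect; slow on large tenants, so scope the Get-Mailbox call if needed
    foreach ($rule in Get-InboxRule -Mailbox $mb.UserPrincipalName) {
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            "[REVIEW] $($mb.UserPrincipalName): inbox rule '$($rule.Name)' (enabled: $($rule.Enabled)) forwards or redirects mail"
        }
    }
}

# Transport rules that redirect or blind-copy mail apply to everyone and deserve the same scrutiny
Get-TransportRule | Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo } | ForEach-Object {
    "[REVIEW] Transport rule '$($_.Name)' ($($_.State)) sends copies to: $(@($_.RedirectMessageTo) + @($_.BlindCopyTo) -join ', ')"
}
```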

Area 8

Personal accountability for leadership

Board members and CEOs are personally accountable from the moment the law took effect. Many miss that this is exactly what's changed.

PIANOLA handles this

The monthly report is written in plain language, so leadership sees the same numbers as IT. The summary is formatted to be pasted straight into board minutes.

You handle this

Decision minutes. Leadership training in cybersecurity. Documented risk acceptance when leadership has actively chosen not to address a risk.

Area 9

Supply chain

Your suppliers are your risk. Microsoft included, but above all third-party apps inside Microsoft 365.

PIANOLA handles this

Reviews OAuth apps with access to your environment, checks whether the app publisher is verified, and lists external guests along with the permissions they hold.

You handle this

Data Processing Agreements with Microsoft and other cloud vendors. Supplier assessments for your IT vendors.
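The third-party app review from Areas 5 and 9, as an added example (not PIANOLA's code) in Microsoft Graph PowerShell; it assumes the Application.Read.All and DelegatedPermissionGrant.Read.All scopes, and separates Microsoft's own first-party apps by the well-known Microsoft owner tenant id.

```powershell
# Added example, not PIANOLA's code. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Application.Read.All","DelegatedPermissionGrant.Read.All" -NoWelcome

$tenantId = (Get-MgContext).TenantId
# Owner tenant of Microsoft's own first-party apps; everything else with a foreign owner is a third party
$microsoftTenant = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'

# Service principals that exist because someone consented to an app built outside this tenant
$thirdParty = Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'" |
    Where-Object { $_.AppOwnerOrganizationId -and
                   $_.AppOwnerOrganizationId -ne $tenantId -and
                   $_.AppOwnerOrganizationId -ne $microsoftTenant }

foreach ($sp in $thirdParty) {
    # Publisher verification is the cheapest signal the page mentions: unverified is not proof of malice, but it needs a decision
    $publisher = if ($sp.VerifiedPublisher.DisplayName) { $sp.VerifiedPublisher.DisplayName } else { 'UNVERIFIED' }

    # Delegated grants: ConsentType 'AllPrincipals' means an admin consented on behalf of every user
    $grants  = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
    $scopes  = (($grants.Scope -join ' ') -split '\s+') | Where-Object { $_ } | Sort-Object -Unique
    $orgWide = [bool]($grants | Where-Object { $_.ConsentType -eq 'AllPrincipals' })

    $tag = if ($publisher -eq 'UNVERIFIED' -or $orgWide) { '[REVIEW]' } else { '[app]' }
    "$tag $($sp.DisplayName) | publisher: $publisher | org-wide consent: $orgWide | scopes: $($scopes -join ', ')"
}
```

The output is the supplier list for the "third-party apps inside Microsoft 365" part of Area 9; the Data Processing Agreements and vendor assessments remain your own process.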

Area 10

Documentation and audit readiness

Being secure isn't enough. You have to prove it when the supervisory authority calls.

PIANOLA handles this

Evidence and traceability for every finding and action, mapped to the right NIS2 article. The monthly report exports directly to your auditor or insurance company.

You handle this

Nothing extra. That's exactly the point of PIANOLA: the documentation is built into the work, not run as a separate project.

The supervisory authority will call sooner or later

We'll show you where you stand today, what to take on first, and help you build the documentation the supervisory authority actually wants to see. The walkthrough takes about an hour.

Book a walkthrough