In this article, Granite's expert trio – Teppo Kattilakoski, Janne Viljamaa, and Jukka Mäkitalo – walk through the key requirements of the NIS2 Directive, the EU's updated legislation designed to strengthen cybersecurity across critical sectors. Our focus in this article is how organisations across the EU can turn these requirements into systematic, manageable, and effective daily practices.
NIS2 obligations are more than legal duties: they offer a strategic opportunity. By addressing them proactively, organisations can build a robust and transparent cybersecurity culture that supports business continuity, risk management, and leadership.
Here, we summarise the main insights from the webinar and show how Granite’s tools can help organisations achieve NIS2 compliance in practice.

1. From Policy to Practice: Granite as a NIS2 Implementation Engine
NIS2 requires essential and important entities to adopt risk management practices, implement appropriate and proportionate technical, operational and organisational measures, and be able to demonstrate to supervisory authorities that those measures are in place and working. In Finland, this is enforced via the Finnish Cybersecurity Act, particularly its sections 7–9.
As Jukka Mäkitalo noted, the law doesn't dictate precise methods, but guidance is provided by national authorities such as the Finnish Transport and Communications Agency (Traficom). Granite's NIS2 tool consolidates these requirements, the national guidelines, and the organisation's own internal practices into one streamlined system.
“The first step is to get a grip on the requirements and begin addressing them. The tool gives us a clear view of what needs to be done and where we stand,” says Jukka Mäkitalo.
The tool enables users to assess their compliance status against each requirement, document their organisation's position, and upload supporting evidence. Named responsibilities and automated reminders ensure progress isn't left to chance.
2. Executive Accountability: Leadership Cannot Delegate
A core element of NIS2 is the requirement for executive accountability. Top management – CEOs and boards – must approve the cybersecurity risk management measures, oversee their implementation, and can be held liable for infringements; this responsibility cannot be delegated away.
“You can’t just write in your policies that the security officer is responsible – leadership is responsible. You can’t outsource that,” reminds Jukka Mäkitalo.
Granite supports leadership with real-time visibility and structured reporting. Management can track compliance, identify gaps, and understand where action is needed. Visual dashboards and ready-to-use reports simplify updates to boards and regulators.
3. Risk Management at the Core of NIS2
Although many organisations approach NIS2 as a compliance checklist, Granite’s experts stress that risk management is the foundation.
Granite’s Information Security Risk tool supports unit- and system-based assessments, including built-in instructions, processes, and control models. This makes risk handling consistent and actionable.
It also enables risks to be linked directly to NIS2 requirements and controls, so that each control can be traced to the risks it mitigates and the requirement it satisfies. This network of relationships clarifies the big picture and supports ongoing development.
4. Supply Chain Risk Under Control
NIS2 requires entities to address supply chain security, including the security-related aspects of their relationships with direct suppliers and service providers. Granite's third-party risk management tool offers:
- Classification and assessment of partners
- Contract data tracking
- Documentation of security requirements
- Management of audits and assessments
“If you have dozens or hundreds of partners, you need a system that brings clarity. Excel is no longer enough,” says Jukka Mäkitalo.
The tool is fully configurable to reflect your organisation’s specific needs in managing supplier risks.
5. Managing Assets and Systems
Granite’s asset inventory tool supports mapping critical operations, information systems, and organisational units. Even smaller organisations often manage a wide variety of assets needing protection.
“If we find a bunch of non-critical systems, there’s no point investing as much in them as in the critical ones,” notes Teppo Kattilakoski.
The tool also enables relationships to be created between assets, vulnerabilities, and risks, offering a holistic view of the organisation's security status.
6. Vulnerability Handling and Response
Granite’s vulnerability management tool gathers internal findings and national alerts (such as those from cybersecurity authorities), and provides clear prioritisation workflows.
“If a vulnerability is detected, the tool provides an immediate action model. There’s no guesswork involved,” says Jukka Mäkitalo.
Built-in guidance supports consistent assessment of each finding and timely remediation.
7. Security Incident Response for the Entire Organisation
NIS2 requires that security incidents be logged, managed effectively, and, where they are significant, notified to the national CSIRT or competent authority on a fixed timeline: an early warning within 24 hours, an incident notification within 72 hours, and a final report within a month. Granite's incident management tool allows all employees to report anomalies, and ensures consistent and auditable handling.
Incidents can be linked to existing risks or used to create new ones, reinforcing proactive risk governance.
8. Ensuring Continuity and Crisis Preparedness
NIS2 includes requirements for business continuity and crisis response planning. Granite’s continuity management tool enables:
- Scenario-based planning
- Recovery plans
- Role assignments
- Test documentation
“We’ve listed 150 operations and built 6–7 continuity scenarios in our asset inventory. That helps us find the right priorities,” says Teppo Kattilakoski.
Planning and regular testing of those plans increase organisational resilience and operational recovery capacity.
9. Reporting Without Manual Work
Every Granite tool includes built-in reporting and dashboards, helping organisations report compliance progress to management and authorities with a click. No spreadsheets needed.
Deviations, risks, controls, and development areas can be visualised and shared clearly and effectively.
10. Flexible by Design
A frequently asked question: what if your organisation already has its own risk management model?
“If there’s no process, one is created during implementation. And if there is, Granite can be configured to match it,” explains Teppo Kattilakoski.
Granite adapts to the customer, not the other way around.
Summary
Granite’s tools help organisations:
- Understand and implement NIS2 requirements
- Create an integrated, practical security management process
- Report transparently to both executives and regulators
- Maintain a continuous risk-aware culture
While the Finnish Cybersecurity Act brings these obligations into national law, NIS2 sets the common baseline that every EU member state transposes, and it is the driving force behind modern cybersecurity resilience across the Union.
And as Granite's experts emphasise: compliance alone isn't enough. Cybersecurity should be embedded into strategy and operations, not bolted on after the fact.
“This isn’t just a compliance tick-in-the-box thing. If you want to run your processes smartly, risk management tools become invaluable,” says Teppo Kattilakoski.
It’s about shifting the mindset – turning cybersecurity into a natural part of organisational culture.
Interested in a Demo?
Granite’s experts would be happy to show how these tools can support your journey to NIS2 compliance. Don’t hesitate to get in touch.