Newsletter

From compliance to crisis: Cybersecurity checklist

by Inge K. Brodersen


Cyber-attacks, data breaches, and digital threats are no longer reserved for large multinational corporations or state actors. Today, businesses of all sizes and sectors are exposed – and the consequences of not being prepared are greater than ever.

The geopolitical situation is unstable, threat actors are more sophisticated, and governments across Europe are introducing increasingly stringent requirements for digital security. In recent years, the EU has adopted a considerable number of new regulations in this area that have been, or are being, implemented into national law. This gives companies specific legal obligations, and exposes them to legal consequences in the event of non-compliance.

More than ever, time is of the essence and a great deal is at stake. External assistance may be required at every stage: from preventive compliance work and contingency planning, to handling actual security incidents.

Level 1: prevention and compliance

The most important effort is made before something goes wrong. A solid legal foundation reduces risk, ensures compliance with applicable regulations, and gives the business a good starting point if something should nevertheless occur.

Checklist:

  • Gap analysis: We review the company's current practices against current and upcoming regulatory requirements and identify specific improvement points.
  • Preparation and review of internal policies, procedures, and governing documents.
  • Review and negotiation of supplier agreements, data processing agreements, and other contracts with relevance to information security.
  • Advice on the responsibilities of the board and management – including what good "cyber governance" means in practice.

Examples of sector-specific conditions:

Financial sector: DORA (Digital Operational Resilience Act) has applied directly to financial entities in the EU since 17 January 2025. The regulation sets out detailed requirements for ICT risk management, testing of digital operational resilience, reporting of major ICT-related incidents, and contractual arrangements with ICT third-party service providers. We assist companies working within this sector in establishing the legal framework required under DORA.

Critical infrastructure and critical services: The Network and Information Security Directive 2 (NIS2) introduces significantly expanded requirements compared to the original NIS Directive. Far more sectors and businesses are now covered – including energy, transport, health, water, and digital infrastructure – and they are classified as either "essential" or "important" entities, with different supervisory regimes. Fines for non-compliance can amount to up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities (€7 million or 1.4% for important entities). We assist in mapping whether your business is covered, and if so, what specific obligations it entails.

Manufacturing and industry: The Cyber Resilience Act (CRA) targets manufacturers and suppliers of products with digital elements – that is, products that contain software and can be connected, directly or indirectly, to a device or network. The regulation sets cybersecurity requirements throughout the product's life cycle, including vulnerability handling and the provision of security updates. We assist in assessing the requirements that apply to your company's products and value chain.

Tech and SaaS companies: The intersection of GDPR, NIS2 and CRA is complex for businesses that provide digital services. We assist in navigating this regulatory landscape and integrating legal requirements into product development and service delivery.

Level 2: preparedness

Businesses that are well prepared handle incidents faster, limit the extent of the damage and reduce the risk of adverse legal consequences. Emergency preparedness work is no longer voluntary – it is a regulatory requirement under NIS2 and DORA, among others.

Checklist:

  • Preparation of incident response plans with a legal perspective: who is notified, in what order and within what deadlines?
  • Mapping of notification obligations in the event of security incidents – vis-à-vis supervisory authorities, customers and other third parties.
  • Participation in tabletop exercises in collaboration with technical partners, where the business practices dealing with a cyber-attack from start to finish.
  • Review of insurance coverage for cyber risks and identification of any coverage gaps.

Examples of sector-specific conditions:

Financial sector: DORA sets specific requirements for testing digital operational resilience, including penetration testing and, for certain entities, threat-led penetration testing (TLPT) and scenario-based exercises. Deadlines for reporting major ICT-related incidents are tight. We assist in establishing processes that ensure compliance.

Healthcare: Businesses in the healthcare sector handle particularly sensitive personal data and are subject to strict requirements under both NIS2 and GDPR. A security incident in the health sector can also have direct consequences for patient safety. We assist in designing contingency plans that take these considerations into account.

Public sector: Central and local government agencies are increasingly targets of cyber-attacks, not least considering the geopolitical situation. We assist in mapping the regulations that apply and designing appropriate emergency preparedness structures.

Level 3: crisis management

When a security incident occurs, time is the most valuable resource. Quick and correct decisions in the first hours are essential to limit damage, meet legal obligations and safeguard the interests of the business.

Checklist:

  • Immediate legal assistance from the moment an incident is discovered – including an assessment of scope, liability, and immediate action.
  • Handling of notification obligations to the applicable data protection authorities, the national security authorities, the financial supervisory authorities, and other relevant authorities. For example, a personal data breach must under GDPR be notified to the supervisory authority within 72 hours of the business becoming aware of it (unless it is unlikely to result in a risk to individuals), and affected individuals must be informed without undue delay where the breach is likely to result in a high risk to them. Under NIS2 several deadlines apply to significant incidents: 24 hours for the early warning, 72 hours for the incident notification, and one month for the final report.
  • Communication to customers, partners, and the media – legal quality assurance of all external communication.
  • Legal action against perpetrators, responsible third parties, or insurance companies.
  • Assistance afterwards: review of the course of events, assessments of responsibility and measures to prevent recurrence.

Examples of sector-specific conditions:

Financial sector: As mentioned, DORA requires detailed reporting of major ICT-related incidents with notably short deadlines: an initial notification, followed by an intermediate report and a final report, each within hours or days rather than weeks. The regulation also sets requirements for the content of the reports and for follow-up vis-à-vis supervisory authorities. Errors or delays in reporting can in themselves trigger sanctions.

Companies with listed securities: A security incident may constitute inside information and trigger information obligations under stock exchange law pursuant to the Market Abuse Regulation (MAR). We assist in assessing and managing these obligations in parallel with other crisis management.

All sectors – supply chains: Many security incidents occur at suppliers and spread from there. We assist in clarifying responsibilities in the supply chain and safeguarding the company's claims vis-à-vis third parties.

We are ready to help you

Cybersecurity is no longer solely a technical issue – it's a legal, strategic, and managerial issue. We have the expertise to assist your business across the entire spectrum: from preventive work and compliance, via contingency planning, to handling actual crises.

Our core cyber security team is:

  • Inge Brodersen
  • Jeppe Songe-Møller
  • Eva Jarbekk
  • Luca Tosoni
  • Trygve Karlstad

Feel free to contact us for a conversation about what we can do for your business!
