NIS2 Article 21.2 g:

Fundamental cyber hygiene: kitchen hygiene that gives guests the confidence to dine.

I've always valued a simple truth from the restaurant world. You might have the most creative menu in town, but if the kitchen hygiene routines are lacking, it doesn't matter. Guests won't return. In the end, it's not the taste that counts, but trust.

Article 21.2 g in NIS2 is exactly that: fundamental cyber hygiene and training. Not a nice-to-have, but a baseline. Without a baseline, every new initiative just adds more mess to clean up afterwards.

Robert Willborg

Co-founder and Chief Security Officer at OneMore Secure.

What point g actually says

NIS2 Article 21.2 lists ten areas (a to j) that risk management measures must cover. Point g concerns fundamental cyber hygiene practices and cybersecurity training. It's important to read this alongside Article 21.1: the measures must be proportionate and reduce the impact of incidents. In other words, point g requires that everyday human behaviour becomes part of risk reduction, rather than a vulnerability to blame when things go wrong (European Union, 2022).

A matter of clarity: NIS2 does not specify exactly which steps constitute 'hygiene'

This can be confusing. The directive doesn't list specific hygiene routines you must have. This is deliberate. NIS2 is based on proportionality and risk. However, the EU's cybersecurity agency ENISA has produced technical guidance that clarifies what risk management measures often mean in practice, including training, access control, patching, logging, and recovery as a baseline (ENISA, 2025).

Swedish implementation: why this is now on the management table

In Sweden, NIS2 is implemented through the Cybersecurity Act (2025:1506), which came into force on 15 January 2026 (Swedish Parliament, 2025a). The Swedish Civil Contingencies Agency explains that the law tightens requirements and covers more organisations, including clearer demands for risk analyses and security measures (Swedish Civil Contingencies Agency, 2026). This makes cyber hygiene more than just a campaign. It becomes part of how operations demonstrate compliance and capability.

What cyber hygiene means in everyday life

I prefer to keep cyber hygiene practical. It's not 'everything we should do'. It's the few behaviours and routines that, if followed, eliminate a large share of the most common and costly mistakes.

In the kitchen, hygiene means doing the right things every day: clean hands, correct temperature, clean surfaces. In the digital world, the equivalent is often: strong logins, updated systems, and a habit of spotting anomalies early. It's not glamorous. It's about operation and trust.

The uncomfortable point: cyber hygiene is collective, not a hobby

I want to be clear here. Cyber hygiene is carried out by individuals, but it's not an individual project. It's an organisational capability. If you expect people to be perfect in a system that's stressful, unclear, and full of exceptions, you're building in failures. NIS2 therefore shifts the focus from 'the human as the weak link' to the organisation as the responsible environment. Point g is, in its quiet way, a requirement that the organisation makes it easy to do the right thing.

Three things that are usually the real baseline

I stick to three things, to avoid turning hygiene into a list no one can manage. This is not 'all NIS2 requirements'. It's a way to bring point g to life and make it measurable.

· Make secure choices the easiest option.

· Measure compliance in operations.

· Train briefly and frequently.

Making secure choices the easiest means reducing friction around correct behaviour. If multi-factor authentication is hardest for the busiest users, it will be bypassed. Measuring compliance in operations means tracking coverage and anomalies, not just sending reminders. Training briefly and frequently means education becomes routine, not an annual lecture that no one remembers when it matters.

Final thought

Article 21.2 g isn't the flashiest point in NIS2. It's worse than that. It's everyday. And that's why it works.

Security that lasts over time isn't built only in architecture and contracts. It's built in habits. Like kitchen hygiene: no one applauds when it works. But everyone notices when it doesn't.

References

ENISA. (2025). Technical implementation guidance on cybersecurity risk management measures (Version 1.0). European Union Agency for Cybersecurity.

European Union. (2022). Directive (EU) 2022/2555 (NIS2). Official Journal of the European Union, L 333.

Swedish Civil Contingencies Agency. (2026). This is the Cybersecurity Act (NIS2). https://www.mcf.se/

Swedish Parliament. (2025a). Cybersecurity Act (2025:1506). Swedish Code of Statutes.