Albin Finne, Director and cyber security specialist at Deloitte, highlights the most important considerations for entities that will be covered by the revised NIS directive – for example companies within the energy, transport or healthcare sectors.
A major milestone was reached on 10 November 2022 when the European Parliament adopted NIS2, ending the legislative process. The regulation was approved by the Council of Ministers and published in the EU Official Journal on 27 December 2022 and thereafter entered into force on 16 January 2023. Swedish entities in scope have until 18 October 2024 to meet the requirements.
The current threat and regulatory landscape pressures organizations to establish capabilities to prepare for and manage a cyber crisis effectively and efficiently. During recent years we have noticed that cyber-attacks targeting critical infrastructure have increased worldwide. Additionally, the shift to remote work during the pandemic opened new vulnerabilities, resulting in more individuals falling for phishing attacks. With the current geopolitical situation, the threat of cyber-attacks has increased further, especially for entities that provide essential or important services that could be targets in hybrid warfare.
NIS2 has the goal of strengthening organizations’ security posture to address emerging cyber threats, and these changes could have a significant impact on ways of working.
Depending on the maturity of your organization and the current state of the market, we see the following activities as focus areas to protect critical infrastructure and maintain compliance with NIS2:
This will result in an enhanced cybersecurity posture for your organization. We believe that with increasing controls from governments and regulators, there is momentum for companies to pursue their security objectives.
If you are an organization that provides a service which is essential or important for the maintenance of critical societal and/or economic activities, for example an energy company – you may be classified as an "essential entity" or “important entity” according to NIS2. The following sectors are covered by NIS2 (sectors in light green and dark blue covered already in NIS1):
(a) policies on risk analysis and information system security
(b) incident handling
(c) business continuity, such as backup management and disaster recovery, and crisis management
(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures
(g) basic cyber hygiene practices and cybersecurity training
(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption
(i) human resources security, access control policies and asset management
(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
Furthermore, management bodies will have a crucial and active role in the supervision and implementation of these measures. What could happen if an essential or important entity is non-compliant?
To effectively manage the evolving cyber risks, your board and senior-level management should define (if one does not already exist) or enhance your cybersecurity strategy to adapt, evolve and improve your organization’s cyber resilience capabilities. We have identified three areas where the key requirements of the NIS2 Directive must be addressed:
Since the start of the COVID-19 pandemic the cybersecurity landscape has evolved rapidly. The European Commission has acknowledged this and proposed a repeal of the EU Network and Information Security directive (NIS Directive) to align and enhance cybersecurity within all member states of the EU. The repeal of the NIS Directive will enter into force in 2024 and is expected to impose stronger requirements on a broader range of actors. The overall purpose of the legislation is to achieve a high common level of cybersecurity across all member states. NIS2 has three general objectives: