November 24, 2022

What is the NIS and NIS2 directive?

This article is an introduction to the NIS directive and its successor, the NIS2 directive, both of which aim to strengthen the EU's protection of critical infrastructure. We briefly go through what the directive means in practice and who is affected. We help businesses manage security challenges with tailored solutions. Book a demo to discuss how NIS affects you and what measures you may need to take.

About the NIS directive

The NIS directive (the Directive on security of network and information systems) exists to raise the security level of critical infrastructure in the European Union.

link22 and the NIS Directive

The NIS Directive affects each company and organization differently, there is no one-size-fits-all solution to meet the requirements and stay efficient. It can be hard to assess whether or not the NIS Directive affects your company at all. We have helped governments, organizations and companies with challenges like this for 16 years and can be of use in many ways. It can seem complicated to determine what this means for you; what are you obliged to do or not to do? If you are unsure about this we suggest that you book a demo with us where we make an assessment together. Based on your situation we reason together and specify what you need to do to meet the new requirements and most importantly to secure what's valuable in your possession.

What does the term “directive” mean in this context?

It means that each member state incorporates the directive into its own legislation, so that it harmonizes with local law while achieving the same function. In Sweden, the NIS directive came into force on 1 August 2018 through the Information Security Act.

Why does the NIS directive exist?

The NIS directive was created to protect European citizens by raising the level of security around critical infrastructure within the member states, specifically by improving the information security of that infrastructure.

Digitalization gave rise to NIS and NIS2

The number of attacks by criminal organizations and nation states has increased significantly. The attacks are more sophisticated, and so are the motives. Attackers are not only in it for money; elections and national security are also at stake. Cyberwar is a fact. There is good reason to prevent and prepare for attacks so that critical infrastructure stays intact. The NIS and NIS2 directives are ultimately meant to serve European citizens.

The NIS directive affects certain industries

Energy, health care, transport, finance, water supply and digital infrastructure are considered critical under the NIS directive. Companies and organizations within these sectors are obliged to secure their information in accordance with it.

The NIS directive in reality

The NIS directive generally means stricter requirements for information security. Affected entities must consider people, process and technology when securing information, and they need to classify their information and systems. They must also prepare for the consequences an attack may have and specify action plans that increase resilience. Continuous learning through mandatory incident reporting is required, with the aim of always becoming better prepared. Companies and organizations are expected to direct their NIS-related measures towards their network and information systems.

The NIS2 Directive

Complying with and benefiting from the NIS directive

The NIS directive is a useful starting point for valuable cybersecurity improvements. Best practice is to first create an overview of the organization as a whole and then identify the changes that would improve information security. Some processes are crucial for core functionality, some individuals have access and responsibilities that make them targets for extortion, and some parts of the technical infrastructure are more vulnerable than others. This internal view is properly complemented by an assessment of the external threat landscape: which kinds of attack are common today and which may become common in the future. Information transfer between security domains and/or networks is, for example, one of the most exposed and vulnerable situations in cybersecurity today. Implementing data diodes, countersigning and encryption are three measures that will make a significant difference for many organizations in the coming years. Separate domains for different security levels are a good idea that can be implemented once one has specified which information is more important than the rest. A clear information hierarchy is necessary to maintain both efficiency and security.

NIS2: improving the NIS directive

The NIS directive includes a continuous review process to ensure incremental improvements and adaptations that keep pace with the rate of change in the digital world. This review has resulted in NIS2.

Identified weaknesses

  • European companies do not have sufficient ability to defend themselves against cyber attacks
  • European companies do not have sufficient ability to stay operational during a cyberattack
  • European companies do not have sufficient ability to return to normal functionality after a cyberattack
  • Some sectors and states are significantly stronger than others; the European digital landscape has obvious weaknesses
  • The cyber threat awareness among EU member states is low
  • There are no common crisis management practices regarding cyberattacks within the EU

Improvements through the NIS 2 Directive

The NIS directive has been extended to further enhance security. Here are some of the most important additions:

  • New sectors have been added
  • Increased minimum security and reporting requirements
  • Stricter supervisory measures for national authorities
  • Stricter enforcement requirements for national authorities
  • Administrative fines have been made possible
  • Increased cooperation and increased information sharing between Member States' authorities

The NIS2 Directive affects more entities

NIS2 covers more sectors, and more companies and organizations within each sector. The original NIS directive considers energy, healthcare, transport, finance, water supply and digital infrastructure critical for a functioning society. With NIS2, public administration, pharmaceutical production, critical medical technology and space have been added to the list.

The NIS2 directive also affects sectors on the periphery of critical infrastructure. These include waste disposal, chemicals, postal services, food, motor vehicles, production of medical devices, computers and electronics, machine equipment and digital suppliers.

The majority of affected entities are medium and large enterprises within the sectors mentioned above, but some small companies may also be affected depending on their profile.

Do you want to know more?

Helena Gällerdal Högfeldt
sales@link22.se
+46 13-13 24 00