As the digital transformation accelerates worldwide, cyber threats targeting critical infrastructure and essential services are also on the rise. It becomes crucial for all EU member countries to fortify their cybersecurity strategies. A central part of this effort involves the transition from the NIS Directive to the NIS2 Directive. This blog post explores the significance of these two directives from an information security point of view.
What is the NIS Directive?
The NIS Directive was adopted in 2016 and was the EU’s first step towards a common and better cybersecurity strategy between member countries. It required all member states and certain businesses to take appropriate and proportionate measures to manage cybersecurity risks. It covered sectors such as energy, transportation, banking, healthcare, and digital service providers, see a more detailed list further in this blog post.
Advancing Towards NIS2: Strengthening and Expanding Regulatory Measures
With the ever expanding and rapidly evolving cyber threat landscape, it was apparent that the NIS Directive could only do so much, and an update was of utmost importance. The EU created the NIS2 Directive with the intent to increase the obligations and coverage compared to the NIS Directive. Some changes that the NIS2 Directive bring to the table is:
- An Expanded Scope: NIS2 will cover more sectors and businesses, meaning that more organizations will now need to comply with these new regulations.
- Enhanced Security Requirements and Incident Reporting: NIS2 strengthens the requirements for security risk management by adding demands on risk analysis. Incident reporting for organizations will also be modified.
- Improved Supervision and Sanctions: The NIS2 Directive is a unified framework for cross-border cooperations between member countries as well as imposing higher penalties for non-compliance. The goal is to ensure consistent implementation between all member countries.
Significance for Sweden
For Swedish authorities and businesses, the transition to the new NIS2 Directive represents an opportunity to improve and strengthen cybersecurity measures.
By improving an ability to prevent, detect, and manage cyber threats, Sweden can protect its national infrastructure but also contribute to the security infrastructure throughout the EU.
What Organizations and Sectors are Covered by NIS2
- Energy
- Transportation
- Banking
- Finance
- Health Care
- Drinking Water
- Sewage Water
- Digital Infrastructure
- Digital Services
- Administration of Information- and Communication Technology Services (IKT) between organizations
- Public Service
- Space
- Postal - and Courier Services
- Waste Management
- Manufacturing, Production, and Distribution of Chemicals
- Production, Processing, and Distribution of Food
- Manufacturing of Medical Products
- Research
Looking to the Future
Implementing this new NIS2 Directive in your organization means ensuring that you are well-prepared. This includes activities such as:
- Assessing existing internal cyber security strategies
- Updating incident management policies
- Securing and strengthening collaboration within and outside the organization
In writing moment, Sweden is still in its early moments on how to adapt the NIS2 Directive. The government is supposed to deliver the final report by September 16th, 2024, and the Directive is set to be conformed on October 18th, 2024.
Do you and your organization need advice on NIS2?
Connect with us at Onevinn.
