What is the NIS2 Directive?
NIS is an abbreviation of “Network and Information Systems Security Directive”. The NIS directive sets requirements for information security in public IT systems within the EU to protect networks and information systems that are crucial to the functioning of society by introducing measures to manage risks and incidents.
The Directive has a clear risk focus and enhances the requirements for cybersecurity for vital societal functions and relevant activities and employs sanctions for the failure to meet such requirements.
In order to live up to NIS2, extensive work on IT and information security is required. Most requirements are met by working with a management system towards a certification in information security (ISO 27001). For small and medium-sized companies and organizations, a certification according to SSF 1101 Cybersecurity BAS is a good basis for the requirements imposed by the introduction of the NIS2 directive.
Examples of security measures required by NIS2
Set forth below is a list of some of the security measures required:
- Authentication
- Authorisation and access control
- Cyber hygiene and cybersecurity training
- Incident management
- Continuity planning and crisis management
- Encryption policy and processes
- Risk management and security policy
- Risk management policy and processes
- Secure supply chains
- Secure network and information systems (acquisition, development, maintenance, vulnerability and secrecy)
Examples of industries affected by NIS2
The NIS2 Directive covers various sectors and industries which are deemed to be important to society’s critical infrastructure and digital network and information services. These industries are often critical to economic and social functions and national security. Examples of such industries include:
- The energy sector, including electricity production, distribution and networks;
- The transportation sector, including air traffic, railways, shipping and road traffic;
- The banking and financial sector, including payment services and securities trading;
- The health care sector in which computer systems are used for patient journals and medical services;
- Digital service providers, including cloud services, e-commerce and social media platforms;
- Water provision and sewerage management;
- Public administration and governmental authorities in which critical IT systems are used to support governmental functions and services provided to citizens;
- Food and agricultural sector, particularly as regards food security and food distribution;
- Chemical industry and other industries involving potentially dangerous processes;
- Digital services for the public such as e-mail services, search engines and digital platforms for communication.
These industries and sectors are covered by the NIS2 Directive in order to ensure that their digital infrastructure for network and information systems is protected against cyber threats. The Directive imposes requirements regarding the ability to resist any disruptions and ensure that attacks can be handled efficiently in order to protect social functions and security.
What you must do if you are covered by the NIS2 Directive.
Operations covered by the NIS2 Directive must employ different measures in order to fulfil the requirements of the Directive. Here are some of the most important ones:
1. Identify critical assets, services and infrastructure: The operation must identify which of its services and infrastructures are critical to society.
2. Secure the supply chain: Categorise and verify systematically the cybersecurity abilities and cyber hygiene of suppliers for the duration of an agreement.
3. Conduct risk assessments: Risk assessments must be carried out in order to identify and evaluate potential cyber risks to critical services and the infrastructure.
4. Prepare incident management plans: Plan management and recovery from incidents and cyberattacks which may affect critical services. The plan must also be rehearsed and tested for efficiency.
5. Implement security measures: The operation must implement suitable technical and organisational security measures in order to protect the digital infrastructure and information systems.
6. Incident reporting: In the event of a serious incident which affects critical services, the operation must report the event to competent authorities in accordance with the NIS2 Directive’s reporting requirements. An initial report must be able to be provided within 24 hours.
7. Cooperation with other actors: Cooperation with other operations and public authorities may be required to manage shared cybersecurity challenges and incidents.
8. Personnel training: It is important to train personnel in respect of cybersecurity issues in order to increase awareness and the ability to prevent and manage cyber threats.
By implementing these measures, operations affected by the NIS2 Directive may contribute to increasing national cybersecurity abilities and protect the digital infrastructure and our society’s critical services from cyber threats and attacks.
SSF 1101 Cyber Security BAS is adapted for small and medium-sized companies and organizations. Certifying yourself according to the SSF 1101 Cyber Security BAS standard creates a good basis for the requirements that the introduction of the NIS2 directive places on a large number of companies to demonstrate basic cyber security, not least linked to cyber hygiene in the supply chain.
Right now we are in the process of becoming accredited for ISO 27001 and are looking for companies or organizations that want to be certified. Contact SBSC for more information.
