NIS, GDPR and the Protective Security Act – what is the difference between them?
In recent years, many laws concerning IT security, cybersecurity and personal privacy have been introduced. It can be difficult both to know which laws or regulations you must follow and to understand what the difference is between them. In this blog post, we explain a handful of recently introduced security laws and regulations and what sets them apart from each other, so that you can better understand how they affect your business and what actions you need to take.
Hardly anyone missed GDPR coming into force in May 2018. By legislating meaningful rights for the individual, and corresponding obligations on the organisations that manage the information, control over the information is transferred to the individual. GDPR (General Data Protection Regulation) brings far-reaching changes to IT systems, and adapting all systems and procedures to the new requirements involves major effort. This opens up great opportunities for those who deliver services and products in the field of information security. It is no exaggeration to compare the scope of the work with the Y2K adaptation.
GDPR therefore aims to protect personal privacy, not data that is important for Sweden or for the organisation itself.
The Protective Security Act
To strengthen protective security, the Swedish Government proposed a new protective security law in 2018, which came into force in April 2019. The law, the Protective Security Act (2018:585), contains requirements for measures aimed at protecting information that is of importance for Sweden's security or that is to be protected according to an international protective security commitment. The protection of other security-sensitive activities, such as important information systems, is also strengthened.
The term Sweden's security refers to both military and civilian activities that may be of importance to Sweden's security. What needs to be protected to counter threats to Sweden's security may change over time to some extent, but the activities that are important for Sweden's security today all fall into one or more of the following categories:
- Activities that are important for Sweden's external security: This means Sweden's ability to maintain national defence (territorial sovereignty) as well as Sweden's integrity, independence and freedom of action (political independence).
- Activities that are important for Sweden's internal security: This refers to Sweden's ability to maintain and ensure basic structures in the form of the democratic state, the judiciary and a law enforcement capacity at the national level.
- Nationally important activities: This means deliveries, services and functions that are necessary for society's functionality at the national level.
- Activities that are important for Sweden's economy: This refers to the national ability to pay.
- Damage-generating activities: This includes an activity that, if exposed to an antagonistic act, can generate damaging consequences for other security-sensitive activities.
The law applies to activities run in both the public and private sectors, and those concerned can seek support and advice from the Security Service, the Armed Forces and other supervisory authorities. What is new is that businesses holding data worth protecting are covered even if that data is not formally classified as secret. This can, for example, concern critical infrastructure and its operational systems, since these represent a potential vulnerability.
How to work with protective security
Work on protective security needs to begin with an active stance on whether an activity is to some extent security-sensitive. In practice, this means that operators, if the answer is not obvious, need to carry out the first step of a protective security analysis and, based on that, decide whether their activities fall within the scope of protective security.
The best way to start complying with the Protective Security Act is to carry out a protective security analysis – read our guide on how to do such an analysis!
The NIS Directive
Another regulation that is sometimes mixed up with the Protective Security Act is the NIS Directive. The NIS Directive aims to promote security measures and raise the EU member states' level of protection of critical infrastructure. In other words, it improves the information security of operators in sectors that provide essential services to our society and economy. Since NIS is an EU directive, it must be transposed into national law; in Sweden this has been done through the Act on Information Security for Providers of Essential and Digital Services.
The NIS Directive tightens the requirements for information security in terms of integrity and availability. People, processes and technology must all be taken into account to ensure information security in the affected organisations. A better general understanding of information and system risk classification, together with impact assessments, contingency plans and action plans, is necessary to improve resilience against attacks. Incidents are to be reported, both to increase knowledge and to raise preparedness. In short, the focus lies on the network and information systems that are used.
After the introduction of the NIS Directive, a process was adopted to review the directive regularly. This has led to a proposal for a directive on measures for a high common level of cybersecurity across the EU, known as NIS 2. Once the new proposal is agreed upon, EU member states have 18 months to apply the new NIS 2 Directive.
Based on the deficiencies identified in these reviews, new additions have been made, creating the NIS 2 proposal. These are the most prominent new additions:
- Higher demands on security and incident reporting, with a minimum list of requirements that must be followed
- Security of supply chains and suppliers
- Elimination of the distinction between operators of essential services and digital service providers
- Stricter supervisory measures for national authorities and firmer enforcement requirements
- Harmonisation of sanction regimes across member states, including the possibility of issuing administrative fines
- An enhanced role for the Cooperation Group and increased information sharing and cooperation between member state authorities
In the new proposal, new sectors have been added based on how vital they are for society and the economy. A wider range of companies within each sector will also be included. In the current NIS Directive, there are seven affected sectors: energy, transport, banking, financial market infrastructure, healthcare, water supply and digital infrastructure. These sectors will be joined by manufacture of pharmaceutical products including vaccines and of critical medical devices, public administration, and space.
Other important entities that will also be affected are postal and courier services, waste management, chemicals, food, manufacturing of other medical devices, computers and electronics, machinery and equipment, motor vehicles, and digital providers. Within each affected sector, all large and medium-sized businesses within the EU will have to comply. Smaller businesses can also be affected if this is deemed necessary due to their risk profile.
Here are some actions that all companies affected by NIS will have to take:
- Take security measures to protect the security of networks and information systems. This includes risk analysis and information system security policies.
- Report incidents that affect the continuity of the services (covering prevention, detection and response to incidents).
- Work with business continuity and crisis management as well as supply chain security. This includes having policies and procedures for cybersecurity risk management measures.
- Use cryptography and encryption.
- Submit to supervision by designated supervisory authorities.
- Work systematically and on a risk basis with their information security.
The difference between the NIS Directive and the Protective Security Act
These two regulations might seem similar, but they are quite different. What makes things complex is that parts of the same organisation may in some cases have to adapt to one, or sometimes both, of the regulations – but for different reasons. This depends entirely on the nature of the business. See three different scenarios in the illustration below.
The Protective Security Act applies to the protection of activities or information that may be important for Sweden's security. The NIS Directive sets requirements linked to the networks and information systems on which a business depends in order to deliver essential or digital services. The same network and information system may also be covered by the Protective Security Act, which in addition may cover other types of activities. Many organisations can thus be affected by both regulations, but the parts covered by protective security are exempt from the NIS Directive.
To fall under the Protective Security Act, you must have activities or process information that falls within the framework of protective security (see the description above). This can apply to networks, information systems and other parts of the business.
If you deliver essential or digital services, you are covered by the NIS Directive. The requirements in the NIS Directive apply only to the networks and information systems on which the delivery of the essential or digital service depends.
The difference between the NIS directive and GDPR
When first comparing the two, it is easy to believe that GDPR and NIS overlap a great deal. In fact, the differences are greater than the similarities: NIS is about increasing the protection of infrastructure, while GDPR is about protecting personal data.
Some actors are affected by both sets of rules, but for these it is usually different departments that are affected. For an electricity company, for example, NIS is more relevant to the delivery and operations organisation, while GDPR is more relevant to customer service and finance functions.
If you are still unsure what kind of protection you need, read our guide!
Do not hesitate to contact us if you have any further questions!