How to avoid sanctions from NIS 2
On Thursday 10 November, the proposal for NIS 2 was adopted and the directive has now been published. In Sweden, thousands of organisations can be directly affected by the requirements. In addition, NIS 2 means that there will be a risk of large fines if you do not meet the requirements. So how do you make sure that your organisation will not be hit by the sanctions? In our blog, we give you the tips you need!
What is the NIS Directive?
The directive aims to speed up action and raise EU member states' level of protection in relation to critical infrastructure. In short, information security for socially important services must increase. The NIS Directive entered into force on 1 August 2018 in Sweden through the Act on Information Security for Providers of Socially Important and Digital Services.
Read more about the NIS Directive here!
What is new with NIS 2?
The original NIS Directive contained a process for regular review of its own content. This has led to a proposed directive for countries in the EU on measures for a high common level of cybersecurity - this is called NIS 2.
NIS 2 addresses deficiencies identified in the original NIS Directive, and new provisions have been added to close those gaps. These are the most prominent additions:
- Larger scale than NIS, more sectors considered essential services (list further down)
- Managers are held responsible for securing operations
- Incident reporting must now be done within 24 hours instead of 72 hours
- Higher security and reporting requirements, where a list of minimum requirements must be met
- Security for supply chains and suppliers
- Stricter supervisory measures for national authorities
- The distinction between "operators of essential services" and "digital service providers" has been removed
- Stricter regulatory measures for national authorities, stricter compliance requirements
- Harmonise sanctioning systems between Member States and enable administrative fines. The fine will be up to EUR 10 million or 2% of the company's total turnover worldwide
- The Cooperation Group gets a bigger role, as well as increased information sharing and cooperation between member states' authorities
Sectors affected by NIS 2
In the current NIS Directive, there are seven affected sectors: energy, transport, banks, financial market infrastructure, health, water supply and digital infrastructure. NIS 2 adds the following sectors to these: manufacturing of pharmaceutical products including vaccines and critical medical devices, public administration, and space.
New sectors have been added based on their importance to society and the economy, and more companies in each sector will be affected. This is a measure to respond to Europe's increased exposure to cyber threats.
Key sectors that will also be affected are postal and courier services, waste management, chemicals, food, manufacturing of other medical devices, computers and electronics, machinery, motor vehicles, and digital suppliers.
All large and medium-sized companies from these sectors within the EU are now affected. Even smaller companies can be affected if it is considered necessary based on the company's profile.
The extension of the scope covered by the new rules, by effectively forcing more businesses and sectors to take measures to manage cybersecurity risk, will help to increase the level of cybersecurity in Europe in the medium and long term.
What can happen if I do not follow NIS 2?
If an essential or important organisation does not meet the requirements, the following can happen:
- Fines of up to EUR 10 million or 2% of the total global annual turnover
- Management must take responsibility
- Temporary bans targeting managers
- A supervisor is appointed to monitor the organisation
How do I avoid being hit by the NIS 2 sanctions?
So what to do now?
1. First of all: Find out if you and/or your customers are covered by the directive. For example, if you are a business that provides a service necessary to sustain critical societal and/or economic activities, such as an energy company, you are classified as an "essential service operator". Then start by finding out what requirements are placed on you and do a gap analysis of the current situation.
2. Appoint a cybersecurity officer at management level. Since it is the management that will be held responsible in the event of an inspection, it is important that the responsibility is placed at this level.
3. Work systematically and in a risk-based way with information security. Read more here!
4. Take security measures to protect network security and information systems. This includes risk analysis and security policies for information systems. Read more here!
5. Make sure to implement well-organised incident management, that is, a system for reporting incidents that affect the continuity of services (covering prevention, detection, and response to incidents).
6. Work with a structured approach to risk management. You need to work in a structured way with business continuity and crisis management as well as supply chain security. This includes having policies and procedures in place for cybersecurity risk management measures.
7. Introduce policies and procedures regarding cryptography and, where appropriate, encryption.
8. Prepare for supervision by your sector's designated supervisory authority.
Do you need help? Do not hesitate to contact us at Advenica!