
What is the NIS Directive?

To provide NIS appropriate security for your IT and OT you need to be in full control of your information security domains.
Learn how!

The NIS Directive, The Directive on security of network and information systems, is a directive, i.e. it is translated into each member state’s national legislation. This means that there may be differences in application.


What is the purpose of the NIS Directive?

The NIS Directive aims to promote security measures and boost EU member states’ level of protection of critical infrastructure. In other words, it improves information security of operators in sectors that provide essential services to our society and economy.



What is the story behind the NIS Directive?

Digitalisation not only creates business opportunities but opens more attack vectors to systems. The number of cyberattacks has increased sharply over the recent years, not only from criminals and script kiddies but also from state-funded forces with great endurance and vast resources. Raising information security within critical infrastructure raises society’s readiness for external disturbances.


What practical effect does the NIS directive have?

The NIS Directive tightens the requirements for information security in terms of integrity and availability. It is important to take people, processes and technology into account to ensure information security in the affected organisations. A better general understanding of information and system risk classification, together with impact contingency and action plans, is necessary to improve resistance to attacks. Incidents are to be reported as part of increasing knowledge and raising preparedness. In short, the focus lies on the network and information systems that are used.




What do operators need to do?


Cybersecurity entails more than mere technology. In order to create sustainable protection, systematic analysis of assets, threats and risks is required, including also processes and human aspects.

It is neither practical nor economically justifiable to protect all information the same way. Therefore, the first step is to identify information essential to operations. With this basic understanding, necessary measures can be pinpointed and prioritised.




To raise the cybersecurity of critical infrastructure in general, strict segmentation of industrial control systems (ICS/SCADA) has to be applied, combining logical separation with physical separation. This means keeping separate domains in the architecture isolated and allowing only very specific information to flow between them. An effective way to achieve this is by using products that replace manual transfer of information (air gap) and connect OT with IT systems at the highest level of security.



Today, in an ever more interconnected and digitalisation-driven reality, fully air-gapped solutions are no longer a viable alternative. You need to allow information to travel between domains, and you need to stay in control. You need Cross Domain Solutions.


How do you follow the NIS Directive?

When you start working on following the NIS Directive, you should ask yourself which parts of your business are central. This of course depends on the business in question. The harsh reality is that no one can protect all parts. Assets, threats, risks and risk appetite must therefore be weighed carefully against each other in order to find a reasonable balance and effective measures. It can also be a good idea to consider which parts are most vulnerable to cyberattacks. In general, data transfer between networks or communication between security domains is most vulnerable. Segmentation and secure data transfer are therefore often crucial for reliable operation. You should also ask yourself which information is in most need of protection, and whether you protect it well enough. The answer lies in the analysis of your assets, threats, risks and risk appetite. By understanding a potential attacker's capabilities and resources, you get an idea of how effective the protection must be. What level of risk is reasonable? Consider the consequences. What can the business not afford to lose? What must absolutely not go wrong?

In Sweden, the law on information security prevails for providers of socially important and digital services. The law is Sweden's way of adopting the NIS directive. These regulations contain a number of points that clarify how to adapt your business:

Systematic and risk-based information security work

The information security work regarding information management in networks and information systems used for socially important services shall not only be adapted to the organisation, but carried out with the help of the standards SS-EN ISO/IEC 27001:2017 and SS-EN ISO/IEC 27002:2017. Once the risks that exist have been identified, the organisation's responsibility for the work with information security must be clarified, all resources that are needed to be able to carry out the work should be ensured, and it must be ensured that the work is adapted and evaluated.

Demands on the information security work

The goal of the organisation's work with information security must be stated in a policy. You must also have a documented approach to, for example, classifying information, analysing risks and taking reasonable security measures. It is also important to educate employees and ensure that they understand how the work is to be performed and what their role is.

Specifics concerning network and information systems

It is of course of great importance that the networks and information systems used for socially important services meet the requirements for information security. You must also have solid incident management for the information in these systems and a plan for how incidents are to be handled and how the business should proceed after an incident.




What makes the NIS Directive different from the Protective Security Act?

The Protective Security Act applies to the protection of activities or information that may be important for Sweden's security. The NIS Directive sets requirements linked to the networks and information systems on which a business depends in order to deliver socially important or digital services. The same network and information system may be covered by the Protective Security Act, which may also cover other types of activities. Many organisations can thus be affected by both regulations, but the parts covered by security protection are exempt from the NIS Directive.

In order to fall under the Protective Security Act, you must have activities or process information that falls within the framework of security protection (see the description above). This can apply to networks, information systems and other parts of the business.

If you deliver socially important or digital services, you are covered by the NIS Directive. The requirements in the NIS Directive only apply to the networks and information systems on which the delivery of the socially important or digital service depends.

Potential new directive – NIS 2

Section added in February 2021.

The initial NIS Directive included a process for regular review of the directive itself. This has led to a proposal for a directive on measures for a high common level of cybersecurity across the EU, called NIS 2. Once the new proposal is agreed upon, EU member states have 18 months to apply the new NIS 2 Directive.

Deficiencies in the NIS Directive

The proposal for NIS 2 contains aspects that address deficiencies in the original NIS Directive. These deficiencies were found:


  • Businesses in the EU do not have a sufficient level of cyber resilience (cyber resilience is the resistance to a possible cyberattack, but also the ability to keep capacity up during an attack, and how well you return to your original capacity after an attack)
  • There is inconsistency between member states and sectors concerning cyber resilience
  • There is not a sufficient understanding among member states about present threats and challenges, and there is no joint crisis response




New additions in NIS 2

Based on these deficiencies, new additions have been made, creating the new proposal NIS 2. These are the most prominent new additions: 


  • New sectors (list further down)
  • Higher demands on security and reporting, where a minimum requirement list must be followed
  • Security of supply chains and suppliers 
  • Elimination of the distinction between operators of essential services and digital service providers 
  • Stricter supervisory measures for national authorities, firmer enforcement requirements
  • Aims at harmonising sanctions regimes across member states, enabling administrative fines to be issued
  • Enhancement of the role of the Cooperation Group, and an increase in information sharing and cooperation between member state authorities


Who is affected by NIS 2?

In the new proposal, new sectors have been added based on how vital they are for society and the economy. A wider range of companies within each sector will also be included.

In the current NIS Directive, there are seven affected sectors: energy, transport, banking, financial market infrastructure, healthcare, water supply and digital infrastructure. These sectors will be joined by manufacture of pharmaceutical products including vaccines and of critical medical devices, public administration, and space.

Other important entities that will also be affected are postal and courier services, waste management, chemicals, food, manufacturing of other medical devices, computers and electronics, machinery equipment, motor vehicles, and digital providers.

Within each affected sector, all large and medium sized businesses within the EU will have to comply. Smaller businesses can also be affected if deemed necessary due to their profile.


Need help?

When you start working with security protection, the first step is to carry out a security protection analysis. Identifying the most important information assets of the business also identifies the measures that need to be taken in order of priority.

To learn more about how to protect your most important information, read more about information security!

Do not hesitate to contact us at Advenica! 
