By 17 October 2024, only a few months from now, EU Member States must have transposed NIS 2 into national law, and from then on national authorities will be able to audit organisations for compliance. Our advice is to start preparing now, even if it is not yet established exactly what NIS 2 will mean for your country’s legislation. In this blog post, we explain what the NIS 2 directive entails, what to consider when you start preparing for the upcoming law, and how to strengthen your information security.
What is new with NIS 2?
The original NIS Directive required a regular review of its own content. That review led to a new directive on measures for a high common level of cybersecurity across the EU, Directive (EU) 2022/2555, known as NIS 2.
NIS 2 addresses the deficiencies identified in the original NIS Directive. These are the most prominent changes:
- Broader scope than NIS, with many more sectors covered
- Management bodies must approve and oversee the cybersecurity risk-management measures and can be held liable when they fail to do so; they are also required to undergo training
- Tighter incident reporting: an early warning within 24 hours of becoming aware of a significant incident, a full incident notification within 72 hours, and a final report within one month (the original NIS Directive only required reporting “without undue delay”)
- Higher security and reporting requirements, with a list of minimum risk-management measures that must be implemented, among them policies on risk analysis, incident handling, business continuity, supply chain security, cryptography, access control, and multi-factor authentication
- Security of supply chains and supplier relationships, including the security of the products and services obtained from direct suppliers
- The distinction between “operators of essential services” and “digital service providers” has been removed; entities are instead classified as essential or important, with the same minimum requirements but different supervisory regimes (proactive and reactive supervision for essential entities, reactive only for important entities)
- Stricter supervisory and enforcement measures for national authorities, and stricter compliance requirements for the entities under supervision
- Harmonised sanctions across Member States, including administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities (EUR 7 million or 1.4% for important entities)
- The Cooperation Group gets a bigger role, and information sharing and cooperation between Member States’ authorities increase
Do not wait – start strengthening your information security now!
In late February 2024, it will become clear what specific demands the new law will place on organisations in Sweden. However, it is always better to be prepared and to have started working on information security before that date: if you start from square one at the end of February, you will not have enough time before October. And looking to consultants for help at that point may be both difficult and expensive.
Luckily, there is much you can do and prepare before the clarifications on NIS 2 arrive in late February. Here are eight pieces of advice to get you on the right track with your information security!
1. Realise that information security means more than technology
Today, a great deal of information is managed in IT systems, which often leads people to equate information security with IT security. But people and processes have to be included too, and all three parts are equally important to succeed. Systematic and continuous work based on assets, threats and risks is vital for creating sustainable protection.
2. Information security work has to be linked to your organisation’s risk management
All security work has to be based on how risks are managed in the environment where you operate. Information security-related risks have to be treated the same way as other risks.
3. Ensure that management takes its responsibility
The responsibility for security work always lies with management, as only management can decide not to act on a security risk. Given how the rate of cyberattacks is accelerating, a decision not to invest in information security means that both the organisation and its management take a huge financial risk.
4. Review procedures and processes
Information security encompasses the entire organisation’s operations and all of its information, regardless of whether it is stored in computers or on paper. Start by mapping out routines and processes, who has access to which information and systems, and the current state of your security thinking.
5. Ensure the right resources
Information security work must be conducted systematically and continuously to ensure an adequate level of information security in an organisation. For successful information security work, you need management’s commitment and the right resources.
6. Start with an analysis
Systematic information security work should always be adapted to the specific circumstances of an organisation. We recommend starting with an analysis of both the outside world (threats, regulation, dependencies) and your own operations. Based on the results, you can then decide which security measures have to be implemented.
7. Develop a security policy (this helps you to maintain information security)
Governing documents such as a security policy form the formal framework for your information security work. In them, you specify what must be in place, what should be done, and how it should be done.
8. Get help from those with in-depth information security knowledge
Getting started with systematic information security work on your own can feel overwhelming. If possible, get help from people with extensive knowledge of information security.
Read more about information security!
Start working with network segmentation
An important part of improving your information security is network segmentation. Segmenting a network means dividing it into separate subnetworks, or segments, with controlled and filtered traffic between them. The main benefits are security, since an intruder who compromises one segment cannot move freely into the others, and performance.
Here are five steps that you can use as a starting point when you start planning your segmentation project:
- Create a zone model
- Define what should be segmented
- Perform a security analysis of included systems
- Arrange the systems according to the zone model
- Implement, test and put into operation
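As an added example of what the first four steps above produce (not code from the original post), the script below expresses a zone model as data: zones defined by address range, an allow-list of permitted zone-to-zone edges and ports, and a check that evaluates observed flows against the model before anything is enforced. All zone names, subnets, ports and flow records are hypothetical and constructed for the example.

```python
"""Zone-model check for a network segmentation plan (added example).

Zones, subnets, allowed edges and the sample flows are hypothetical.
"""
from ipaddress import ip_address, ip_network

# Step 1: the zone model. Each zone is a trust level with its own address range.
# "internet" is the catch-all and must stay last.
ZONES = [
    ("ot", ip_network("10.40.0.0/24")),        # PLCs and HMIs; most protected
    ("servers", ip_network("10.30.0.0/24")),   # internal application servers
    ("dmz", ip_network("10.10.0.0/24")),       # externally reachable services
    ("office", ip_network("10.20.0.0/16")),    # user workstations
    ("internet", ip_network("0.0.0.0/0")),
]

# Steps 2-4: which zone-to-zone edges are allowed, and on which destination
# ports. Anything not listed is denied. Traffic inside one zone is allowed
# here; host-level controls would handle that separately.
ALLOWED = {
    ("internet", "dmz"): {443},
    ("office", "dmz"): {443},
    ("office", "servers"): {443, 3389},   # hypothetical: web apps and admin RDP
    ("dmz", "servers"): {5432},           # web tier to its database only
    ("servers", "ot"): {502},             # only the historian may poll Modbus
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; the "internet" catch-all matches everything."""
    addr = ip_address(ip)
    for name, net in ZONES:
        if addr in net:
            return name
    raise ValueError(ip)  # unreachable because of the catch-all


def check_flow(src: str, dst: str, dport: int) -> tuple[bool, str]:
    """Return (allowed, reason) for one observed flow under the zone model."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True, f"intra-zone ({s})"
    ports = ALLOWED.get((s, d))
    if ports is None:
        return False, f"no edge {s} -> {d}"
    if dport not in ports:
        return False, f"{s} -> {d} allowed only on {sorted(ports)}, got {dport}"
    return True, f"{s} -> {d}:{dport}"


# Constructed flow records (src, dst, dport), as you would export them from a
# firewall or NetFlow collector while the network is still flat.
SAMPLE_FLOWS = [
    ("203.0.113.5", "10.10.0.10", 443),   # internet -> dmz web server
    ("10.10.0.10", "10.30.0.20", 5432),   # dmz web -> database
    ("10.20.1.15", "10.30.0.20", 443),    # office -> application server
    ("10.20.1.15", "10.40.0.5", 502),     # office -> PLC directly: violation
    ("10.30.0.20", "10.20.1.15", 445),    # server -> workstation SMB: violation
    ("10.20.1.15", "10.20.1.99", 445),    # office -> office: intra-zone
    ("10.10.0.10", "10.30.0.20", 22),     # dmz -> server over SSH: wrong port
]


def find_violations(flows):
    """Return the flows the zone model forbids, each with the reason."""
    out = []
    for src, dst, dport in flows:
        ok, reason = check_flow(src, dst, dport)
        if not ok:
            out.append(((src, dst, dport), reason))
    return out


if __name__ == "__main__":
    for (src, dst, dport), reason in find_violations(SAMPLE_FLOWS):
        print(f"DENY {src} -> {dst}:{dport}  ({reason})")
```

Running the script over real flow data before step 5 tells you, for each denied flow, whether the model is missing a legitimate edge or the flow is something that should stop once segmentation is enforced. Resolve every violation one way or the other before the rules go live, otherwise the cut-over will break production traffic.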
Read more about how to do this in our White Paper and in our guide!
Prepare for audits
The best way to get through an audit is to prepare: by strengthening your information security and making sure you fulfil the requirements of NIS 2, of course, but also in terms of documentation.
Preparing for an audit can take a long time, so having already documented what your organisation has done to protect its information will save you a lot of time and stress if you are audited. Document review is one of the standard audit methods, so make sure that everything an auditor may ask for is documented and up to date. Security solutions that remain stable over time reduce the burden of continuously updating the documentation.
Even though it has not yet been established what NIS 2 will mean for your country’s legislation, start documenting how you work with information security now! It will be easier to adjust that documentation later than to start from scratch at the end of February.
Do you have any questions, or do you need help strengthening your information security? Do not hesitate to contact us!
Read more about the NIS Directive and NIS 2!