What are NIS2 and the cybersecurity law?

The original NIS directive was adopted by the EU in 2016 and entered into force in Swedish law in August 2018, with the aim of establishing and maintaining a high common level of security among critical networks and actors within the EU. Since then, the threat landscape has changed and cybersecurity requirements have increased, which resulted in NIS2, adopted in December 2022: an updated directive with stricter requirements for security testing, risk and incident management, and reporting.

When the NIS directive came into effect in 2018, it covered providers of critical services including actors within energy, transport, banking, financial market infrastructure, healthcare, drinking water supply, and digital infrastructure. It also covered digital services which included actors within internet-based marketplaces, internet-based search engines, and cloud services.

How does NIS2 differ from previous regulations?

Since then, the pace of digitalisation has increased, creating more attack surfaces and a more developed threat landscape – a development that resulted in the revised NIS2 directive. Member States were tasked with implementing NIS2 into national law by 17 October 2024. Here in Sweden, the rules and supervision will be introduced sector by sector in 2025–2026.

NIS2 introduces a new categorisation of the sectors covered. Instead of the division into critical (essential) services and digital services, entities are now classed as essential or important. Mainly medium-sized and large organisations are included, but smaller ones may also be covered if they are critical. More sectors have been added, so NIS2 now covers, in addition to the areas mentioned above, actors within:

  • Sewage management
  • Waste management
  • Chemical industry
  • District heating, district cooling, and hydrogen
  • Food
  • Public administration
  • Manufacturing industry
  • Postal services
  • Space activities

Are you affected? Organisations should evaluate for themselves whether they are covered by NIS2. Read more at MCF

What requirements does NIS2 entail?

NIS2 entails risk and incident management as well as active work, both technical and organisational, to prevent cybersecurity incidents within the organisation. The following requirements are important to be aware of:

  • Risk analysis. Investigate which security threats and risks are connected to your organisation and which measures must be in place to manage them. One way is to map your IT and, where relevant, OT/ICS environment, including systems, integrations, data and supply chain. Also perform a gap analysis against NIS2 and produce a prioritised roadmap.
  • Incident management. Establish a plan detailing the procedures that apply in the event of a cybersecurity incident, how your services are to be restored, and how the incident is to be reported. Cybersecurity training is required throughout the organisation, from the shop floor to the boardroom, so that all employees know how to act on signs of intrusion. Complement this with business continuity and disaster recovery plans (BCP/DR), regular exercises, and clear escalation paths and contacts.
  • Security measures. Ensure that both technical and organisational security measures are in place to protect your environment, network, and information systems. Nordlo can assist you with, among other things, security testing, SOC, IAM, MFA, EDR, patch management, and network segmentation.
  • Incident reporting. If a serious security incident occurs, it must be reported to the relevant sector authority. There are a few deadlines to keep track of: early warning within 24 hours, a detailed incident report within 72 hours, and a final report within one month. Which types of incidents must be reported differs between actors. Read more at MCF.
  • Supplier security. Apply appropriate security requirements throughout the entire supply chain, from your organisation to its suppliers and service providers. Include requirements on due diligence, security metrics, and audit rights in procurement and contracts.
  • Collaboration. NIS2 strengthens cooperation between national cybersecurity authorities, CSIRTs, and the covered entities themselves so that information about threats and vulnerabilities can be exchanged. Participate in information sharing via the national CSIRT and industry forums, and build on established frameworks such as ISO 27001, NIST, or the CIS Controls, which give a common language for coordination across organisations and countries.
  • Management responsibility and sanctions. Management must approve and monitor risk management and allocate the necessary resources. Deficiencies may lead to sanctions and increased supervision, and management can be held personally responsible for shortcomings.

To summarise, the revised directive means stricter requirements for risk and incident management, security testing, coordination, and reporting. This includes minimum requirements for security measures, increased and more specific reporting obligations, as well as enhanced remedies and sanctions to ensure compliance with the directive. In addition, NIS2 aims for better collaboration and information sharing between authorities, member states, and actors.

What happens if the requirements are not met?

From the directive's entry into force in January 2023, EU Member States had 21 months, until 17 October 2024, to incorporate it into national legislation. The consequences differ between countries, and penalties are imposed in the Member State where the entity's main establishment is located. If the requirements are not complied with in Sweden once the legislation applies, sanctions for essential entities can be up to 10 million euros or 2% of total global annual turnover, whichever is higher. For important entities, the corresponding maximum is 7 million euros or 1.4% of turnover, whichever is higher.

Failure to report serious security incidents can also lead to penalties and sanctions. If your organisation is among those covered by NIS2, it is important that you can demonstrate that the rules are followed and that management's responsibility can be scrutinised. We can help you create a structured security approach and protection for your organisation.

Read more about our security services

5 common questions and answers about NIS2 and the Cybersecurity Act

  • Are we covered by NIS2?
    It depends on which sector your company belongs to, size and criticality. Are you classed as an essential or important entity? Conduct your own assessment and follow MCF's guidance.
  • What requirements must we meet?
    NIS2 entails stricter requirements on risk analysis, technical and organisational security measures, incident management and training, continuity plans, supplier security and cooperation/information sharing.
  • How do we prepare practically?
    Map out your IT and supply chain, carry out a gap analysis against NIS2, develop a prioritised roadmap, establish processes for incident management and reporting. Also strengthen controls such as IAM, MFA, EDR, patching and network segmentation and conduct training throughout the organisation.
  • What reporting requirements and deadlines apply in the event of an incident?
    Early warning within 24 hours, detailed report within 72 hours and final report within 1 month to the relevant authority/CSIRT. Here the requirements may vary by sector.
  • What do the sanctions look like and what responsibility does management have?
    Management must approve and follow up risk management and allocate resources. Sanctions can amount to €10 M or 2% of turnover for essential entities and €7 M or 1.4% of turnover for important entities, whichever is higher. Also note that management can be held personally responsible for deficiencies.
