NIS2
Regulations for increased cyber security within the EU
The EU has adopted the new cybersecurity directive NIS2 to strengthen resilience against cyberattacks and digital vulnerabilities. The directive entered into force on 16 January 2023 and must be transposed into the member states' national legislation by 17 October 2024, with the national rules applying from 18 October 2024. NIS2 replaces the earlier NIS directive from 2016 and brings extended requirements, more covered sectors and clearer cooperation between member states.

What is NIS2?
NIS2 (the Network and Information Security Directive, Directive (EU) 2022/2555) is the EU's updated framework for improving the security of networks and information systems in critical sectors. The directive expands the scope compared to the original NIS directive and places higher demands on both public and private actors in a range of sectors, including energy, transport, finance, health and digital infrastructure. NIS2's goal is to improve the ability of these actors to prevent, detect and manage cyber threats and security incidents, thereby protecting the EU's economic and social interests.

Basic provisions
Extended application
NIS2 covers more sectors and actors than before. Besides traditionally critical areas such as energy and transport, NIS2 also covers sectors such as public administration, space and electronic communications services. The directive divides entities into two categories, "essential entities" and "important entities", with requirements that vary depending on which category an actor belongs to. Essential entities, such as energy suppliers, are subject to stricter, proactive supervision than important entities, which are supervised after the fact when there is evidence of non-compliance, but both categories must meet the same baseline security requirements.
Requirements for risk management and incident management
As with its predecessor NIS, NIS2 requires all covered actors to implement comprehensive security measures to manage risks associated with their network and information systems. Actors must establish processes to identify and manage potential cyber threats and ensure that their systems and data are protected. Incident management is a central part of NIS2, where all actors must be able to detect, report and remedy security incidents within strict time frames.
Reporting of incidents
An important change in NIS2 is the stricter reporting obligation for cyber incidents. Entities must notify their CSIRT or competent authority of significant incidents in stages: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification with an initial assessment of severity and impact within 72 hours, and a final report no later than one month after that notification. This is a significant tightening compared with earlier requirements and means that faster action can be taken to limit the damage from incidents and their spillover effects within the Union.
Supervision and Sanctions
Under NIS2, member states' responsibilities for supervision and enforcement are expanded. National authorities are empowered to carry out inspections and audits and to impose administrative fines to ensure that entities comply with their obligations. The penalties for non-compliance can be significant: essential entities face fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, and important entities up to €7 million or 1.4%, whichever is higher. Members of an entity's management body can also be held liable for failures to comply with the risk-management requirements.
Risk management and security controls under NIS2
Risk management system
Every organization covered by NIS2 must develop and implement a comprehensive risk management system for its network and information systems. This includes identifying critical assets and functions and ensuring that their protection is adequate. The requirement also means that the actors must continuously monitor and update their systems to deal with new threats.
Regular security tests
A central part of NIS2 is that actors regularly carry out security testing and vulnerability analyses of their systems and assess how effective their risk-management measures actually are. This includes penetration testing that simulates real cyber attacks to identify and fix weaknesses before they can be exploited by malicious actors.

Data protection and encryption requirements in NIS2
Encryption and data management
NIS2 places great emphasis on protecting data through cryptography and other data protection measures. Covered entities must have policies and procedures on the use of cryptography and, where appropriate, encryption, so that sensitive data is protected both at rest and in transit and stolen data cannot be used without the proper decryption keys. Note the limit of that protection: encryption at rest defends against theft of disks, backups or database dumps, not against an attacker who compromises an account or process that is authorised to decrypt, so key management and access control are part of the same control. Entities must also implement strong authentication mechanisms, such as multi-factor authentication (MFA) or continuous authentication, to protect their systems from unauthorised access.

Impact on companies and organizations
NIS2 means a significant change for many companies and organisations in the EU. Besides more sectors now being covered by the rules, higher demands are placed on risk management, incident handling and security testing. Companies that were not previously covered by NIS must now build up structures and routines to ensure that they meet the new requirements, which may mean investments in new technology, security staff and training. Supply-chain security is also an explicit part of the required measures: entities must address the security of their relationships with direct suppliers and service providers, so companies must review their supplier agreements to ensure that the external actors maintain the same level of security as they do themselves.
Collaboration and Information Sharing
The cooperation between member states mentioned in the introduction is given concrete structures in NIS2: a Cooperation Group for strategic cooperation and exchange of information between member states, the Commission and ENISA, a network of national CSIRTs for operational cooperation, and EU-CyCLONe for the coordinated management of large-scale cybersecurity incidents and crises. The directive also encourages covered entities to take part in voluntary cybersecurity information-sharing arrangements, for example to exchange information on threats, vulnerabilities and indicators of compromise with peers in their sector.
