Be prepared for the NIS2 Directive
It is high time to prepare for NIS2
There is a lively discussion going on in Sweden concerning the new EU NIS2 Directive on security of networks and information systems and what that directive means in practice. AFRY explains the implications of the directive and helps your company strike a balance between smooth business operations and protecting what’s worth protecting.
Clear and common threats
Just a few years ago, municipal civil preparedness exercises featuring air strikes or comparable attacks against public infrastructure could fail because participants were convinced that such scenarios were profoundly unrealistic. Today, with the war in Ukraine constantly in the news, more and more people have become aware of how vulnerable our society is and of the risks to which it is exposed. Building robust cyber security is now urgent. AFRY has long worked with civil and cyber security across a broad array of sectors and can integrate a security perspective into all the products and services it offers.
"We’ve all heard about hacker attacks that now occur daily, targeting our agencies, companies, and civil organizations. For the average person, these attacks can mean missing social security benefits, disrupted web payments, or GPS malfunctions. All key activities in society today must be prepared for sabotage and malicious influence," says Filip Enander, Business Unit Manager at AFRY Cyber Security.
The EU's goal is to protect the common market
The purpose of the new NIS2 directive is to protect the EU common market. The EU, with its 27 member states, is today a global leader in digital markets and infrastructure. The threats directed towards the Union increasingly come from hostile state-sponsored actors. This is why the EU is stepping up efforts to raise the standard of systematic information security across Europe and to strengthen the protection of digital structures and systems in both IT and OT. Beyond visible sabotage, threats against these structures include taking systems down completely or disrupting and distorting their functions so that, for example, measuring devices deliver wrong values.
Swedish companies and organizations need to step up their information security work so that their efforts are commensurate with the EU's standards, and they need to recognize that our digital systems are closely intertwined with those of other EU countries, whether those systems support energy transmission, traffic, or cloud-based operations. The original NIS directive already regulated part of this. NIS2 adds an extra layer of protection on top of the foundation already established nationally in Sweden through the Security Protection Act, which aims to protect digital systems against threats to national security.
The expansion of NIS2 is greater than many realise. Aside from the hefty sanctions awaiting those who ignore the new requirements, the number of businesses covered by the directive has become many times larger. Many hundreds of Swedish companies in the manufacturing sector alone will be affected. Moreover, food production, companies providing material and technology to the space industry, all kinds of digital services and chemical factories must now also comply with the NIS2 Directive.
- Mats Karlsson Landré, security advisor at AFRY
It is not unreasonable to expect that insurance companies will soon require providers of digital services, as well as other organizations that are critically important to the common market, to have met the directive's requirements in order to qualify for reimbursement in the event of a cyber incident.
Implementing NIS2 in practice
AFRY is traditionally an engineering company that works inside its customers' operations, and our consultants therefore have extensive knowledge of customers' needs. We also have the expertise to analyse which customers are covered by NIS2, what is necessary to meet the EU requirements, and how the directive relates to the Security Protection Act. In this way, AFRY supports businesses that must adapt to the national law transposing NIS2, which member states are required to have in place by 17 October 2024.
"We are today experts in critical activities within energy, industry and critical infrastructure, both from the defence perspective and within civil defence, in Sweden and in many other markets. The most important thing we can offer customers now is to extract the best working methods for achieving compliance, to define these methods as a process for adopting systematic security procedures, and to fit that process into the customer's existing management system. Our long experience also gives us an understanding of the current regulations and of how NIS2 should be implemented in practice," says Johanna Cederström, senior advisor within societal security at AFRY.
In addition to understanding the operations and the systems used, it is also necessary to understand people, organisations, leadership, and change management. For example, if an organisation is accustomed to being fully transparent, it usually takes a lot of work to add a security focus and to teach employees to assess the confidentiality of the information they handle. This often means that processes, leadership, tasks, and organisational culture must change so that cyber security becomes a natural part of the organisation's operations.
At AFRY, we have worked on implementing a security culture in listed private companies as well as in municipalities, regions, and government authorities, and we know what is required to change an organisation's way of working in a lasting way. Succeeding requires a delicate mix of law, communication, and sociology alongside digital and technical expertise. We are used to working in mixed teams and using all our skills.
- Filip Enander.