Be prepared for the NIS2 Directive
It is high time to prepare for NIS2
There is a lively discussion going on in Sweden concerning the new EU NIS2 Directive on security of networks and information systems and what that directive means in practice. AFRY explains the implications of the directive and helps your company strike a balance between smooth business operations and protecting what’s worth protecting.
Clear and common threats
Just a few years ago, municipal civil preparedness exercises featuring air strikes or comparable attacks on public infrastructure could fail because participants were convinced that such scenarios were profoundly unrealistic. Today, with the war in Ukraine constantly in the news, more and more people have become aware of how vulnerable our society is and of the risks to which it is exposed. Robust cyber security must be built up without delay. AFRY has long worked with civil and cyber security across a broad array of sectors and can integrate a security perspective into all the products and services it offers.
"We’ve all heard about hacker attacks that now occur daily, targeting our agencies, companies, and civil organisations. For the average person, these attacks can mean missing social security benefits, disrupted web payments, or GPS malfunctions. All key activities in society today must be prepared for sabotage and malicious influence," says Filip Enander, Business Unit Manager Cyber Security at AFRY.
The EU's goal is to protect the common market
The purpose of the new NIS2 Directive is to protect the EU common market. The EU, with its 27 member states, is today a global leader in digital markets and infrastructure, and the threats directed at the Union increasingly come from hostile state-sponsored actors. In response, the EU is stepping up efforts to raise the quality of systematic information security across Europe and to strengthen the protection of digital structures and systems in both IT and OT. Attacks on these structures range from visible sabotage that takes systems down completely to subtler disruption and distortion of their functions, so that, for example, measuring devices deliver wrong values.
Swedish companies and organisations need to step up their information security work so that their efforts are commensurate with the EU's standards, and recognise that our digital systems are closely intertwined with those of other EU countries, whether those systems support energy transmission, traffic or cloud-based operations. The original NIS Directive already regulates part of this. NIS2 adds an extra layer of protection to the foundation already established nationally in Sweden through the Security Protection Act, which aims to protect digital systems against threats to national security.
The expansion of NIS2 is greater than many realise. Aside from the hefty sanctions awaiting those who ignore the new requirements, the number of businesses covered by the directive has become many times larger. Many hundreds of Swedish companies in the manufacturing sector alone will be affected. Moreover, food production, companies providing material and technology to the space industry, all kinds of digital services and chemical factories must now also comply with the NIS2 Directive.
- Mats Karlsson Landré, security advisor at AFRY
It is not unreasonable to expect that insurance companies will soon require providers of digital services, as well as other organisations that are critically important to the common market, to live up to the directive's standards in order to qualify for reimbursement in the event of cyber incidents.
Implementing NIS2 in practice
AFRY is traditionally an engineering company that works inside its customers' operations, so our consultants have extensive knowledge of customers' needs. We also have the expertise to analyse which customers are covered by NIS2, what is necessary to meet the EU requirements, and how the directive relates to the Security Protection Act. AFRY supports organisations across Europe in adapting to the requirements of the NIS2 Directive, including its national implementations. In Sweden, the new cybersecurity legislation is expected to enter into force by the end of 2025.
In addition to understanding the operations and the systems in use, it is also necessary to understand people, organisations, leadership and change management. For example, if an organisation is used to being open with its information, it usually takes a lot of work to add a security focus and teach employees to assess the confidentiality of sensitive information. This often means that processes, leadership, tasks and organisational culture must change so that cyber security becomes a natural part of the organisation's operations.
At AFRY we have worked on building a security culture in listed companies as well as in municipalities, regions and government authorities, and we know what it takes to change an organisation's way of working in a lasting way. Succeeding requires a delicate mix of legal, communication and sociological expertise alongside digital and technical skills. We are used to working in mixed teams and drawing on all of these.
We are experts in critical activities within energy, industry and infrastructure, both from the defence perspective and within civil defence, in Sweden and in many other markets. The most important thing we can offer to clients now is to extract the best working methods to achieve compliance, to define these methods in terms of a process for adopting systematic security procedures, and to fit that process into the customer's existing management system. Our long experience also gives us an understanding of the current regulations, and how NIS2 should be implemented in practice.
- Filip Enander, Business Unit Manager Cyber Security at AFRY.