NIS2: Key changes in cyber security

The EU with its 27 member states is currently the global leader in digital security, i.e., the protection of digital structures and systems against hostile attacks. An increasing number of IT incidents are taking place, threatening society's essential and important operations. Such incidents may entirely disable IT systems, distort built-in functions without the knowledge of the system owners, or might otherwise seriously disrupt normal operations.

Consequently, the EU must protect the Common Market, which is increasingly dependent on a high level of digital maturity. By implementing NIS2 and a series of other directives, the capability of the member states to resist cyber threats is increased.

Sectors that are marked by a high degree of automation and digitization, particularly operational technology (OT) in the manufacturing industry, will be greatly affected by the NIS2 directive. Companies must start taking cyber security hygiene requirements into account throughout all product and service life cycles.

Companies must implement many new routines and processes to maintain a high level of security. AFRY has extensive experience with implementing a management system for systematic security procedures and can support all parts of the organizational change process.

How to prepare your business according to NIS2

  1. Does NIS2 apply to your business? Assess against the directive's entity rules
  2. Identify and analyse cyber security threats and vulnerabilities
  3. Map your business, supply chain and collaboration with others
  4. Design a strategy to address discovered vulnerabilities and create a cyber hygiene management system
  5. Train everyone in the business - create a culture of security

The NIS2 directive expands a list of industries and public services already cataloged in the first NIS directive appendices. These industries and services are divided into two classes - essential and important entities. The two classes demand essentially the same kind of cyber security, but they differ when it comes to supervision and sanctions. For important entities, any supervision must be justified in advance by an incident, suspicion of incident, deficiency, or non-conformity. For essential entities, however, regulators may conduct proactive unannounced ad-hoc inspections, regardless of any previous incidents or suspicions. Regulators also have a range of sanctions at their disposal.

The NIS2 Directive expands supervision

National cyber incident reporting to the European Commission and to the EU Cyber Security Agency ENISA will become more extensive after NIS2 than it was before. Supervisory possibilities will also be expanded. Under NIS2, supervision of essential entities will be proactive, which means that the supervisory authority can carry out inspections without any previous incident report or any suspicion of deviations. Supervision of important entities will be more reactive and will be based on a reason determined prior to inspection.

New functions of societal importance that are covered by NIS2
  • Mail and courier handling
  • Waste management

  • Food

  • Medical equipment

  • Digital marketplaces

  • Search engines

  • Community administration

  • MSP and MSSP

  • Chemicals

  • Social networks

  • Space services

  • Drainage

Functions of societal importance that are already covered by NIS1 and now by NIS2
  • Energy (District heating, cooling, electricity, oil, gas, hydrogen)

  • Gas, incl. biogas and hydrogen

  • Transport

  • Banking and Finance

  • Health care, incl. lab and research

  • Drinking water

  • Digital infrastructure

Functions that are critical (Essential Entities)
  • Energy (district heating, cooling, electricity, oil, gas, hydrogen)

  • Transport (air, rail, shipping, roads)

  • Banking and Financial market infrastructure (payment services, etc.)

  • Drinking water and sewage

  • Digital infrastructure

  • Community administration (public administration)

  • Space services

Important Entities
  • Mail handling

  • Food production and distribution

  • Medical equipment

  • Digital marketplaces

  • Search engines

  • MSP and MSSP

  • Chemicals

  • Health care incl. lab and research

  • Gas incl. biogas and hydrogen

  • Social networks (digital)


For more information, please contact:

Filip Enander - Business Unit Manager Cyber Security

Mats Karlsson Landré - Senior OT Security Advisor
