What Are NIS and NIS2?
The NIS Directive was introduced by the EU in 2016 as (EU) 2016/1148 to define requirements for the security of “Network and Information Systems” in organizations that deliver critical services to society. Examples of critical services include energy, water, healthcare, transportation, and electronic communication.
Each member state in the EU converted this directive into its own legislation. In Sweden this became “Lag (2018:1174) om informationssäkerhet för samhällsviktiga och digitala tjänster”.
What’s commonly called “NIS2” is an updated directive that the EU enacted last year as (EU) 2022/2555. This directive is currently in the process of being implemented into Swedish legislation, with a target date of Q3 2024. The updated legislation reflects new trends in the evolving cybersecurity threat landscape and works to standardize the implementation of the directive across the member states.
One other significant change between the two directives is an expansion in the types of organizations that will be considered “in scope.” This is the primary source of many of the conversations taking place today, as many organizations that will fall under NIS2 are not currently part of NIS.
What’s Required by NIS?
The requirements for an organization vary somewhat between the different sectors. In general, both generations of the directive lean heavily on existing standards and frameworks for cybersecurity, such as ISO and NIST:
- Establish a systematic method for continually improving the organization’s cybersecurity.
- Perform risk assessments regularly and have a clearly defined process for managing measures to mitigate identified risks.
- Implement standard protection measures for the organization’s network and information systems.
- Implement strong mechanisms for detecting events and well-defined processes for managing incidents.
- Prepare policies and procedures to document requirements and processes.
Two Tracks of NIS2
The discussions about a regulation such as NIS2, which is known in general but not in the country-specific implementation, often get muddled because we mix up the legal properties of the regulation with the cybersecurity aspects. In general, we know much less about the former than the latter.
There are several things we won’t know about NIS2 until the local legislation is enacted:
In some cases, the new legislation will be able to use structures that were developed for NIS, but there will be some changes as well. If nothing else, there are brand-new industry sectors that will require oversight and possibly brand-new government agencies to perform oversight.
We have a much better idea of what the technical requirements will be, in part because we have an existing NIS regulation and in part because we have lists of requirements that the directive passes on to each member state’s legislation.
This may include:
Truesec's NIS2 Program
To help your company leverage Truesec’s many capabilities, we're proud to launch the NIS2 Program. Some of the deliverables from this program will include:
- Continuous monitoring of legislative developments, both in NIS2 and in adjoining and sometimes overlapping legislation (such as DORA, CSA, and CRA).
- Scoping support for organizations.
- Implementation support for the NIS2 regulation.
- Information and education about security measures.
- Technical support from Truesec’s wide range of technical and compliance services.
What Should You Do Today?
We get this question a lot, and it’s tricky to answer, given that the regulation is being built as we speak.
Every indication is that the NIS2 legislation will continue to stay very close to existing standards and frameworks, specifically ISO and NIST. With this in mind, our answer at this time is:
- Pick a framework or standard to align your cybersecurity efforts with, and
- Perform an assessment or gap analysis against this framework/standard.
The benefits of this are manifold. For one, you’ll find out if you currently have gaps in your cybersecurity practice and establish processes for evaluating mitigating measures and activities to close these gaps.
As we get more information about the developing legislation, you’ll then only need to tweak the process rather than invent a brand new one.
How Can Truesec Help?
Truesec has resources that can help with all aspects of this regulation. We’ll document these services more closely in another publication, but some of the ways we can support an organization include:
- Legal and compliance analysis of scope.
- Vulnerability discovery as input to an educated risk assessment.
- Risk analysis.
- Comprehensive detection mechanisms for both IT and OT environments.
- NIST assessments.
- Advanced management methods for all types of incidents.
- Threat analysis.
- ISO gap analysis.
- Writing policies and procedures.
- Improved access control and modern authentication mechanisms.
- Secure IT infrastructure.
- Third-party analysis.
- Directed education for management and board.
Our team of specialists in IT Strategy and Cyber Law will help you navigate the new requirements as they mature and become law.
We now have a permanent landing page on our website, Understand and Comply With NIS2 - Join Our NIS2 Program - Truesec, that will be continually updated as we learn more about the legislation and develop additional support.
You can contact us through the landing page if you need guidance, and we’ll take it from there.