Navigating the Transition: Understanding NIS2 and Its Implications

In the ever-evolving landscape of cybersecurity regulation, the Network and Information Security Directive (NIS Directive) was an important first step, paving the way for new cyber regulations and guiding organisations in fortifying their digital defences. As businesses strive to adapt to emerging threats and regulatory change, the introduction of NIS2 marks a significant milestone. Understanding the differences between NIS1 and NIS2 is crucial for organisations aiming to stay compliant and resilient in the face of cyber risks.

What is NIS2?

NIS2, or the Network and Information Systems 2 Directive, represents the European Union’s updated approach to bolstering cyber security resilience across several sectors. Building upon the foundations laid by its predecessor, NIS1, NIS2 aims to address emerging threats, technological advancements, and the evolving digital landscape.

Important differences introduced by the NIS2 Directive:

  1. Broader scope: NIS2 expands the scope of critical sectors to include not only essential services but also additional sectors like research, education, and manufacturing. This reflects the structure of modern society and the need to protect a wider range of services and activities.
  2. Wider impact: The new requirements will apply to the entire operations of an entity that falls under NIS2, not only to its essential and digital services.
  3. Enhanced cooperation: The Directive emphasises increased cooperation and information sharing among member states, recognising that cybersecurity threats are often cross-border in nature.
  4. Incident reporting obligations: NIS2 introduces mandatory incident reporting for a broader range of entities, including digital service providers. This ensures that any cybersecurity incident with a significant impact is promptly reported, enabling faster response and mitigation measures.
  5. Increased sanctions: If an entity is not compliant with the Directive, the level of possible sanctions increases. The current minimum level of administrative fines should remain at SEK 5 000, but the maximum level will be increased substantially:
     1. For essential operators, a maximum of:
        • 2% of the essential entity’s entire global turnover of the preceding fiscal year, or
        • EUR 10 000 000
     2. For important operators, a maximum of:
        • 1.4% of the entity’s entire global turnover of the preceding fiscal year, or
        • EUR 7 000 000
     3. For public sector operators in Sweden, a maximum of SEK 10 000 000

Who will be affected?

The NIS2 Directive increases the number of impacted sectors from 7 to 18. Essential sectors with high criticality are:

The requirements will, as a general rule, apply only to private entities that employ at least 50 people or have a minimum annual turnover of EUR 10 million. This means that small enterprises would not be affected. However, certain specifically identified individual operators will be covered by the act regardless of their size.

Tips on Navigating the Transition:

As organisations prepare to transition from NIS1 to NIS2 compliance, or start completely fresh, here are some key considerations to begin with:

  1. Assess whether your entity is in scope for the NIS2 Directive and, if so, register with the relevant supervisory authority.
  2. Measure your maturity level through a gap analysis to assess your current state.
  3. Ensure that the existing cyber and information security framework includes relevant organisational and technical measures, including internal compliance controls.
  4. Identify critical systems and their potential risks, and conduct a risk assessment that results in an action plan.
  5. Raise awareness and provide training to all your employees.
  6. Update your governing documents including your information security policy.
  7. Ensure your incident management and reporting process is clear and efficient, and that you are aware of the new NIS2 reporting requirements.
  8. Ensure that third-party vendors and partners adhere to security standards and include contractual obligations for cybersecurity in service-level agreements.

Conclusion

NIS2 represents an important advancement in the European Union’s cyber security regulatory framework, reflecting a proactive and risk-based approach to safeguarding critical digital infrastructures. By achieving compliance with NIS2 and proactively adapting to the evolving regulatory landscape, organisations will enhance their cyber security resilience and effectively manage cyber risks.

Karin Pålshammar

Director, Cyber & Digital Risk

Gustav Jansäter

Manager, Cyber & Digital Risk
