The purpose of the NIS Directive is for providers of essential services to work with risk-based security. This entails, among other things, both a reporting obligation for incidents and continuous work in a structured and methodical manner according to accepted standardised frameworks. Security assessments and the resulting action plans must also be documented and followed up annually. How is this work progressing in your organisation? Have you started working towards compliance with all the requirements?
The background and purpose of the NIS Directive
Digitisation not only enables business opportunities but also creates more attack vectors against business information and systems. In recent years, the number of cyberattacks has increased substantially, and behind them are not only criminals and hackers but also state-sponsored actors with great endurance and substantial resources.
In response to this development, the EU adopted the NIS Directive (the Directive on Security of Network and Information Systems) in 2016, a regulatory framework that is translated into national legal requirements in all member states. The purpose of the directive is to establish a security standard in the digital world: a standard that protects the infrastructure on which our society and our economy are built.
Which companies are affected by the NIS Directive?
The directive requires designated providers of essential services, as well as certain providers of digital services, to take security measures to manage risks and incidents in their IT infrastructure. If your organisation provides essential services in the sectors of energy, transport, banking, financial market infrastructure, healthcare, water supply or digital infrastructure, you are likely to be covered by the NIS Directive and need to follow its rules.
Has your organisation started the work required by the NIS Directive?
The NIS Directive imposes several requirements on the organisations concerned, including the following:
- The organisation has an obligation to notify the supervisory authority that it is covered by the NIS regulation
- The organisation must continuously work in a structured and methodical way with information security according to accepted standardised frameworks (the ISO 27000 series or equivalent)
- The organisation must take appropriate security measures
- The organisation shall document security analyses and the resulting action plans, and follow them up annually
- The organisation has a reporting obligation in the event of incidents
How is this work progressing in your organisation? Do you know how to go about conducting security assessments and choosing appropriate security measures?
We can help you comply with the NIS Directive
Advenica has long experience of analysing the security of solutions and products, with the specific purpose of identifying the countermeasures and other measures needed to ensure stability. We can help you ensure that the data and critical information you own and manage is well protected.
When you start working with security protection, the first step is to carry out a security protection analysis. By identifying the most important information assets of the business, you also identify the measures that need to be taken, in order of priority. A good way to do this is to use our risk and security analysis.
With the business in focus, this analysis gives you a comprehensive picture of your digital business flows, with the aim of realising the value chain's potential and identifying opportunities for cost savings, while ensuring protection against unauthorised access to systems and information as well as compliance with laws and regulations.
The analysis gives you an overview of cyber security in your company's business context. You receive suggestions on approaches and priority areas to work on in order to reach your full digital potential, today and tomorrow. In this way you can ensure that you comply with the NIS Directive's requirements regarding security analyses and security measures.
Interested in a risk and security analysis? Contact us here.