The NIS Directive, The Directive on security of network and information systems, is a directive, i.e. it is translated into each member state’s national legislation. This means that there may be differences in application.
What is the purpose of the NIS Directive?
The NIS Directive aims to promote security measures and boost EU member states’ level of protection of critical infrastructure. In other words, it improves information security of operators in sectors that provide essential services to our society and economy.
What is the story behind the NIS Directive?
Digitalisation not only creates business opportunities but opens more attack vectors to systems. The number of cyberattacks has increased sharply over the recent years, not only from criminals and script kiddies but also from state-funded forces with great endurance and vast resources. Raising information security within critical infrastructure raises society’s readiness for external disturbances.
What practical effect does the NIS directive have?
The NIS Directive tightens the requirements for information security in terms of integrity and availability. It is important to take people, processes and technology into account to ensure information security in the affected organisations. Better understanding in general of information and system risk classification together with impact contingency and action plans is necessary to improve resistance to attacks. Incidents are to be reported as part of increasing knowledge and raising preparedness. Basically, focus lies on the network and information systems that are used.
What do operators need to do?
To provide NIS appropriate security for your IT and OT you need to be in full control of your information security domains.
Cybersecurity entails more than mere technology. In order to create sustainable protection, systematic analysis of assets, threats and risks is required, including also processes and human aspects.
It is neither practical nor economically justifiable to protect all information the same way. Therefore, the first step is to identify information essential to operations. With this basic understanding, necessary measures can be pinpointed and prioritised.
To raise cybersecurity of critical infrastructure in general, strict segmentation of industrial control utility systems (ICS/SCADA) has to be applied, combining logical separation with physical separation. This means keeping separate domains in the architecture isolated and allowing only very specific information to flow in-between. An effective way is to achieve this is by using products that replace manual management of information (air gap) and connect OT with IT systems at the highest level of security.
To provide NIS appropriate security for your IT and OT you need to be in full control of your information security domains.
Today in the ever interconnected and digitalisation driven reality, fully air-gaped solutions is no longer a viable alternative. You need to allow information to travel between domains an you need to stay in control. You need Cross Domain Solutions.
How do you follow the NIS Directive?
When you start working with following the NIS directive, you should ask yourself which parts of your business that are central. This of course depends on the business in question. The harsh reality is that no one can protect all parts. Assets, threats, risks and risk appetite must therefore be weighed carefully against each other in order to find a reasonable balance and effective measures. It can also be a good idea to consider which parts are most vulnerable to cyberattacks. In general, data transfer between networks or communication between security domains is most vulnerable. Segmentation and secure data transfer are therefore often crucial for a reliable operation. You should also ask yourself which information is in most need of protection – and if you protect it well enough. The answer lies in the analysis of your assets, threats, risks, and risk appetite. By understanding a potential attacker's ability and resources, you get an idea of how effective protection must be designed. What level of risk is reasonable? Assume the consequences. What can the business not afford to lose? What must absolutely not go wrong?
All socially important companies now have 6 main obligations regarding information security:
- The organisation has an obligation to notify the supervisory authority that they are affected by the NIS Directive
- The organisation must continuously work in a structured, methodical and risk-based manner with information security according to accepted standardised frameworks (ISO 27000 standard or equivalent)
- Annually analyse the business's risks and draw up action plans. These must then form the basis for choosing the right security measures.
- Take appropriate and proportionate measures to manage risks that threaten security.
- Take appropriate measures to prevent and minimise the effects of incidents affecting networks and information systems.
- Report incidents that have a significant impact on the socially important service, such as outages or a disruption.
The law on information security for suppliers of socially important and digital services
In Sweden, the law on information security prevails for providers of socially important and digital services. The law is Sweden's way of adopting the NIS directive. These regulations contain a number of points that clarify how to adapt your business:
Systematic and risk based information security work
The information security work regarding information management in networks and information systems used for socially important services shall not only be adapted to the organisation, but carried out with the help of the standards SS-EN ISO/IEC 27001:2017 and SS-EN ISO/IEC 27002:2017. Once the risks that exist have been identified, the organisation's responsibility for the work with information security must be clarified, all resources that are needed to be able to carry out the work should be ensured, and it must be ensured that the work is adapted and evaluated.
Demands on the information security work
The goal of the organisation's work with information security must be stated in a policy. You must also have a documented approach to, for example, classifying information, analysing risks and taking reasonable security measures. It is also important to educate employees and ensure that they understand how the work is to be performed and what their role is.
Specifics concerning network and information systems
It is of course of great importance that the networks and information systems used for socially important services meet the requirements for information security. You must also have solid incident management for the information in these systems and a plan for how incidents are to be handled and how the business should proceed after an incident.
What makes the NIS Directive different from the Protective Security Act?
The Protective Security Act applies to the protection of activities or information that may be important for Sweden's security. The NIS Directive sets requirements linked to the networks and information systems on which a business depends in order to deliver socially important or digital services. The same network and information system may be covered by the Protective Security Act, which may also cover other types of activities. Many organisations can thus be affected by both regulations, but the parts covered by security protection are exempt from the NIS Directive.
In order to fall under the Protective Security Act, you must have activities or process information that falls within the framework of security protection (see the description above). This can apply to networks, information systems and other parts of the business.
If you deliver socially important or digital services, you are covered by the NIS Directive. The requirements in the NIS Directive only apply to the networks and information systems on which the delivery of the socially important or digital service depends.
Potential new directive – NIS 2
Section added in February 2021.
The initial NIS directive included a process to conduct regular review of itself. This has led to a proposal for a directive for countries in the EU about measures for high common level of cybersecurity – this is called NIS 2. Once the new proposal is agreed upon, member states in the EU have 18 months to apply the new NIS 2 Directive.
Deficiencies in the NIS Directive
The proposal for NIS 2 contains aspects that meet deficiencies with the original NIS Directive. These deficiencies where found:
- Business in the EU do not have a sufficient level of cyber resilience (cyber resilience is the resistance to a possible cyberattack, but also the ability to keep capacity up during an attack, and how well you return to your original capacity after an attack)
- There is inconsistency between member states and sectors concerning cyber resilience
- There is not a sufficient understanding among member states about present threats and challenges, as well as not having a joint crisis response
New additions in NIS 2
Based on these deficiencies, new additions have been made, creating the new proposal NIS 2. These are the most prominent new additions:
- Larger scale than NIS, more sectors considered as essential services (list further down)
- Managers are held responsible for securing operations.
- Incident reporting must now be done within 24 hours instead of 72 hours.
- Higher demands on security and reporting, where a minimum requirement list must be followed
- Security of supply chains and suppliers
- Stricter supervisory measures for national authorities
- Elimination of the distinction between operators of essential services and digital service providers
- Stricter supervisory measures for national authorities, firmer enforcement requirements
- Aims at harmonising sanctions regimes across member states, enabling that administrative fines should be issued. The fine will be up to EUR 10 million or 2% of the business's total worldwide turnover, whichever is higher.
- Enhancement of the role of the Cooperation Group, and increasement of information sharing and cooperation between member state authorities
The extension of the scope covered by the new rules, by effectively forcing more businesses and sectors to take measures to manage cyber security risk, will help to increase the level of cybersecurity in Europe both medium and long term.
Who is affected by NIS 2?
New sectors have been added based on their importance to society and the economy, and more companies in each sector will be affected. This as a measure to respond to Europe's increased exposure to cyber threats.
In the current NIS directive, there are seven affected sectors: energy, transport, banks, financial market infrastructure, health, water supply and digital infrastructure. In addition to these are newly added sectors: manufacturing of pharmaceutical products including vaccines and critical medical devices, public administration, and space.
Key sectors that will also be affected are postal and courier services, waste management, chemicals, food, manufacturing of other medical devices, computers and electronics, machinery, motor vehicles and digital suppliers.
All large and medium-sized companies from these sectors within the EU are now affected. Even smaller companies can be affected if it is considered necessary based on the company's profile.
The extension of the scope covered by the new rules, by effectively forcing more businesses and sectors to take measures to manage cyber security risk, will help to increase the level of cyber security in Europe in the medium and long term. Every business affected will now need to have a well-organised incident management, a structured approach to risk management and a cybersecurity officer at management level.
Will you be affected by NIS 2?
With real penalty fees for companies not taking care of their responsibilities (2% of sales or 10M EUR) as well as personal liability for the CEO and regulatory oversight, you really need to make sure you comply with the directive!
So what to do now?
First of all: Find out if you and/or your customers are covered by the directive! For example, if you are a business that provides a service necessary to sustain critical societal and/or economic activities, such as an energy company, you are classified as an "essential service operator". Then start by finding out what requirements that are placed on you and do a gap analysis against the current situation.
Here are some steps that all businesses affected by NIS must take:
- Take security measures to protect network security and information systems. This includes risk analysis and security policies for information systems.
- Requirements to report incidents affecting the continuity of services (prevention, detection and response to incidents).
- Work with business continuity and crisis management as well as supply chain security. This includes having policies and procedures in place for cybersecurity risk management measures.
- Use of cryptography and encryption.
- Supervision by appointed supervisory authorities
- Work systematically and risk-based with your information security
If you have activities that fall under the Protective Security Act, it may be worth monitoring the NIS a little extra in the future. It has been hinted that the special exception making the protective security always violating the NIS Directive will be changed.
With the new NIS Directive, management teams will have a decisive and active role in the monitoring and implementation of these measures. What can happen if an important business does not meet the requirements?
- Fines of up to EUR 10 million or 2% of the total global annual turnover
- Management must take responsibility
- Temporary bans targeting managers
- Appearance of a supervisor
Do not hesitate to contact us at Advenica!