Article | 30 May 2024

Strengthen your cybersecurity – a checklist for NIS2


From time to time, we hear about large-scale cyberattacks on IT providers that disrupt medical record systems, cash register systems and payroll systems. These attacks can have serious consequences for individuals, the affected company and society at large. Cybersecurity is therefore something that all companies should work on continuously. If the company is covered by the rules of NIS2, there are also several requirements for how the work should be conducted. Some companies have not yet intensified their information security work in response to NIS2. If your company is one of them, we advise you to start that work as soon as possible, and to continue reading this article.

What is NIS2?

In light of the pace of digitalisation, the increase in cyber threats and the need for a more coherent cybersecurity approach across the EU, the NIS2 Directive has been adopted. It can be seen as a continuation of the previous NIS Directive from 2016, but compared to its predecessor, NIS2 has an expanded scope, contains more extensive requirements and entails more sanctions and higher penalties in the event that a company violates the requirements. The directive is to be implemented in October 2024, but the Swedish law looks set to be delayed until January 2025. Given the requirements, it is high time to start preparing your organisation for NIS2 now. Taking on such a project may seem insurmountable, but our checklist will help you get started.

NIS2 checklist

  1. Check if your organisation falls under NIS2

As mentioned in the introduction, NIS2 covers more actors than the NIS Directive. It also distinguishes between highly critical and other critical sectors. The highly critical sectors include, for example, energy, transport, banking/finance, healthcare, water/wastewater and public administration. The other critical sectors include, for example, postal/courier services, waste management, chemicals, food and digital providers. If you belong to one of these sectors, you are subject to the NIS2 requirements provided that you employ at least 50 people or have a turnover of more than €10 million. In exceptional cases, other activities may also be subject to the rules, for example if a disruption to your business could have a significant impact on public security. The category to which you belong mainly affects the size of the penalty and whether the supervision is proactive or reactive; the requirements themselves are the same.

  2. Check if you are compliant

NIS2 requires you to take technical and organisational measures that are proportionate to risk. You therefore need to carry out an inventory and gap analysis to identify if there are gaps in your existing security measures. Examples of measures to implement or improve are:

  • Incident management process: establish processes and procedures to manage and report security incidents (significant incidents should be reported to the supervisory authority in three steps: warning within 24 hours, incident notification within 72 hours (24 hours for trusted services) and final report within one month).
  • Purchasing procedure: ensure that security aspects are taken into account in the purchase, development and maintenance of IT systems and software.
  • Use of cryptography: use cryptographic methods to protect sensitive information during storage and transmission.
  • Staff management: ensure that staff do not pose a security risk, including background checks and security training.
  • Access control procedure: implement systems and processes to control and restrict access to sensitive information and system resources.
  • Communication solutions: use secure communication channels to protect information transmitted electronically.
  • Authentication solutions: ensure that only authorised users can access systems and data, including strong authentication and multi-factor authentication.

  3. Addressing identified shortcomings

If in the previous step you identified shortcomings in your information security work, these must be remedied, or at least the risks arising from the identified shortcomings must be mitigated. If you have not taken any measures at all, it is time to do so.

  4. Map and risk assess your suppliers

NIS2 does not only impose requirements on your organisation. It also requires your supply chain to fulfil the requirements. Therefore, map the suppliers you use to evaluate how well they fulfil the requirements of NIS2 and what risks are associated with them. Note that you may need to renegotiate or amend existing contracts to provide instructions to your suppliers and to demonstrate compliance.

  5. Train your organisation

One of the requirements of NIS2 is that the company’s management and employees should be trained in information security/cybersecurity. It is important that they know the procedures in place and are aware of their responsibilities to protect company assets. Have ongoing training to ensure that management and staff are kept up to date.

  6. Follow up, document and budget

Note that the NIS2 requirements are not a one-off exercise. Working with information security is a continuous endeavour that requires you to regularly monitor and review the effectiveness of your measures and processes to identify areas for improvement, for example based on incident reports and changing threat scenarios. You must also ensure that you document your processes, procedures and other measures so that you can demonstrate compliance. Therefore, make sure there is room in your budget to do this effectively. Think of it as an investment to protect your business against cyberattacks and other cybercrime, and of course to avoid sanctions.

When might you need to contact us at Setterwalls?

At Setterwalls, we have extensive experience of running and assisting in major compliance projects and if you want help structuring your information security work, we are happy to help. For example, we can provide a clearer account of the requirements that follow from the various regulations, provide guidance on what measures you need to take, assist you in your gap analysis / inventory of measures taken and review your routines and processes to see if there are opportunities for improvement.

Do not hesitate to contact us!


The content is a general statement of an informative nature and is not legal advice to be used as a basis for assessment in an individual case.
