NIS2 – Not Just for Critical Functions

To protect society from increasing cyberattacks, the EU’s directive NIS2 will come into effect in 2024, with measures for a high common level of cybersecurity. The directive primarily pertains to providers of critical services, but what many may not have realized is that it indirectly encompasses their subcontractors.

Cyber threats are increasing in scale and becoming more sophisticated, while at the same time, only four out of ten organizations currently have an adequate level of cybersecurity. This is evident from a report on the cybersecurity market by the research company Radar. We all remember the ransomeware attack hitting Coop in 2021. 

Political forces are constantly working on enhancing society’s resilience against cyber threats. The EU Cyber Resilience Act is one example, and another imminent example is the so-called NIS2 directive, which comes into effect in October 2024.

Third party vendors and their cybersecurity work are under scrutiny  

The NIS2 directive primarily applies to providers of essential services for social and economic activities, such as banks, energy companies, healthcare facilities, and transport companies, similar to NIS1 except for a few additions. However, it also encourages organizations outside its direct purview, urging them to fulfill the minimum requirements for attaining a satisfactory level of cybersecurity. Notably, it intensifies the requirements for overseeing and manage third-party suppliers. 

Lovisa Göransson Ording is a cybersecurity consultant at HiQ with expertise in governance, risk management, and compliance. 

– The extension of the directive to encompass the entire chain is inherently logical. In order for your organization to uphold a sufficiently elevated standard of cybersecurity, it is imperative that such standards are also adhered to by your subcontractors. Consequently, the security aspect assumes a considerably more prominent role in the procurement process, says Lovisa Göransson Ording. 

NIS2 – crucial to be a relevant supplier 

With controls on third-party vendors, as many as 20,000 Swedish organizations are directly or indirectly affected, a significant increase from the current approximately 500. 

“Compliance with the stipulations of NIS2 may be imperative for subcontractors seeking relevance with organizations falling under the directive. Specifically, as a procurer of development services for sectors such as finance or energy, it is necessary upon you to guarantee that the developers and their deliveries align with the security requisites mandated by the contracting organization”, says Lovisa Göransson Ording. 

What is required of the organizations directly or indirectly affected? 

Half of the organizations in Radar’s report do not believe they will be able to meet the requirements in time before the directive takes effect. Consequently, considerable efforts lie ahead for Swedish companies and organizations. 

If your organization is covered by NIS2, you should, of course, meet the requirements of NIS2. If you are a subcontractor who wants to be relevant to customers covered by NIS2, there are several paths to take. One way is to certify the organization, for example, with ISO 27000. It is one of the world’s most prominent standards within the field of cybersecurity, and a certification shows that the entire organization is actively and continuously working with cybersecurity.

Cybersecurity work is not a one-shot 

As security threats continually evolve, the efforts to mitigate these risks must be consistently ongoing. 

Through regular implementation of penetration tests, organizations can consistently identify digital vulnerabilities. This process enables further analysis of how the organization operates. 

– Identifying a technical deficiency or vulnerability might be more straightforward than uncovering organizational shortcomings, yet it is essential to recognize that the technical issue is, invariably, symptomatic of an underlying cause. It may stem from organizational challenges that demand a broader perspective. Organizations who continuously approach such tests with an open mindset often find it significantly easier to meet regulatory requirements and maintain continuous operational security, she concludes. 

Tips: How to Approach NIS2 

1. Inform Yourself

Familiarize yourself with the NIS2 directive and its requirements to determine if your business is classified as essential or a significant entity. Consider your importance within the sector you operate in or the service you provide, as well as organizational size.

2. Assess the current situation

Conduct an assessment of your organization’s current cybersecurity posture. Examine the components that are already in place and aligned with the NIS2 requirements. Identify areas that may require more extensive work. 

3. Identify and assess critical services

Evaluate and identify critical services and systems within your organization. Ensure that these services and systems are resilient and have the necessary cybersecurity measures in place as defined by NIS2. 

4. Evaluate your suppliers and customers

NIS2 focuses on a high common level of cybersecurity. It is important to ensure that the entire supply chain takes cybersecurity seriously. As an organization, you have various dependencies that influence and are influenced by cybersecurity efforts. These dependencies may encompass suppliers, customers, and even the suppliers and customers of your partners. 

Choose nearest region Stockholm Västerås Lund Borlänge Norrköping Helsingborg Karlskrona Örebro Göteborg Malmö Linköping Eskilstuna

Get in touch!

Get in touch!

Choose office or contact HiQ International in Stockholm if you are in doubt.

Contact

Region Stockholm

Contact

Region Stockholm

Mia Pääsuke

Marcom Lead Stockholm

Hi I’m Mia, Marcom Lead in Stockholm. Please get in touch and I’ll connect you with the right person!

mia.paasuke@hiq.se +46 763147920

mia.paasuke@hiq.se +46 763147920

Contact

Region Lund, Helsingborg, Karlskrona and Malmö

Contact

Region Lund, Helsingborg, Karlskrona and Malmö

Peter Axelsson

Head of HiQ South

Hi, I’m Peter, head of Region South. I’m passionate about technology, business and leadership. Would love to get in touch with you!

peter.axelsson@hiq.se +46 72 156 71 75

peter.axelsson@hiq.se +46 72 156 71 75

Contact

Region

Contact

Region

Dan Jonsson

Head of HiQ West

Self-driving vehicles, 6G, connected diapers. After 23 years at HiQ, I’m still full of admiration for what our magical employees achieve with our customers. Get in touch and I’ll tell you more!

dan.jonsson@hiq.se +46 703791229

dan.jonsson@hiq.se +46 703791229

Contact

Region Norrköping and Linköping

Contact

Region Norrköping and Linköping

Paul Martin

Head of HiQ Ace

Hi, I’m Paul. Head of Region ”Ace”. Let’s talk about how we can work together to make a difference; to your business, and to people’s lives.

paul.martin@hiq.se +46 702 516 975

paul.martin@hiq.se +46 702 516 975

Contact

Region Västerås, Borlänge, Örebro and Eskilstuna

Contact

Region Västerås, Borlänge, Örebro and Eskilstuna

Per Gustafsson

Head of HiQ Mälardalen

Together we create the company we always wanted to work for, and our customers wanted to work with! If you also want to work with or for us, you are warmly welcome to contact me!

per.gustafsson@hiq.se +46 703 752 347

per.gustafsson@hiq.se +46 703 752 347

Contact

Region Göteborg

Contact

Region Göteborg

Dan Jonsson

Head of HiQ West

Hi, I’m Dan, Head of HiQ West. Let’s have a chat and explore how we can do magic together.

dan.jonsson@hiq.se +46 703791229

dan.jonsson@hiq.se +46 703791229

Close