NIS2 – Not just for critical functions

To protect society from increasing cyberattacks, the EU’s directive NIS2 will come into effect in 2024, with measures for a high common level of cybersecurity. The directive primarily pertains to providers of critical services, but what many may not have realized is that it indirectly encompasses their subcontractors.

Cyber threats are increasing in scale and becoming more sophisticated, while at the same time only four out of ten organizations currently have an adequate level of cybersecurity. This is evident from a report on the cybersecurity market by the research company Radar. We all remember the ransomware attack that hit Coop in 2021.

Political forces are constantly working on enhancing society’s resilience against cyber threats. The EU Cyber Resilience Act is one example, and another imminent example is the so-called NIS2 directive, which comes into effect in October 2024.

Third party vendors and their cybersecurity work are under scrutiny  

The NIS2 directive primarily applies to providers of essential services for social and economic activities, such as banks, energy companies, healthcare facilities, and transport companies, similar to NIS1 except for a few additions. However, it also encourages organizations outside its direct purview to fulfill the minimum requirements for attaining a satisfactory level of cybersecurity. Notably, it intensifies the requirements for overseeing and managing third-party suppliers.

Lovisa Göransson Ording is a cybersecurity consultant at HiQ with expertise in governance, risk management, and compliance. 

– The extension of the directive to encompass the entire chain is inherently logical. In order for your organization to uphold a sufficiently elevated standard of cybersecurity, it is imperative that such standards are also adhered to by your subcontractors. Consequently, the security aspect assumes a considerably more prominent role in the procurement process, says Lovisa Göransson Ording. 

NIS2 – crucial to be a relevant supplier 

With controls on third-party vendors, as many as 20,000 Swedish organizations are directly or indirectly affected, a significant increase from the current approximately 500. 

– Compliance with the stipulations of NIS2 may be imperative for subcontractors seeking relevance with organizations falling under the directive. Specifically, as a procurer of development services for sectors such as finance or energy, it is incumbent upon you to guarantee that the developers and their deliveries align with the security requisites mandated by the contracting organization, says Lovisa Göransson Ording.


What is required of the organizations directly or indirectly affected? 

Half of the organizations in Radar’s report do not believe they will be able to meet the requirements in time before the directive takes effect. Consequently, considerable efforts lie ahead for Swedish companies and organizations. 

– If your organization is covered by NIS2, you should, of course, meet the requirements of NIS2. If you are a subcontractor who wants to be relevant to customers covered by NIS2, there are several paths to take. One way is to certify the organization, for example, with ISO 27000. It is one of the world’s most prominent standards within the field of cybersecurity, and a certification shows that the entire organization is actively and continuously working with cybersecurity, she says. 

Cybersecurity work is not a one-time effort

As security threats continually evolve, the efforts to mitigate these risks must be consistently ongoing. 

Regular penetration testing lets organizations identify technical vulnerabilities on an ongoing basis. The findings can then be analysed further for what they reveal about how the organization operates.

– Identifying a technical deficiency or vulnerability might be more straightforward than uncovering organizational shortcomings, yet it is essential to recognize that the technical issue is, invariably, symptomatic of an underlying cause. It may stem from organizational challenges that demand a broader perspective. Organizations that continuously approach such tests with an open mindset often find it significantly easier to meet regulatory requirements and maintain continuous operational security, she concludes.


Tips: How to Approach NIS2 

1. Inform yourself: Familiarize yourself with the NIS2 directive and its requirements to determine whether your business is classified as an essential or significant entity. Consider your importance within the sector you operate in or the service you provide, as well as your organizational size.

2. Assess the current situation: Conduct an assessment of your organization’s current cybersecurity posture. Examine the components that are already in place and aligned with the NIS2 requirements. Identify areas that may require more extensive work. 

3. Identify and assess critical services: Evaluate and identify critical services and systems within your organization. Ensure that these services and systems are resilient and have the necessary cybersecurity measures in place as defined by NIS2. 

4. Evaluate your suppliers and customers: NIS2 focuses on a high common level of cybersecurity. It is important to ensure that the entire supply chain takes cybersecurity seriously. As an organization, you have various dependencies that influence and are influenced by cybersecurity efforts. These dependencies may encompass suppliers, customers, and even the suppliers and customers of your partners. 
