In our previous blog post, we highlighted how NIS2 is both a stick and a carrot when it comes to information security. A stick, because it incentivizes organizations to increase their information security spendings to avoid heavy fines. A carrot, because it empowers organizations to better understand the threat landscape and the effectiveness of various security measures, so as to make better decisions when it comes to security.
I hear you saying: “That sounds cool! So I don’t have to beg my CEO to invest in security? Instead, they will give me a budget and expect to ‘secure up’. Great! But what exactly do I need to do?”
In this post, we’ll illustrate what the NIS2 Directive really means for you who is a CTO or Engineering Manager.
Let’s focus on Sweden
As highlighted in our previous blog post, NIS2 should not be seen as one rule to rule them all – pun intended. Instead, NIS2 is an EU Directive which needs to be implemented in every EU Member State. Also, NIS2 sets minimum requirements, so each EU Member State is free to raise the bar as high as they see fit.
To make this discussion more concrete, let’s focus on Sweden. As of March 2024, the NIS2 Directive is not yet implemented in Sweden, so we can only predict its future by:
- looking at its predecessor, NIS1;
- looking at the proposal SOU 2024:18; and
- looking at the minimum requirements set by NIS2.
As proposed in SOU 2024:18, the agency coordinating NIS2 enforcement will be the Swedish Agency for Civil Contingencies – Myndigheten för samhällsskydd och beredskap (MSB). Swedish law will give MSB rulemaking power (föreskriftsrätt) over essential and important entities. MSB will then publishes these rules, which are named MSBFS 20XX:Y, where MSBFS stands for “Myndigheten för samhällsskydd och beredskaps föreskrifter" followed by a four-digit year and a running number.
While MSB acts as the single point of contact when it comes to NIS1, they don’t enforce the fines. MSB can be seen as the “brain” of NIS1 in Sweden, whereas so-called competent authorities are the “muscles”. In Sweden, these are:
- The Swedish Energy Agency - energy
- Financial Supervisory Authority - banking and financial market infrastructure
- The Inspectorate for Care and Care - the health care sector
- The Swedish Food Agency - delivery and distribution of drinking water
- The Swedish Post and Telecommunications Agency - digital infrastructure and digital services
- The Swedish Transport Agency - transport
As proposed in SOU 2024:18, the enforcement structure will be very similar with NIS2.
As an essential and important entity, you will need to do three things:
- Identify yourself with MSB.
- Do information security.
- Report incidents to MSB.
Let’s dive into each of these into details...
Identify yourself with MSB
The title of the NIS1-era MSBFS 2024:4 kind of gives it away: “regulations on notification and identification of providers of socially important services” (föreskrifter om anmälan och identifiering av leverantörer av samhällsviktiga tjänster). Pick a contact person, send their name, email, and phone number to MSB.
If you fall under GDPR – who doesn’t? – and have assigned a Data Protection Officer, then this NIS2 requirement is very similar to GDPR Art. 37(7).
If you are ISO 27001:2022 certified – or are looking to become – this NIS2 requirement falls under the ISO 27001 control called A5.5 Contact With Authorities.
Do information security
Before talking about what measures Swedish NIS2-regulated entities will need to implement, let us zoom out and discuss the minimum security requirements imposed by NIS2.
NIS2 Minimum requirements
Under NIS2, your organization needs to fulfill the following 10 minimum requirements, which are verbatimly reproduced from the text of the regulation:
1. policies on risk analysis and information system security;
2. incident handling;
3. business continuity, such as backup management and disaster recovery, and crisis management;
4. supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
5. security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
6. policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
7. basic cyber hygiene practices and cybersecurity training;
8. policies and procedures regarding the use of cryptography and, where appropriate, encryption;
9. human resources security, access control policies and asset management;
10. the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
As you notice, most of these requirements are rather non-prescriptive. By non-prescriptive, I mean that they don’t impose a concrete security measure. Rather, they dictate a process through which your organization should find the right security measures. These non-prescriptive requirements include:
- Do risk management, i.e., identify risks unique to your organization and take appropriate measures to mitigate these risks.
- Have an information security policy;
- Make sure you properly audit your suppliers and that you contractually propagate the right security requirements.
Only the last NIS2 minimum requirement truly prescribes a security measure: “use multi-factor authentication”.
To sum up, the “do security” part of NIS2 very much resembles ISO 27001 controls. NIS2 does not give exact instructions on what you should do. Rather, it puts the burden on the organization to properly identify information security risks, assess them and take appropriate security measures to reduce those risks. This makes a lot of sense, as appropriate security measures will be different both depending on the size of your organization and your industry sector. Measures taken by an energy company supplying 10,000,000 customers are not necessarily appropriate for a healthcare provider with 100 patients.
How will things look like in Sweden?
The section above only focused on NIS2 minimum requirements. However, each EU Member State is free to set their own requirements as high as they seem appropriate. To get an insight on how the Swedish regulatory landscape could look like, we can make predictions based on NIS1-era MSBFS 2018:8 and MSBFS 2020:7. The latter is newer (2020) and applies to the public sector. The former is two years older (2018) and applies to all other sectors.
If reading the NIS2 minimum requirements makes you think of ISO 27001, then you are not alone. NIS1-era MSBFS 2018:8 quite literally says: You must implement an information security management system (ISMS) conforming to ISO 27001 “or similar”. While you can base your ISMS on a different standard, MSBFS 2018:8 sets a high bar for picking another standard: You should document similarities and differences to ISO 27001. You should also assess whether implementing the chosen standard offers a sufficient level of information security.
Let’s just be frank: MSB really wants you to implement ISO 27001. MSBFS 2018:8 seems to point to a few ISO 27001 requirements and controls that MSB considers particularly important, such as:
- Information Security Policy (ISO 27001:2022 Requirement 5.2;
- Risk Management (ISO 27001:2022 Requirement 6.1);
- Information Classification (ISO 27001:2022 Control A5.12);
- Supplier Management (ISO 27001:2022 Control A5.19);
- Network Security (ISO 27001:2022 Control A8.20, A8.21 and A8.22).
Interestingly, MSBFS 2018:8 – which applies to all entities except the public sector – does not feel very prescriptive. You need to work systematically with information security risks and treat them systematically. The exact security measures you take depend on your organization.
In contrast, MSBFS 2020:7 – which applies to public authorities – is a bit more prescriptive. Specifically:
- You must use multi-factor authentication (MFA), think ISO 27001:2022 Control A8.5.
- You must use ntp.se as a clock synchronization source, think ISO 27001:2022 Control A8.17.
- You must use DNSSEC, think ISO 27001:2022 Control A8.21.
- You must separate production from non-production environments, think ISO 27001:2022 Control A8.31.
As we can notice, these are already above the minimum requirements set by NIS2.
To sum up, it seems like most security requirements around NIS2 will be on the level of information security management. Only a handful of security measures are prescribed. However, that doesn’t mean you can just produce a handful of policies and call it a day. NIS2 requires you to discover the right security measures for your organization and actually implement them.
Report incidents to MSB
Finally, you will need to report incidents to MSB. Under NIS1, this had to be done at the following intervals (MSBFS 2018:9 1 kap 3 §):
- Initial report after 6 hours from the start of the incident;
- Interim report after 24 hours;
- Final report after 4 weeks.
Various regulations precisely define what is a report-worthy incident for each industry sector. For example:
- In healthcare, if ambulance service was somehow affected. (MSBFS 2018:9 7 kap. 1 § 2).
- Similarly, if a patient journal system is down for more than 2 hours. (MSBFS 2018:9 7 kap. 1 § 3).
- In the energy sector, if at least 2000 customers or 50% of your customers were affected for at least 2 hours. (MSBFS 2018:9 3 kap. 1 § 1).
- In the transportation sector, if at least 1000 users or a geographical region of at least 10000 km2 were affected for at least 1 hour. (MSBFS 2018:9 4 kap. 1 § 1).
These provisions are likely to be amended to NIS2. At the very least, MSB needs to come up with new definitions of report-worthy incidents for important entities, and for the essential entities which were added in NIS2.
Takeaways
NIS2 is on everyone’s mind and it is natural to worry about the implementation burden that NIS2 would bring on your organization. If you are already ISO 27001 certified, as Elastisys, then compliance with NIS2 is likely to be a “walk in the park”. However, if you are not yet ISO 27001 certified, then it is a good idea to look into it. This is also a good time to review your suppliers. Check both if they are ISO 27001 certified and how they prepare for the upcoming measures under NIS2.
If you want to learn more about how Elastisys Welkin platform is designed with NIS2 in mind, get in touch or learn more here. And if you’re curious in reading more about Elastisys as a ISO 27001 certified vendor, you can dive into that on this page.
Blog post by Cristian Klein
I’m Cristian, the Compliant Kubernetes product owner at Elastisys. I review data protection regulations and security best practices, to translate those into Kubernetes and Cloud Native solutions. I gathered over 19 years of experience acting variously as an on-call network engineer, consultant, teacher and researcher. You can follow me on LinkedIn, where I post about topics at the intersection of information security and Kubernetes.