NIS2: But what exactly do I need to do?

Identify yourself with MSB

The title of the NIS1-era MSBFS 2024:4 kind of gives it away: “regulations on notification and identification of providers of socially important services” (föreskrifter om anmälan och identifiering av leverantörer av samhällsviktiga tjänster). Pick a contact person, send their name, email, and phone number to MSB.

If you fall under GDPR – who doesn’t? – and have assigned a Data Protection Officer, then this NIS2 requirement is very similar to GDPR Art. 37(7).

If you are ISO 27001:2022 certified – or are looking to become – this NIS2 requirement falls under the ISO 27001 control called A5.5 Contact With Authorities.

Do information security

Before talking about what measures Swedish NIS2-regulated entities will need to implement, let us zoom out and discuss the minimum security requirements imposed by NIS2.

NIS2 Minimum requirements

Under NIS2, your organization needs to fulfill the following 10 minimum requirements, which are verbatimly reproduced from the text of the regulation:

1. policies on risk analysis and information system security;
2. incident handling;
3. business continuity, such as backup management and disaster recovery, and crisis management;
4. supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
5. security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
6. policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
7. basic cyber hygiene practices and cybersecurity training;
8. policies and procedures regarding the use of cryptography and, where appropriate, encryption;
9. human resources security, access control policies and asset management;
10. the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

As you notice, most of these requirements are rather non-prescriptive. By non-prescriptive, I mean that they don’t impose a concrete security measure. Rather, they dictate a process through which your organization should find the right security measures. These non-prescriptive requirements include:

• Do risk management, i.e., identify risks unique to your organization and take appropriate measures to mitigate these risks.
• Have an information security policy;
• Make sure you properly audit your suppliers and that you contractually propagate the right security requirements.

Only the last NIS2 minimum requirement truly prescribes a security measure: “use multi-factor authentication”.

To sum up, the “do security” part of NIS2 very much resembles ISO 27001 controls. NIS2 does not give exact instructions on what you should do. Rather, it puts the burden on the organization to properly identify information security risks, assess them and take appropriate security measures to reduce those risks. This makes a lot of sense, as appropriate security measures will be different both depending on the size of your organization and your industry sector. Measures taken by an energy company supplying 10,000,000 customers are not necessarily appropriate for a healthcare provider with 100 patients.

How will things look like in Sweden?

The section above only focused on NIS2 minimum requirements. However, each EU Member State is free to set their own requirements as high as they seem appropriate. To get an insight on how the Swedish regulatory landscape could look like, we can make predictions based on NIS1-era MSBFS 2018:8 and MSBFS 2020:7. The latter is newer (2020) and applies to the public sector. The former is two years older (2018) and applies to all other sectors.

If reading the NIS2 minimum requirements makes you think of ISO 27001, then you are not alone. NIS1-era MSBFS 2018:8 quite literally says: You must implement an information security management system (ISMS) conforming to ISO 27001 “or similar”. While you can base your ISMS on a different standard, MSBFS 2018:8 sets a high bar for picking another standard: You should document similarities and differences to ISO 27001. You should also assess whether implementing the chosen standard offers a sufficient level of information security.

Let’s just be frank: MSB really wants you to implement ISO 27001. MSBFS 2018:8 seems to point to a few ISO 27001 requirements and controls that MSB considers particularly important, such as:

• Information Security Policy (ISO 27001:2022 Requirement 5.2;
• Risk Management (ISO 27001:2022 Requirement 6.1);
• Information Classification (ISO 27001:2022 Control A5.12);
• Supplier Management (ISO 27001:2022 Control A5.19);
• Network Security (ISO 27001:2022 Control A8.20, A8.21 and A8.22).

Interestingly, MSBFS 2018:8 – which applies to all entities except the public sector – does not feel very prescriptive. You need to work systematically with information security risks and treat them systematically. The exact security measures you take depend on your organization.

In contrast, MSBFS 2020:7 – which applies to public authorities – is a bit more prescriptive. Specifically:

• You must use multi-factor authentication (MFA), think ISO 27001:2022 Control A8.5.
• You must use ntp.se as a clock synchronization source, think ISO 27001:2022 Control A8.17.
• You must use DNSSEC, think ISO 27001:2022 Control A8.21.
• You must separate production from non-production environments, think ISO 27001:2022 Control A8.31.

As we can notice, these are already above the minimum requirements set by NIS2.

To sum up, it seems like most security requirements around NIS2 will be on the level of information security management. Only a handful of security measures are prescribed. However, that doesn’t mean you can just produce a handful of policies and call it a day. NIS2 requires you to discover the right security measures for your organization and actually implement them.

Report incidents to MSB

Finally, you will need to report incidents to MSB. Under NIS1, this had to be done at the following intervals (MSBFS 2018:9 1 kap 3 §):

• Initial report after 6 hours from the start of the incident;
• Interim report after 24 hours;
• Final report after 4 weeks.

Various regulations precisely define what is a report-worthy incident for each industry sector. For example:

• In healthcare, if ambulance service was somehow affected. (MSBFS 2018:9 7 kap. 1 § 2).
• Similarly, if a patient journal system is down for more than 2 hours. (MSBFS 2018:9 7 kap. 1 § 3).
• In the energy sector, if at least 2000 customers or 50% of your customers were affected for at least 2 hours. (MSBFS 2018:9 3 kap. 1 § 1).
• In the transportation sector, if at least 1000 users or a geographical region of at least 10000 km2 were affected for at least 1 hour. (MSBFS 2018:9 4 kap. 1 § 1).

These provisions are likely to be amended to NIS2. At the very least, MSB needs to come up with new definitions of report-worthy incidents for important entities, and for the essential entities which were added in NIS2.

Takeaways

NIS2 is on everyone’s mind and it is natural to worry about the implementation burden that NIS2 would bring on your organization. If you are already ISO 27001 certified, as Elastisys, then compliance with NIS2 is likely to be a “walk in the park”. However, if you are not yet ISO 27001 certified, then it is a good idea to look into it. This is also a good time to review your suppliers. Check both if they are ISO 27001 certified and how they prepare for the upcoming measures under NIS2.

If you want to learn more about how Elastisys Compliant Kubernetes platform is designed with NIS2 in mind, get in touch or learn more here. And if you’re curious in reading more about Elastisys as a ISO 27001 certified vendor, you can dive into that on this page.