The NIS2 clock is ticking in the EU. Where will compliance take us in the Nordics?
With the October deadline to comply with the EU’s NIS2 directive rapidly approaching, Telenor explores the directive’s expanded scope and its impact on critical infrastructure and important entities, highlighting the challenges and opportunities for organisations across the Nordics.
A bit of history: the evolution from NIS1 to NIS2
NIS1, which stands for “Network and Information Systems”, was the first EU-wide sector-specific legislation on cyber-security, adopted in July 2016. This marked a significant step forward, as it was designed to enhance the level of cyber-security across the EU. However, as the digital landscape evolved, so too did the complexity and frequency of cyber threats. This necessitated a more robust framework, leading to the adoption of the NIS2 directive in December 2022.
NIS2 builds upon the foundation laid by NIS1 and aims to address the shortcomings of the original directive. NIS1 focused mainly on the security of network and information systems across critical sectors such as energy, transport, digital infrastructure, and health.
However, the flexibility given to member states in the implementation of this directive led to varying levels of cyber-security across the EU. This inconsistency, coupled with the rapid advancement of cyber threats, underscored the need for a more comprehensive approach. NIS2 is the EU’s answer, a next step in its attempts to standardise cyber-security measures, enhance co-operation among member states, and broaden the scope of the directive to include more sectors and types of organisations.
For Telenor and the broader telecommunications industry, the provisions within the European Electronic Communications Code (EECC), which were issued prior to NIS1, will be replaced with the requirements in NIS2 once the directive is in effect.
The EU’s response to a changing threat landscape
Since the inception of NIS1 in 2016, Telenor and others have borne witness to a dramatically changing cyber threat landscape.
The EU has recognised this change and saw the need to address the increased frequency and sophistication of these attacks, which are targeting a broader range of sectors and critical infrastructure. Cybercriminals today are actively exploiting the increasing digitalisation and interconnectivity across society, which exposes new vulnerabilities and potential targets for attack. High-profile incidents such as ransomware attacks on healthcare facilities and supply chain breaches have put a global spotlight on the need for more resilient cyber-security frameworks in organisations of all types and sizes.
What is NIS2?
The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cyber-security in the EU. Businesses identified by the Member States as operators of essential services in sectors ranging from energy, health, and drinking water to digital infrastructure and ICT management will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the Directive. The deadline to comply with the directive in the EU is 17 October 2024.
Source: Directive on measures for a high common level of cyber-security across the Union (NIS2 Directive) | Shaping Europe’s digital future (europa.eu)
As the EU’s strategic response to these growing challenges, NIS2 is a solid step in what is likely to be evolving legislation on this topic. With NIS2’s expanded scope and stricter requirements, the directive is intended to mitigate risks and build cyber resilience across the continent and a broader range of industries.
The updated directive recognises the interconnected nature of today’s digital infrastructure and the potential cascading effects of cyber incidents. This has led to NIS2’s emphasis on more comprehensive and coordinated cyber-security measures across more organisations and sectors, including those that were not previously in scope under NIS1.
NIS2 is a response to the growing digital interconnectedness across companies and industries, recognising that a cyber incident in one sector can have cascading effects on others. For example, a disruption in the telecommunications industry may severely affect the power and utilities sector, impacting emergency operations and coordination capabilities between agencies and organisations, as cited in the recently released EU Cybersecurity Risk Evaluation and Scenarios for Telecommunications and Electricity. This report specifically mentions a scenario in which power outages can lead to widespread disruptions in data centres, the telecommunications industry, and other critical sectors. This interdependency reinforces the need for comprehensive and coordinated cyber-security measures, as outlined in the NIS2 directive.
Key intentions behind the NIS2 directive
Another key reason for NIS2 is to address the inconsistencies in the implementation of NIS1 across the EU. The varying degrees of compliance and the different national approaches under NIS1 have created gaps in the overall cyber-security posture of the EU.
By introducing NIS2, the EU seeks to harmonise cyber-security requirements and ensure greater consistency across the region.
NIS2 also broadens the scope to include more sectors and types of entities. This is a crucial change to the directive, as it recognises the critical role that various industries play in the functioning of society and the economy. NIS2 includes digital service providers, public administration, and others that also play a role in protecting critical infrastructure and services.
Key measures in the NIS2 directive
The following key measures within the directive collectively aim to harmonise and strengthen cyber-security across the EU, to a greater extent than in NIS1:
Expanded scope and uniform criteria (identifying ‘essential’ and ‘important’ entities and reducing discrepancies in implementation)
Standardised security requirements
Stricter incident reporting
Strengthened co-operation and enforcement (through ENISA and the Cooperation Group)
Mandatory peer reviews
Focus on supply chain security
Enhanced information sharing
NIS2: Who is impacted and what is required?
NIS2 expands the list of sectors and entities that are considered essential for the functioning of society and the economy. The directive categorises entities into two main groups: essential and important.
Essential entities include critical sectors such as energy, digital infrastructure, transport, banking, financial market infrastructures, health, and drinking water.
The rationale behind including these sectors is to ensure the smooth operation of essential services in the face of growing cyber threats. Disruptions to these services could have severe consequences for public safety, economic stability, and national security.
Important entities include some digital services like online marketplaces and search engines, as well as public administration, space, and food production and distribution.
By implementing robust security measures across these sectors, the EU aims to protect critical infrastructure and essential services from cyber threats and build greater resilience overall.
What does NIS2 require of you?
The NIS2 directive outlines requirements for essential and important organisations in the EU to enhance their cyber-security posture. This includes the following:
1. Risk management measures: Organisations are required to implement ‘appropriate and proportionate’ technical and organisational measures to manage risks posed to the security of network and information systems. This includes conducting risk assessments, developing incident response plans, and regularly testing security measures.
2. Incident reporting: Organisations are required to provide early warning of significant incidents to the relevant national authority within 24 hours of becoming aware of the incident, followed by a notification within 72 hours. This is to ensure a timely response to mitigate the impact of the incident and support better information sharing.
3. Supply chain security: Organisations must address cyber-security risks in their supply chains to ensure that their vendors adhere to robust security standards. Given the increasing reliance on third-party services, this is an especially important development in NIS2 to minimise the potential for supply chain attacks.
Supply chain risks are particularly relevant for the telecommunications and electricity sectors, which rely on a complex network of suppliers, some of which may be based outside the EU. These dependencies can create vulnerabilities if the suppliers are not under adequate legal restraints, potentially leading to espionage and disruptions to critical services.
4. Co-operation and information sharing: NIS2 supports enhanced co-operation and information sharing between organisations and countries, and their respective national authorities. This greater regional collaboration is intended to boost the overall resilience of the EU and its level of cyber-security.
Reasons to support NIS2 compliance
The NIS2 directive imposes significant penalties for non-compliance, including fines and other administrative sanctions. Fines can reach EUR 10 million or 2% of the company’s annual revenue (whichever is higher). In addition, NIS2 allows authorities within EU Member States to hold organisational leaders personally liable if gross negligence is proven following a cyber incident. The directive also requires member states to establish ‘effective, proportionate, and dissuasive penalties’ for non-compliance, to ensure that entities follow through with their obligations.
Compliance with NIS2 can also enhance an organisation’s reputation and trustworthiness. As many companies have unfortunately learned in recent years, cyber-security incidents can severely impact reputation and stakeholder trust. Through comprehensive risk management practices, incident response planning, and the supply chain security measures required in NIS2, organisations are asked to continually maintain and improve their overall cyber resilience – which ultimately can serve as a competitive advantage.
Norway and NIS2
Though not an EU member, Norway is a part of the European Economic Area (EEA) as a means of accessing the European market. As such, the country typically adopts EU regulations and directives into local law. To align with the cybersecurity standards in NIS1, Norway introduced its digital security law (Digitalsikkerhetsloven) to improve the security of critical infrastructure and services. Currently, Norway is working to align with the NIS2 directive by introducing more stringent cybersecurity requirements for a broader range of organisations.
The road to NIS2 compliance in the Nordics: a legal perspective
The NIS2 deadline is around the corner, and Nordic organisations face a challenging road to compliance. Johanna Linder and Henrik Lindstrand, partners at Cederquist, a prominent Swedish law firm, share the legal perspective on NIS2 compliance and its implications for Nordic organisations.
Key NIS2 concerns among Cederquist’s Nordic clients
According to Johanna Linder and Henrik Lindstrand, there has been a significant increase in client inquiries regarding NIS2 compliance – and the type of legal advice requested varies quite a bit.
Companies already compliant with NIS1 have a relatively straightforward path ahead and may simply seek assistance to update internal policies or supplier contracts. In the ‘new’ sectors now included in the NIS2 directive, many organisations are seeking confirmation on whether they are subject to it and, if so, how to organise their compliance work.
Lindstrand noted, “Many companies that were not subject to NIS1 are now trying to understand if they need to comply with NIS2, in the light of sector descriptions, thresholds, and cross-border aspects. If the conclusion is that they do, many face a long ‘to do list’.”
The challenge is further compounded by the fact that many member states have yet to implement the necessary legal acts to transpose the directive, creating uncertainty and delays. In Sweden, for example, the Swedish implementing act is expected to be adopted and come into force on 1 January 2025, but detailed national regulations from supervisory authorities are still pending.
How does NIS2 impact Nordic organisations?
The transition to NIS2 will significantly impact Nordic organisations, particularly those not previously covered under NIS1. Many companies are more or less starting from scratch with their information security work and will need to take extensive steps to meet the new requirements.
As Linder explained, “Many organisations need to do the basics first, that is, to make an inventory of all digital assets used, classify their data, and identify security needs based on risk assessments to ensure confidentiality, integrity and availability. Only after this work is complete is it possible to implement security measures that are not yet in place and adopt policies and processes for risk and crisis management, as well as business continuity.”
A key aspect of NIS2 is the emphasis on documenting security measures and assessments. Lindstrand emphasised, “Even if security measures are in place, documenting the security measures and the assessments you have made is critical under NIS2.”
While NIS1 required organisations to work systematically with information security, NIS2 specifies more detailed requirements, necessitating governance and procedures to be revisited.
Additionally, new obligations under NIS2 include stricter notification requirements, increased liability for management, higher fines, and enhanced supply chain and business continuity requirements. This also means that service providers who are not directly subject to NIS2 may need to implement additional measures to comply with contractual obligations imposed by their customers under NIS2.
A perspective on the EU’s intent with NIS2
The EU’s motivation behind NIS2 is clear: to address the growing dependence on digital services and infrastructure and the increasing cyber threats. Linder and Lindstrand pointed out that the EU recognises the vulnerability of society to these threats, prompting a wave of national regulations aimed at enhancing cyber-security. The overarching goal is to harmonise rules across the EU and ensure a high level of cyber-security across all member states.
In Sweden, the focus is on ensuring a minimum level of information security throughout organisations. As Lindstrand noted, “In general, we haven’t seen that the draft Swedish Implementing Act goes beyond NIS2, just a few nuances. Other countries may tweak sanctions and liability, but the general framework shall remain consistent.”
Draw on previous compliance work to achieve NIS2 compliance
Compliance with NIS2 can be more readily facilitated by companies that have already established a structured compliance organisation and processes, e.g. in relation to the General Data Protection Regulation (GDPR). These organisations can build on the existing compliance frameworks.
However, Linder and Lindstrand acknowledge that smaller companies may struggle due to a lack of resources and expertise, particularly within IT, information security and legal. They emphasised the importance of viewing compliance as an investment, not just a regulatory requirement. “This is something that will be a business advantage or market advantage. We can expect further regulations within the field from the EU in the future,” Linder explained.
Advice for organisations
For organisations that are in the early stages of their NIS2 compliance work, the first step is to set necessary roles, adopt a structured methodology, and develop a plan for the compliance work.
Lindstrand stresses the importance of a coordinated approach, stating, “In light of all new regulations that are coming or expected to come from the EU within cyber-security, data and AI, set a general method and structure for compliance implementation and maintenance to avoid reinventing the wheel multiple times. Communicate how the compliance work will be done and align across functions and departments as compliance involves large parts of the business.”
This holistic approach ensures that all legal frameworks are considered, and digital assets are managed in an integrated and efficient manner.
While the path to NIS2 compliance is challenging, it also presents an opportunity for Nordic organisations to enhance their cybersecurity posture and gain a competitive edge. Linder and Lindstrand’s legal perspective on this directive underlines the importance of preparation, structured methodology, and viewing compliance as a strategic investment for the future.
From compliance to risk management: Building stronger cyber defences in the Nordics
To understand the shift from compliance to robust risk management under NIS2, Telenor spoke with Tomomi Aoyama, PhD, Senior Director of Strategy and Product at Omny, an industrial cyber-security company. Aoyama provides insights into the differences between compliance and risk management, the challenges faced by organisations, and the broader implications for cyber-security across the Nordics.
Compliance vs. risk management
Aoyama emphasises that while NIS2 mandates compliance, it transcends simple checkbox exercises, urging organisations to adopt comprehensive risk management practices. She explains, “NIS2 is asking for compliance to regulation but at the same time, it is not asking to check boxes. It is asking organisations to ensure the effectiveness of cyber risk management. The challenge in the organisation is that regulatory compliance is often led by GRC (Governance, Risk, and Compliance), while risk mitigation measures might be implemented by other departments. Risk management needs to have more organisational muscle to run.”
The directive’s multi-layered approach requires a systemic understanding of dependencies and risks from the EU level down to individual organisations. Aoyama explains that NIS2 is designed to facilitate a co-ordinated EU-wide cyber-security posture.
“For the EU to understand dependencies and risk as a whole, they need to understand how each country is running risk management, how it is reported, and the incidents faced.”
This requires robust reporting and feedback mechanisms to provide a comprehensive risk picture across the EU.
Enhancing cyber defence in the Nordics
A key aspect of NIS2 is its impact on executive accountability for cyber risks. Aoyama hopes that this will lead to more active discussions about cyber risk at the executive level.
“One of NIS2’s big asks is for senior leadership in organisations, including boards and executives, to be accountable for cyber risk. It used to be the CISO’s responsibility, but now it’s the CEO and Board who must ensure they are running the programme,” she explains. This shift could foster a broader understanding of cyber risk as a critical business issue rather than just a technical concern.
Challenges and opportunities
When asked about the major blockers and opportunities presented by NIS2, Aoyama points to the detailed regulatory requirements and the challenges posed by supply chain issues. She explains, “There are some elements that will be challenging related to upcoming regulations, particularly around supply chain issues, which are not very detailed in the NIS2 document itself. We will see how each country interprets that in their context.”
Despite these challenges, Aoyama views the integration of NIS2 into broader cyber-security programmes as a significant opportunity. She believes that NIS2 can drive a cultural shift within organisations, promoting shared responsibility for cyber-security across all levels.
“The main challenge for cyber professionals in organisations is to start engaging with internal stakeholders and not see NIS2 as another GDPR. It’s more about engaging with leaders and relevant departments, such as supplier management, to ensure NIS2 is integrated into their cyber programme,” she notes.
Future perspective and synergy with other cyber regulations
Looking ahead, Aoyama sees NIS2 and the EU’s Cyber Resilience Act (CRA) as complementary regulations that together will strengthen cyber-security across Europe.
“NIS2 is towards the critical infrastructure operators, while CRA is towards the product suppliers – any products with digital elements. They are trying to capture the whole ecosystem, including digital product suppliers, distributors, and users, with these two regulations,” she explains.
The integration of these regulations is designed to ensure comprehensive coverage of cyber-security responsibilities across different layers of the digital supply chain. This holistic approach aims to enhance overall cyber resilience and provide consumers with more secure product choices.
Omny’s advice for Nordic organisations
For Nordic organisations, Aoyama advises leveraging commonly used cybersecurity frameworks, such as ISO 27000 or IEC 62443, to streamline compliance efforts. She acknowledges the challenges faced by SMEs in meeting NIS2 requirements but highlights the importance of viewing compliance as an investment. “It’s crucial for organisations of all sizes to recognise this as an investment – not only regulatory, but also a performance driver in the business, to ensure that you can provide services to a broader group of companies,” she explains.
Aoyama also underscores the need for ongoing dialogue between policymakers and practitioners to bridge gaps in expertise and ensure feasible implementation of cyber-security measures. “It’s important to really talk to asset owners about what is feasible to deploy and what could be a blocker to innovation,” she adds.
What becomes evident through this interview is that NIS2 is more than a regulatory burden; it is a catalyst for a strategic shift in how organisations approach cyber-security. By fostering a culture of risk management and shared responsibility, NIS2 aims to build stronger, more resilient cyber defences across the Nordics and hopefully, well beyond.
What is the EU’s Cyber Resilience Act?
The Cyber Resilience Act (CRA) is the EU’s new set of cyber-security rules to ensure safer hardware and software. It aims to safeguard consumers and businesses buying or using products or software that contain a digital component. The Act introduces mandatory cyber-security requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle.
Source: EU Cyber Resilience Act | Shaping Europe’s digital future (europa.eu)
The potential of NIS2 to shape the future of digital security in Europe
The NIS2 directive marks a pivotal evolution in the EU’s approach to cyber-security, with potential long-term effects on Europe’s digital security landscape. By enforcing more stringent and standardised requirements across all member states, NIS2 aims to align countries with varying levels of cyber-security maturity towards a unified goal. This harmonisation will surely lead to a more resilient critical infrastructure across Europe, as more sectors adopt robust cyber-security measures to counter increasingly sophisticated cyber threats.
One of the potentially more transformative aspects of NIS2 is its emphasis on securing supply chains. The EU recognises supply chain security as a critical issue, especially given the increased frequency of supply chain attacks, as well as how supply chain dependencies can lead to increased vulnerabilities for critical infrastructure and services. The NIS2 focus on the supply chain could lead to widespread improvements in security practices across Europe, making digital products and services more secure and reducing the risk of supply chain attacks. In the long term, this could also prompt a shift in how businesses select and manage their suppliers, prioritising cyber-security as a critical factor.
The directive’s stringent requirements may also act as a catalyst for innovation in cyber-security technologies. As organisations strive to meet NIS2’s demands, there is likely to be increased investment in advanced solutions such as AI-driven threat detection, automated incident response, and secure communication channels. This push for compliance may lead to a future where European companies are not just consumers of cyber-security solutions but also leaders in creating them.
If NIS2 successfully reduces the incidence of cyber-attacks within the EU, other regions may look to Europe as a model for their cyber-security policies, potentially leading to the globalisation of NIS2-inspired regulations. In this way, Europe could emerge as a global leader in cyber-security innovation, setting new standards both within the EU and globally. In a world where cyber threats know no borders, the ability to set the rules of engagement could provide a significant strategic advantage for the EU.
As we view it in Telenor, NIS2 is not merely a regulatory update; it is a comprehensive framework poised to reshape digital security in Europe. By driving higher standards, fostering collaboration, and spurring innovation, NIS2 will help build a more secure and resilient digital environment, ultimately positioning Europe as a global leader in cyber-security.
Nordic NIS2 readiness
Percentage of companies surveyed that already provide the cyber-security training required in NIS2:
49% of Finnish companies
61% of Norwegian companies
33% of Swedish and Danish companies
Source: Telenor Group and Norstat survey, October 2023