The NIS2 Directive and the DNS: how will this affect your organisation?
How do you know if your organisation will be affected by NIS2 and what are the requirements you will need to fulfil? To help guide us through the details, we spoke with Michael Duffy, CEO, Excedo Networks AB.
1. What is NIS2 and when will it come into force?
Michael Duffy: NIS stands for Network and Information Systems. NIS2 follows from the original NIS Directive (2016), which was the first EU-wide cybersecurity legislation detailing security requirements and incident reporting obligations for digital service providers and operators of essential services.
To ensure even more harmonisation and consistency, NIS2 makes it much more explicit which organisations the legislation applies to and the requirements they should fulfil. In terms of the DNS, NIS2 focuses on a common baseline of security requirements that aims to ensure a unified and robust approach to the DNS infrastructure used throughout the EU. NIS2 was approved by the EU in December 2022 and will come into force in all EU member states on 18 October 2024.
2. Which sectors are affected by NIS2?
Michael Duffy: The affected sectors, with some examples of Swedish organisations, include: economic security (e.g. Skatteverket); electronic communication and mail (MSB, Trafikverket); energy (Energimyndigheten, Svenska kraftnät); financial (state banks); major data in Sweden (Bolagsverket, Statistikmyndigheten); healthcare (Folkhälsomyndigheten, E-hälsomyndigheten); food and water (Livsmedelsverket, Hav och Vatten); law and security (Säkerhetspolisen, Justitiedepartementet); protection services (Myndigheten för samhällsskydd och beredskap, Kustbevakningen, Polisen); and transport services (Transportstyrelsen).
When it comes to the DNS, all of these 10 major sectors need a redundant DNS infrastructure and protection against all forms of DNS attack. They also need to ensure they have Web Application Firewalls and reliable, redundant routing.
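The "redundant DNS infrastructure" requirement mentioned above is something an organisation can check for itself before an audit. The script below is an added example written for this page; it is not code from Excedo Networks or from the NIS2 text, and NIS2 does not prescribe the thresholds used here. It takes the authoritative name servers of a zone together with their addresses (the constructed sample data stands in for what `dig NS <zone>` followed by A/AAAA lookups would return for a hypothetical zone) and applies a few common-sense redundancy heuristics: at least two servers, IPv4 addresses spread over more than one /24, IPv6 reachability, and servers run under more than one parent domain as a rough proxy for more than one operator. Those heuristics, and the /24 and /48 prefix sizes, are the author's assumptions, not audit criteria.

```python
import ipaddress
from collections import Counter

# Constructed sample: name servers for a hypothetical zone, as obtained from
# `dig NS <zone>` plus A/AAAA lookups of each server. Addresses are from the
# RFC 5737 / RFC 3849 documentation ranges, so nothing here is a real target.
SAMPLE_NS_REDUNDANT = {
    "ns1.provider-a.example": ["192.0.2.10", "2001:db8:a::10"],
    "ns2.provider-a.example": ["198.51.100.10", "2001:db8:b::10"],
    "ns1.provider-b.example": ["203.0.113.10", "2001:db8:c::10"],
}

# Constructed sample of a zone that looks redundant (two NS names) but has a
# single point of failure: one /24, one operator, no IPv6.
SAMPLE_NS_SINGLE_POINT = {
    "ns1.provider-a.example": ["192.0.2.10"],
    "ns2.provider-a.example": ["192.0.2.11"],
}


def parent_domain(name: str) -> str:
    """Strip the leftmost label; used as a crude proxy for 'operator'."""
    parts = name.rstrip(".").split(".", 1)
    return parts[1] if len(parts) == 2 else parts[0]


def assess_ns_redundancy(ns_records: dict, min_servers: int = 2) -> dict:
    """Return a dict of named checks; True means the check passed.

    ns_records maps name-server hostname -> list of IPv4/IPv6 address strings.
    Prefix sizes (/24 for IPv4, /48 for IPv6) are assumptions chosen to catch
    servers that sit in the same small network block.
    """
    v4_prefixes, v6_prefixes = set(), set()
    for addresses in ns_records.values():
        for ip in addresses:
            addr = ipaddress.ip_address(ip)
            if addr.version == 4:
                v4_prefixes.add(ipaddress.ip_network(f"{ip}/24", strict=False))
            else:
                v6_prefixes.add(ipaddress.ip_network(f"{ip}/48", strict=False))

    operators = Counter(parent_domain(ns) for ns in ns_records)

    return {
        "min_servers": len(ns_records) >= min_servers,
        "distinct_ipv4_prefixes": len(v4_prefixes) >= 2,
        "ipv6_present": len(v6_prefixes) >= 1,
        "multiple_operators": len(operators) >= 2,
    }


def is_redundant(ns_records: dict) -> bool:
    """True only if every redundancy check passes."""
    return all(assess_ns_redundancy(ns_records).values())


if __name__ == "__main__":
    for label, records in (("redundant", SAMPLE_NS_REDUNDANT),
                           ("single-point", SAMPLE_NS_SINGLE_POINT)):
        print(label, assess_ns_redundancy(records), "->", is_redundant(records))
```

The failing checks on the second sample are the kind of finding worth documenting before an auditor does: two NS hostnames satisfy the letter of "redundant" while both sit in the same /24 behind the same provider, so one upstream outage takes the whole zone offline.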
3. Why is NIS2 important?
Michael Duffy: The above sectors all provide public services which are critical for society to function. The NIS2 directive is focused on ensuring that these services are always available, secure, and protected against attack or outage.
As of 18 October 2024, NIS2 will be implemented as national legislation in each EU member state. This means that compliance will be compulsory. The penalties for non-compliance will be very high indeed.
Each Member State will be responsible for conducting proactive and reactive checks on organisations to ensure compliance. Proactive checks will be conducted for critical infrastructure (for example, in Sweden this might include MSB, the police or Skatteverket). If an organisation is found to be non-compliant, there will be a fine of up to 10M EUR or 2% of the organisation’s annual turnover. Reactive checks will be conducted for organisations in the strategic sector such as local authorities who will be liable for penalties of up to 7M EUR for non-compliance.
4. What actions do you need to take?
Michael Duffy: Affected organisations need to look at their supply chain policy. In any audit, NIS2 specifies that your service provider (and any third party providers) can be audited to make sure they fulfil the NIS2 requirements. This means you need to have all parties explicitly listed on contracts and that you have an SLA that complies with all NIS2 requirements.
You will need to use providers with a presence in the EU and, preferably, in your local region. So affected organisations in Sweden are better off using Swedish providers who provide agreements and technical support in Swedish and who are much easier to deal with before and during any on-prem audit than companies based elsewhere. Trust and transparency are crucial here, so choosing the correct, local provider will solve a lot of headaches (and the potential of enormous penalties for non-compliance).
You will need to make sure that your organisation and all your providers have ISO27000 certification, or the equivalent level of security compliance required by NIS2.
If you are looking for more information, the European Union Agency for Cybersecurity (ENISA) has been tasked with providing recommendations for how to implement NIS2; in Sweden, MSB have been running an outreach campaign including events like the recent NIS2 conference in Stockholm which brought together more than 400 people.
About Excedo Networks AB
Excedo Networks AB is a leading Swedish digital security and intellectual property management company. With over 20 years of experience, Excedo Networks AB provides premium products and services to governmental and large enterprise clients with a global presence. For more information, visit www.excedo.se.