May the force be with EU: Swedish MSB’s latest statement of opinion on NIS2

What is NIS2 and Why Should I Be Aware of it?

The NIS2 Directive specifies cybersecurity requirements that need to be implemented by European Union companies that are considered as critical infrastructure. It aims to achieve a high common level of cybersecurity across all member states.

In Sweden, the NIS2 directive will be implemented into a new Swedish law, the Cybersecurity Act. Swedes should be aware of NIS2 because of:

• The expanded scope of sectors that are covered by the directive, from seven to eighteen critical industries.
• Stricter requirements for the organization, including incident reporting, notification obligations, and risk management measures
• New proposed sanctions and increased sanction fees

Statement of Opinion from MSB

The statement of opinion from MSB was released on April 12^th, 2024, it discusses the proposed changes to cyber security laws in Sweden, specifically the upcoming implementation of the NIS2 directive. The key points of this statement is:

• An Expanded Scope: MSB suggests expanding the scope of the NIS2 directive to meet the needs of total defense for Sweden.
• Security Baseline: The NIS2 and CER regulations should be serving as a security baseline and compliment any existing security protections.
• Centralized Reporting Platform: There should be a centralized service to report incidents and streamline processes.
• Avoiding Overlap: There may be an aspect of overlapping regulations and these should be avoided if possible.

MSB emphasizes the importance of considering perspectives from both private and public operators since the current proposal may lead to inefficiencies and double work within both sectors.

Their statement of opinion also includes a detailed analysis and several propositions to improve the implementation of NIS2 within Sweden.

• Roles and Responsibilities: MSB supports its continued role as the national contact point, CSIRT unit, and new role as the national cyber crisis management authority.
• Critique and Suggestions: MSB does criticize the limited scope of the proposed legislation since they deem it fails to fully strengthen resilience in vital societal functions and overlooks any perspectives and needs of both the private and public sector.

Looking to the Future

The NIS2 directive is set to take effect on the 18^th of October 2024; however, the new Cybersecurity Act law in Sweden has been suggested to come into force on the 1^st of January in 2025.

Implementing this new NIS2 Directive in your organization means ensuring that you are well-prepared. This includes activities such as:

• Assessing existing internal cyber security strategies
• Updating incident management policies
• Securing and strengthening collaboration within and outside the organization

In writing moment, Sweden is still in its early moments on how to adapt the NIS2 Directive. The government is supposed to deliver the final report by September 16^th, 2024, and the Directive is set to be conformed on October 18^th, 2024.

Do you and your organization need advice on NIS2?

Connect with us at Onevinn.