The European Union’s NIS2 Directive is transposed into Finnish law as the Law on Cybersecurity Risk Management and will come into effect in October 2024. The Directive and national legislation aim to ensure a sufficiently high level of cybersecurity in sectors classified as critical and to enhance the management of cyber risks and threats. Sectors are divided based on their criticality into highly critical and critical sectors.
Sectors defined as highly critical include energy, healthcare, transportation, drinking and wastewater, space, the financial sector and its infrastructure, public administration, ICT operators providing security and management services, and digital infrastructure. Critical sectors include the food industry, waste management, postal and courier services, and the manufacturing industry, for instance, medical devices, digital services such as marketplaces and search engines, the chemical sector, and research activities.
The law affects the following measures:
- Risk management
- Corporate responsibility, specifically sanctioned management responsibility for cyber risk management
- Notification and reporting obligations regarding cyber incidents to service users, stakeholders, and the supervisory authority
- Ensuring and maintaining business continuity and crisis management capability
- Adequate technical and methodological cybersecurity measures to ensure cyber resilience, such as encryption solutions, multi-factor authentication, and access and identity management
- Careful consideration of security in procurement
- Training activities to ensure people’s competence and cybersecurity orientation
- Procedures for assessing the effectiveness of cyber measures
- It’s important to note that the legislation’s impact is not only on the critical organization itself but also applies to the supply chains of entities within the scope of the legislation.
The organization’s responsibility extends to partners as well
It’s important to note that the legislation’s impact is not only on the critical organization itself but it also applies to the supply chains of entities within the scope of the legislation.
It’s important to note that the legislation’s impact is not only on the critical organization itself but also applies to the supply chains of entities within the scope of the legislation – that is, all stakeholders that are in a dependency relationship with the critical operator. Therefore, organizations are subject to requirements under the NIS2 Directive either directly or indirectly.
If an organization already has a cybersecurity management system like ISO27001, complying with the NIS2 Directive’s requirements is generally easier, as processes for systematically managing and improving cybersecurity are already in place. Regardless of the cybersecurity management system, organizations must ensure compliance and implement necessary measures to achieve sufficient operational risk management capability and cyber resilience. This involves significant change management capability. Compliance requires stakeholders to have sufficient awareness, understanding, and competence.
Are you ready for continuous risk assessment?
The challenge in assessing adequate risk management measures is that they must be proportionate to the organization’s operational criticality and identified risks and threats. The legislation requires organizations to conduct a risk assessment and continuously evaluate the adequacy of implemented measures. If an organization does not yet understand the risks and threats related to its operations, the assessment of the adequacy of measures can go seriously wrong, causing additional costs that could be allocated to other development activities.
When an organization evaluates adequate measures, key approaches include comprehensive threat and risk assessment, modelling of business continuity factors, and identifying the organization’s critical assets to be protected. The risk assessment must also extend to the supply chain. Unfortunately, the supply chain is often the weak link in an organization, which cybercriminals are aware of. Organizations typically understand their own operations but do not see the real level of their partners’ cybersecurity and risk management. Supply chain risk management and cybersecurity level can be clarified and monitored through systematic measurement based on defined metrics and requirements.
The time for change management under the NIS2 Directive is now.
There is currently a buzz around the Directive and national legislation, as both organizations and consulting firms are eagerly trying to understand what requirements the Directive imposes on organizations and what actually needs to be improved and developed. Ultimately, the answer is straightforward at a general level: understand the threats and risks to your operations, know your organization’s activities and its critical factors, and build sufficient cyber resilience.
Cyber resilience is built on capabilities that ensure the identification of cyber threats, vulnerabilities, and risks, protection against cyber-attacks, detection of successful attacks, response to successful attacks, and recovery from attacks. In addition, the organization must maintain cybersecurity awareness and lead and manage operations at the strategic, tactical, and operational levels – not forgetting supply chains. If you haven’t started implementing this change yet, now is the time.
Wondering how to prepare for the requirements of the NIS2 Directive?
