A tsunami of new cybersecurity laws. That was the title of Compare’s latest networking breakfast, organised under the Interreg Sweden-Norway Cross Border Cyber Capacity project. There are many new rules to keep track of, not least the EU directives NIS2 and CER. Satu Björn, cybersecurity analyst at MSB, and Tomas Björn, CEO of Aktiv IT, which helps companies with secure IT solutions, attended the event to explain what these mean and how they will affect Swedish businesses.
Satu explained that NIS2 aims to achieve a high common level of cybersecurity across the Union, while CER (Critical Entities Resilience) focuses on strengthening the resilience of critical actors. In other words, NIS2 is a more general directive and will be transposed in Sweden through the Cybersecurity Act, while CER is a complement for critical entities.
How is NIS2 different from NIS?
- More covered entities (and entire organisations)
- Stronger sanctions
- Stricter requirements
- Unified incident reporting
- Strengthened international co-operation
- Package solution with the CER Directive
The Cybersecurity Act is due to enter into force on 1 January 2025. However, Satu noted that Sweden will not meet this deadline; she believes the law will instead enter into force closer to summer 2025. She nevertheless emphasised the importance of having structured cybersecurity work in place, so that organisations are one step ahead when the law comes into force. MSB has several digital tools and reports to help organisations comply with the NIS2 directive.
Sweden is in the top tier in terms of digitalisation, but is not even in the top 20 in terms of cybersecurity. This gap is understandably problematic and leaves us vulnerable. Tomas Björn explained that the gap is a result of Sweden being quick to get PCs into households and fibre up and running, while not prioritising security. Many countries started at the other end by getting policies in place first and have therefore overtaken Sweden in terms of cybersecurity.
To-do list for businesses
- Risk and incident management
- Backup and crisis management
- Supply chain security
- Continuous assessment
- Personal security of staff
- Access control
- Encryption policy
In his work, Tomas sees first-hand how important it is for companies to be digitally prepared. He gave the example of a customer who recently suffered 170,908 intrusion attempts in one day. Without firewalls and security procedures, it could have ended quite badly. For many companies, it ends badly. Tomas pointed to figures showing that last year the global cost of cybercrime was SEK 87 trillion, compared to military spending of SEK 26 trillion. The bottom line is that the consequences of cyber incidents are more costly than the efforts needed to strengthen cybersecurity. So make sure you stay ahead of the game.
And don’t forget the next networking breakfast on 14 November on the theme of IoT.