2022-05-30 08:45Blog post

The NIS-directive and Swedish protection of digital critical infrastructure

Scrabble letters that spell "LAW".

Some say there are only two types of companies; those who have been hacked, and those who haven't been hacked - yet. This is one of the reasons why the NIS Directive became Swedish law in 2018, intended to increase the level of protection of socially critical infrastructure. Let’s face it, we need a new approach to security, and at the moment this approach needs to be helped on its way by the law.


"There are only two types of companies; those who have been hacked, and those who haven't been hacked - yet."


The NIS-directive

In today’s digitized society we’re dependent on fully functioning networks and information systems that are reliable and secure. Our society must also function in the event of social disturbances, accidents, crises or during times of war. Some activities in society are more important than others - they are referred to as essential services. This resulted in the NIS Directive, the first EU-wide legislation on cybersecurity, and for Sweden, it became a law on 1 August 2018


NIS stands for “The Directive on network security and information systems” - and its goal is to boost the overall level of cybersecurity in the EU. The NIS Directive sets requirements for security in networks and information systems and includes businesses and organizations identified by the member states as "Operators of Essential Services" (short known as OES). In short, the NIS regulation entails requirements for information security and incident reporting for providers of operators of essential services and certain digital services.



But why are these regulations necessary?

The short answer is perhaps because if the law doesn’t protect us, no one else will. But are we not yet aware of the daily digital threats that rise in numbers and strength against us?


Apparently not, or not enough. Therefore operators of essential services have strict security requirements because of the high risks they typically face, and the fact that service interruptions would have more severe consequences for society. These operators of essential services can be found in both the private and public sectors, and they will have to take appropriate security measures and notify relevant national authorities of serious incidents and cyber threats.


Cybercriminals trying to steal data.


When things go wrong, they go very wrong indeed

Take a moment to consider what would happen if a bank was hacked? Banks hold a huge amount of personal information - birth date, social security number, address etc. If this data is exposed, the bank’s customers will be at risk of identity theft, criminals buying things with credit cards in the customer's name etc. then leading to massive debts and trouble with the law for the customer's sake. The bank would be responsible for their customer’s ill fortune. 


Two hands, one paying with a credit card and one holding the card reader.


But what if our water supply system was being targeted by cybercriminals – is that even possible? Yes, yes it is, and we’ve actually already seen it happen a few times. In February 2021 for example, cybercriminals where able to gain access to the operations technology system of a water treatment plant in Oldsmar, Florida. The attempt was to poison the water supply by increasing the amount of sodium hydroxide in the water to toxic levels.


"But why are these regulations necessary? The short answer is perhaps because if the law doesn’t protect us, no one else will."


The What, Why and Who

When it comes to NIS in Sweden, the Swedish Civil Contingencies Agency (MSB) has a coordinating broad role linked to the regulation. All separate organizations, both private and public, then have a responsible to identifying themselves as providers of essential services of any kind according to NIS, and are also responsible to report this to the respective supervisory authority. But how do you know if your business is affected by the regulations in the NIS Directive? Well, these services are first divided into two main groups; essential services and digital services. Essential services are services that are important for maintaining critical social or economic activity.


 If you want to read up more closely on what services are included in the NIS-directive, MSB provides further information. Here follows a short discription: 

These essential services are divided into seven sectors: 

  • Banking  
  • Digital infrastructure
  • Energy
  • Financial market infrastructure
  • Healthcare
  • Delivery and distribution of drinking water
  • Transport


Some additional pointers for identifying if you are a provider of essential services:

  • Provides a service that is important for maintaining critical social or economic activity in one of the above mentioned seven sectors which are covered by the NIS regulation.
  • The provision of the service depends on networks and information systems.
  • An incident would cause a significant disruption in the provision of the service.


A black computer mouse in focus, and hands typing on a keyboard in the background.


When it comes to key digital service providers, they are for example:

  • Search engines
  • Cloud computing services
  • Online marketplaces


Lastly some additional pointers for identifying if you are a digital service provider:

  • You have your main place of establishment in Sweden
  • You have an annual turnover in excess of EUR 10 million
  • You have 50 or more employees




Will You lead, and be a good example?

In accordance with the regulations, these companies that provide essential services are to systematically work with information security and based on risk and are also to report any incidents such as experienced cyber threats and security breaches. But this way of thinking and acting should apply to every organization, every business. Who will lead as good examples, and do what is needed - even if it is not covered by the law?


Cybersecurity is important, and not only for companies and organizations that are covered by the NIS Directive, but for ALL! Sure the effects of a digital security breach at a national bank will affect more people, but the effect of a cyberattack is just as costly and fatal for a local small business and its customers. Therefore, regardless of if you’re included as a provider of essential services by NIS or not - stay safe.




Do you want to know more about the NIS-directive?



Do you want to know more about MSB? 



About Farsight Tech Nordic

Farsight is a Swedish IT development partner that makes people and organizations grow! We are your ”go-to-guys” regarding all your IT systems, technology and IT-security subject matters. At the same time, we are local community builders and ensue a sound labour market and good ethics. Our business is all about finding clever solutions for secure access, management and communication of business-critical information.


Carina Sjövill
Head of Marketing & Communications
Carina Sjövill