Reducing the risk of cyber attacks in Life Sciences

Cyberattacks pose a growing threat to vital societal functions, as well as small and large businesses and individuals. We live in an increasingly digitalized world, which means that sensitive data is becoming more and more accessible. Government organizations, individual businesses and private individuals therefore need to put additional resources into securing their data with the aim of maintaining a functioning society. The updated NIS2 Directive sets requirements for the security of networks and information systems containing sensitive information, in order to minimize the risk of malicious cyber attacks.

Updated EU directive to minimize the risk of cyber attacks

Maybe you have access to several cloud solutions, both privately and in your professional role? Then you can start thinking about questions such as, "How long will I be able to do my job if, for example, Microsoft 365 is down?". When you start thinking along these lines, you quickly get a sense of how vulnerable the situation could be. But there is light at the end of the tunnel. One example is the EU directive that focuses on information security. It has now been updated and is known as NIS2 (EU 2022/2555). In short, the NIS directive sets requirements for the security of business networks and information systems.

The updated version brings major changes as it now covers more essential functions and companies (entities and actors). But the update also aims for a more harmonized legislation across the EU, with more clarity and less room for national interpretations. The original Directive has already been active for a few years, which means that not all information is necessarily new to everyone. However, in the past, information security requirements only covered major players such as healthcare, water supply infrastructure, the energy sector, etc. and there was also some scope for national interpretation in many of the decisions.

How life science activities are affected

We now see that our customers, partners and businesses, with whom we already collaborate today in Life Science, both on the pharmaceutical side and in medical device manufacturing (including In Vitro Diagnostics), may be affected in some way by the Directive. It now specifically targets suppliers in contact with healthcare providers (e.g. pharmaceutical companies) and medical device manufacturers. It is therefore now important to define whether your company is affected by NIS2 and how your business is affected. It is worth noting, however, that the point is not simply that a new directive has come into force, but what you need to update in your business structure in order to run as secure a business as possible and to feel well prepared for how to act on the digital threats that will sooner or later arise.

One of the areas you should review at an early stage is how the organization works with supplier assessments. In many cases, suppliers of business systems become an extension of your own business, and it is important that you understand how the supplier works and what level of security thinking the supplier has, in order to be able to assess the risk of impact on your own business. In this article, we are referring to the entire business and not just to product development or manufacturing processes, which one might otherwise be used to focusing on.

"Finding solutions and practical possibilities, based on a company's unique conditions, is important for ensuring quality and safety at the highest possible level. Quality and safety work needs to be designed in such a way that the company has something to act on that actually generates safer operations and, by extension, safer products. Safety thinking and risk assessment must permeate the entire organization and all work processes." - Beatrice Orback, Team Leader & Consultant, Health Care Plantvision Compliance.

Do you need help and guidance through the new requirements and the way forward for your company? Contact one of our experts and take control of your information security today. 


*A directive sets targets for member states to reach, but they are free to decide how to achieve them. Before a directive can enter into force at national level, Member States must adopt a law transposing it. This national measure must meet the objectives set out in the directive. National authorities must inform the European Commission of these measures. Source: https://eur-lex.europa.eu/SV/legal-content/summary/european-union-directives.html

**NIS stands for "The Directive on measures for a high common level of cybersecurity across the Union" and the Directive is called "Measures for a high common level of security of network and information systems across the Union". Directive EU2022/2555 is active in the Union and must be fully implemented in all Member States by October 18, 2024.


Article author

Beatrice Orback, Team Leader, Plantvision AB
Beatrice Orback
Team Leader/Consultant Health Care
