Aug 29, 2023

NIS 2 Directive: What You Need to Know as a Healthtech Startup

Vikk Linden, Head of Product Success
Helena Holma, CEO and Co-Founder

Information security and cyber threats are important to any organisation because they can have a significant impact on the organisation's reputation, finances, and operations. Cyber attacks can result in data breaches, which can lead to the loss of sensitive information, financial loss, and legal consequences. In addition, cyber threats can disrupt an organisation's operations, leading to downtime and lost productivity.

If this wasn’t enough to make anyone keen on implementing effective information security measures, there is also legislation around the corner that will place higher requirements on businesses within the European Union. If you haven’t heard about the NIS 2 directive, it’s about time that you do.

The NIS Directive and its successor

In 2016, the Network and Information Systems (NIS) Directive was introduced in the EU. Its purpose was to improve the resilience of essential services and digital service providers in the European Union. The directive established a set of rules and security requirements for these organisations, to provide a common ground throughout the union regarding cybersecurity.

As the threat landscape has evolved and the use of digital services is on the increase, an updated version of the directive, known as NIS 2, will soon replace the original one. Member states have until October 17th 2024 to implement the directive as national law, so time is ticking for any preparations to be made - and there might be a few, depending on where you are starting out from!

Health Tech startup? You are probably within NIS 2 scope

Where NIS applies specifically to organisations within the categories ‘healthcare’ and ‘digital service providers’ (among others), NIS 2 will also apply to ‘manufacturing of medical devices’ and ‘data centre services’. If your business falls into any of these categories and is considered a medium or large company (>50 employees and/or an annual turnover of €10 million), you will have to comply with NIS 2 on that basis alone.

However, NIS 2 emphasises cybersecurity measures throughout the supply chain, too! This means that even if your business does not fall into any of the mentioned categories, you will have to comply with NIS 2 if you are a supplier to any of the categories within its scope. We can expect the market to include cybersecurity measures at NIS 2 level as firm requirements in contracts and tenders going forward.

What does it mean for our business?

NIS 2 places higher security requirements on suppliers within critical infrastructure such as digital healthcare. It also outlines some specific security practices that should be in place. These are:

  • Risk analysis and information system security policies.

  • Incident handling (prevention, detection, and response to incidents).

  • Business continuity and crisis management.

  • Supply chain security.

  • Security in network and information systems.

  • Policies and procedures for cybersecurity risk management measures.

  • The use of cryptography and encryption.

Most health tech companies are likely to have at least some of these measures in place already. However, it is a good idea to assess to what extent the current practices are effective and review whether they need to be updated, especially as NIS 2 has swift and efficient incident reporting to the relevant authorities as one of its main requirements.

For instance, if you have a process for risk analysis in place but risk awareness throughout your organisation is low, you might need to work with your employees to ensure everyone knows how to handle identified risks. If employees do not know that incidents need to be reported within 24 hours to the relevant authorities, then it will be a challenge to meet that requirement.

Consequences for organisations - and management teams

Similar to the sanctions in GDPR, NIS 2 can be expensive if you are not compliant. Organisations that fail to comply with the directive could face fines of up to 10 million euros or 2% of their global turnover, whichever is higher.

Another thing to bear in mind is that under NIS 2, company management will bear personal accountability for compliance with the requirements. So if information security practices are not yet in place or effective, you might want to make them a company priority for the year to come.

How to get started

If you’ve read this far, you will already have reached the conclusion that stepping up your organisation's information security work is a good idea. If implemented right, it can make your organisation both more secure and more efficient, without slowing you down.

Adopting sound security practices requires systematic work - so a good starting point is to assess your organisation’s current level of cyber security practices and address any gaps that emerge. There are different frameworks for doing this - the Swedish authority MSB offers a free tool, for example. The ISO 27001 standard is another great resource for identifying what should be in place in any organisation that takes information security seriously.

At Leyr, we have made information and cyber security a priority. We have analysed our information security requirements and how to implement them in a way that prepares Leyr for a future ISO 27001 certification. We will share some concrete examples of actions that health tech startups can take in a later post. Stay tuned if you are interested!
