The most important news in information security 2024

Written by Maria Svanberg
Reading time: 4 min

In 2024, several important developments in the field of information security are occurring that you as a CISO should be prepared for. With new standards, frameworks, and laws for cybersecurity, many companies will need to review their procedures and guidelines. Here are the five biggest changes happening this year—are you ready to meet them?

1. The Swedish NIST standard is formulated

The Swedish NIST Standard is an initiative aimed at creating cybersecurity guidelines that are easy to understand and applicable even for organizations lacking deep technical expertise. The standard is based on the American NIST Cyber Security Framework and is driven by SIS (Swedish Standards Institute). This initiative arises from an increased demand for cybersecurity support, in light of the growing threat landscape in society. The NIST standard will include manuals and a technical specification that offers guidance and practical tools for companies to implement effective security measures.

“The NIST CSF will become a best practice for the Swedish market, and the guidance will provide clear examples of how this framework can be used within an organization. It will facilitate ongoing work with cybersecurity and ensure that the protection is correctly sized in all parts of the NIST CSF. At the same time, it will be easier to be compliant with current and upcoming legislation.” – Per Gustavsson, CISO at Stratsys.

2. New key technical standards under DORA

The DORA regulation, set to take effect in January 2025, continues to expand with new Regulatory Technical Standards (RTS) aimed at strengthening the digital resilience of financial authorities. During the winter of 2024, European supervisory authorities published final reports with proposals for technical standards linked to the DORA regulation. These reports, now before the European Commission for decision, focus on four key areas:

  • ICT risk management framework: A framework that identifies additional elements related to ICT risk management to harmonize tools, methodologies, processes, and guidelines.
  • Classification of ICT-related incidents: Specifies the criteria for classifying major ICT-related incidents, including thresholds for when an incident is considered significant, and how to assess severe cyber threats.
  • Policy for ICT services performed by third-party providers: Describes parts of the governance structure, risk management, and control system that financial companies should implement when using third-party IT services.
  • Templates for information registers: Establishes templates that financial companies must maintain and update related to contracts with providers, playing a crucial role in their framework for managing third-party risks.

“These technical standards are beneficial as they do not leave much room for interpretation around the framework. This simplifies processes such as purchasing security systems, training staff, and setting the right requirements for subcontractors. The latter is particularly interesting for CISOs to keep an eye on, to gain greater transparency around due diligence and security requirements in supplier contracts.” – Per Gustavsson.

Per Gustavsson, CISO at Stratsys

3. NIS2 becomes Swedish cybersecurity law in 2024

In 2024, the NIS2 Directive will be implemented into Swedish law, significantly impacting organizations' security strategies. One of the major changes is that NIS2 expands the scope of sectors covered by the directive, meaning more organizations will be required to take measures to enhance their cybersecurity.

The directive also introduces stricter security requirements for both companies and digital service providers—and tougher penalties. Potentially, the NIS2 Directive could also allow regulatory authorities to impose sanctions of up to 10 million euros, or 2% of a company’s annual global turnover (which can be compared to GDPR, where penalties can reach double that amount). At the same time, fines and penalties could be directed specifically at, for example, board members and individuals in leadership positions.

Before the Swedish cybersecurity law is adopted, the CER Directive will also be presented, which is more focused on strengthening the resilience of critical entities, such as vital community operations. This mainly involves efforts to prepare and protect these operations against various threats—such as natural disasters, accidents, and cyber threats. The directive requires affected operations to conduct risk assessments and take measures to enhance their resilience in this regard.

4. AI Act – a unique EU law regulating AI

In March 2024, the European Parliament passed a completely new AI law that regulates the use of AI across the entire union. The AI Act applies to all providers handling AI systems in various capacities—from manufacturers to installers and distributors. The law categorizes AI into four different risk classes that dictate how various AI systems may be used—and outright bans certain applications. For instance, specific requirements are set for high-risk systems, such as those used in education, law enforcement, and infrastructure.

For Swedish companies, it becomes essential to conduct risk assessments and implement measures to comply with these requirements throughout the supply chain. Companies should begin by inventorying how AI systems are used within the organization and assess these based on the risk levels indicated in the law. Parts of the new law will come into effect as early as May 2024, and fully by 2026, and companies violating the law risk fines of up to seven percent of their global annual turnover.

“The use of AI should occur in several steps before it is fully implemented in the organization—it must start small and controlled, and be tested in many different ways. Above all, it is important to fail quickly. The goal is to figure out how AI can be used in a way that supports the business and its customers. Today’s challenges with AI are essentially the same three things as 30 years ago—ethics, data quality, and determinism. Is it acceptable to use the technology in the intended way? Is the data being used of sufficient quality? And how do you ensure that the same question receives the same answer over time?” – Per Gustavsson.

5. Strict cybersecurity requirements across the entire supply chain

With the implementation of NIS2 and DORA, there are also new, specific requirements to ensure robust cybersecurity throughout the supply chain—much more decisively than before. An organization is no longer just responsible for its own cybersecurity but must also ensure that its suppliers and partners meet certain security standards. Nearly half of all IT incidents reported by authorities in 2023 occurred at a supplier level, clearly demonstrating how responsibility and cooperation are becoming increasingly important for protecting an organization. This is particularly critical when multiple operations share the same supplier that suffers an incident, as was the case with the attack on Tietoevry in the winter of 2024. Such disruptions pose the greatest risk of societal impact, as they affect numerous organizations simultaneously.

The expanded requirements of the NIS2 directive mean that organizations must take specific actions to mitigate risks that may also arise within the supply chain. This involves everything from regular security assessments to clauses about cybersecurity in contracts, as well as meticulous monitoring of shared traffic and data.


Do you want to know more about how Stratsys can help you in your information security work? Read more about our product Information security & privacy or contact us directly.