NIS Directive - how growing businesses avoid the pitfalls

Since 2018, a law has been in force called the Act on Information Security for Vital Societal and Digital Services, commonly referred to as the NIS Act. In short, the law sets requirements for information security and mandatory incident reporting. The requirements apply to providers of essential services in areas such as energy, transport and digital infrastructure, but also to providers of the following digital services: cloud services, e-commerce sites and search engines. The law does not differentiate between private and public service providers, so the requirements apply to all - regardless of ownership. Smaller companies are exempt from the requirements.

The main responsibility for the law lies with the Swedish Civil Contingencies Agency (MSB), but responsibility for the various sectors covered lies with specific supervisory authorities. The Swedish Post and Telecom Authority (PTS) is the responsible supervisory authority for both the part of essential services that consists of digital infrastructure and for digital services.

Why is the NIS law relevant for start-ups and SMEs?

As noted above, there is an exemption for smaller companies. So why is the NIS Act relevant for start-ups and small and medium-sized enterprises (SMEs) as well? Because as soon as a company grows and crosses the threshold in the definition of what counts as a small business, it becomes subject to the requirements of the law. Most small businesses are probably not fully aware of this. Since a company does not have to notify PTS, or any other body, before operating in the areas covered by the digital services category, it is difficult to reach the affected companies with targeted information. We at IT&Telekomföretagen therefore think it is important to contribute by informing our members about this through our channels.

SME boundaries

The threshold for small businesses according to the EU definition, and thus also under the NIS Act, is:

  • 50 employees and
  • 10M Euro in turnover or
  • 10M Euro in total assets

This means that if you are an SME operating in the field of digital services but fall below the above limits, your company is not subject to NIS regulation.

If, on the other hand, you intend to grow your business and may therefore exceed the EU SME limits, it is wise to know what the NIS regulation entails.

Areas to think about

  • Information security
  • Incident reporting
  • Security by design and default
  • Privacy by design and default

Making conscious and informed choices at the outset about what the requirements are, or might become, avoids major problems as the business grows.