Scenario 6: Solicure is a leading pharmaceutical company dedicated to manufacturing and distributing essential medications. Thriving in an industry characterized by strict regulations and demanding quality benchmarks, Solicure has taken proactive steps to adhere to the requirements of the NIS 2 Directive. This proactive approach strengthens digital resilience and ensures the continued excellence of product offerings.
Last year, a cyberattack disrupted Solicure’s research and development operations, raising concerns about the potential compromise of sensitive information regarding drug formulation. Solicure initiated an immediate investigation led by its cybersecurity team, gathering technical data to understand the attackers’ methods, assess the damage, and swiftly identify the source of the breach. In addition, the company implemented measures to isolate compromised systems and remove the attackers from its network. Lastly, acknowledging the necessity for long-term security improvement, Solicure implemented a comprehensive set of security measures to comply with NIS 2 Directive requirements, covering aspects such as cybersecurity risk management, supply chain security, incident handling, crisis management, and cybersecurity crisis response planning, among others.
In line with its crisis management strategy, Solicure’s chief information security officer, Sarah, led the initiative to develop a comprehensive exercise plan to enhance cyber resilience. This plan was designed to be adaptable and inclusive, ensuring that organizational decision-makers possessed the essential knowledge and skills required for effective cybersecurity threat mitigation. Additionally, to enhance the efficacy of its crisis management planning, Solicure adopted an approach that prioritized the structuring of crisis response.
A key aspect of Solicure’s cybersecurity risk management approach centered on the security of its human resources. Given the sensitive nature of its pharmaceutical products, the company placed the utmost importance on employees’ backgrounds. As a result, Solicure implemented a rigorous evaluation process for new employees, including criminal history reviews, prior role investigations, reference checks, and pre-employment drug tests.
To comply with NIS 2 requirements, Solicure integrated a business continuity strategy into its operations. As a leading provider of life-saving medicines and critical healthcare products, Solicure faced high stakes, with potential production and distribution interruptions carrying life-threatening consequences for patients. After extensive research and consultation with business management experts, the company decided to utilize a secondary location to reinforce the critical operations at the primary site. Along with its business continuity management strategy, Solicure developed a set of procedures to recover and protect its IT infrastructure in the event of a disaster and ensure the continued availability of its medications.
Does Solicure effectively handle cyber crises, including all necessary steps? Refer to scenario 6.
Scenario 7: CleanHydro is a forward-thinking company operating in the wastewater industry. Based in Stockholm, Sweden, the company is dedicated to revolutionizing wastewater treatment processes using advanced automated technology that aims to reduce environmental impact.
Recognizing the paramount importance of robust cybersecurity measures to protect its advanced technologies, CleanHydro is committed to ensuring compliance with the NIS 2 Directive. In line with this commitment, the company has initiated a comprehensive employee training program. To do so, the company adheres to Sweden’s national cybersecurity strategy, which includes objectives, governance frameworks to guide strategy implementation and define roles and responsibilities at the national level, a risk assessment mechanism, incident preparedness measures, a list of involved authorities and stakeholders, and coordination policies.
In addition, CleanHydro engaged GuardSecurity, an external cybersecurity consultancy firm, to evaluate and potentially improve the cybersecurity infrastructure of the company to ensure compliance with the NIS 2 Directive. GuardSecurity focused on strengthening the risk management process of the company.
The company started by determining competence development needs: it considered current competence levels, compared them with the required competence levels, and then prioritized actions to address the competence gaps found, based on risk-based thinking. Based on this determination, the company planned the competence development activities and defined the type and structure of the competence development program. To deliver the training and awareness programs, the company contracted CyberSafe, a reputable training provider, to provide the necessary resources, such as relevant documentation or tools for effective training delivery. The company’s top management convened a meeting to establish a comprehensive cybersecurity awareness training policy. It was decided that cybersecurity awareness training sessions would be conducted twice: during the onboarding process for new employees, to instill a culture of cybersecurity from the outset, and following a cybersecurity incident.
In line with the NIS 2 compliance requirements, CleanHydro acknowledges the importance of engaging in communication with communities consisting of other essential and important entities. These communities are formed based on industry sectors, critical infrastructure sectors, or other relevant classifications. The company recognizes that this communication is vital for sharing and receiving crucial cybersecurity information that contributes to the overall security of wastewater management operations.
When developing its cybersecurity communication strategy and setting objectives, CleanHydro engaged with interested parties, including employees, suppliers, and service providers, to understand their concerns and gain insights. Additionally, the company identified potential stakeholders who had expressed interest in its activities, products, and services. These activities aimed to contribute to the achievement of the overall objectives of its cybersecurity communication strategy, ensuring that it effectively addressed the needs of all relevant parties.
Based on the scenario above, answer the following questions:
Is the national cybersecurity strategy in accordance with Article 7 of the NIS 2 Directive?
According to Article 7 of the NIS 2 Directive, what is one of the aspects that the national cybersecurity strategy adopted by Member States must include?
According to scenario 7, how does CleanHydro align with the provisions of Article 29, Cybersecurity information-sharing arrangements, of the NIS 2 Directive?