Development worldwide is moving towards smart buildings and smart cities, where sensors capture events and where identities and other data are collected, stored and analysed in order to make operations and processes more efficient in various ways. The possibilities are endless, but it is also true that vulnerabilities increase as the IoT community expands.
For critical infrastructure, this is particularly serious. Therefore, the EU countries’ joint cyber security agency Enisa has launched NIS, the Directive on security of network and information systems, which sets requirements for security in networks and information systems. The NIS Act covers all companies that deliver socially important services, as well as certain digital services.
Difference between GDPR and NIS
That NIS compliance will be tightened via legislation brings to mind the implementation of GDPR. The difference, however, is that NIS is an EU directive with the aim of increasing Europe’s resilience against cyber attacks by protecting IT systems and infrastructure. The purpose of GDPR is to protect personal data.
Another difference is that the GDPR is an EU regulation that applies directly in the member states’ legal systems, while NIS is a directive that each member state applies by introducing local laws in its own legal system.
Important security issue
In interviews and in debate articles, Robert Jansson has raised the importance of suppliers and users of ID management and access control systems starting to discuss NIS. At the recent security exhibition in Stockholm, Skydd, he participated in a panel discussion on the subject.
“The security industry’s actors in access control must start their journey now. Non-NIS-compliant access control systems are an important security issue, not only for the industry but for society at large,” he says.
“The NIS directive will raise the EU member states’ level of protection with regard to socially critical infrastructure. Therefore, the directive will become law in Sweden and other EU countries in 2025,” he states further.
French initiative behind NIS
Stid Security’s heavy involvement in NIS has a historical background. Stid Security is a French manufacturer and developer of smart identification solutions, and it was in France that work on protecting personal identity began, according to Robert Jansson.
“There was already national legislation regarding identity protection, long before the GDPR became law in EU countries. It was also French authorities that wanted to create an order that clarified how different systems become GDPR-compatible,” says Robert Jansson.
“The French cyber security agency Agence Nationale de la Sécurité des Systèmes d’information (Anssi) was commissioned to create a standard that described in clear steps how to build systems that ensure protection of personal identity.”
GDPR is not enough
Robert Jansson highlights the need for the NIS directive by giving an example of a company that has a biometric solution for access control.
“The biometric signature is stored in a hardware, system or in the cloud. The supplier claims that the solution is safe and approved as it is encrypted and no one can read the information stored in an EU country. In addition, the manufacturer or supplier of the solution is a well-known company domiciled in an EU country. It may sound safe, but it is not,” he says.
“The important thing is who has access to the key. If the solution is sold to a company that is fairly uninterested in the European GDPR legislation, then they have access to the users’ biometric values, i.e. the identity.”
In the worst case, people’s biometric data may be bought by the highest bidder and used in a way that is not compatible with European legislation and ethical guidelines.
NIS complements GDPR
NIS will be introduced in January 2023 and all countries then have two years to implement what the directive requires before NIS becomes law in 2025.
“NIS clarifies how identities in a pass system can and must be protected. The example of the biometric signature is just a variant of how identities in a pass system can come into operation,” states Robert Jansson.
Dialogue is important
In Sweden, access control providers do not seem overly interested in publicly discussing NIS. Jansson suggests why that might be.
“Maybe it is because you have insufficient knowledge and that you are late in the process. I hope that is not the case. An open dialogue between us suppliers where we discuss the way forward towards NIS-compatible solutions for systems that handle ID and access control should be a matter of course,” says Robert Jansson, who believes that Stid Security has a lot to offer in such a dialogue.
“We have followed the entire development of the NIS directive and made the technology available through the European organisation SPAC at SPAC’s web page. Everything required to technically comply with the law and manage all flows of identities and identity-related information can be downloaded free of charge there.”
The SPAC organisation represents European technology and standards and works to secure identity-related information.