Mapping Several NIS2 Directive Articles to Technical Specifications for the Healthcare Sector in Sweden

University essay from Högskolan i Skövde/Institutionen för informationsteknologi

Author: Iyad Al Khatib; [2023]


Abstract: Compliance with legal instruments is vital for the survival of any organization or company in the public and private sectors. Non-compliance may result in criminal and financial penalties that can have grave effects on the indicted institution. In the field of Information Security (InfoSec), legal compliance cannot be achieved without relating the legal text of the relevant legislation to the technical realm. It is therefore pivotal to construe the relevant legal instruments in the way they were intended and in good faith. The correct interpretation of InfoSec legal text plays a crucial role in deriving the technical requirements for InfoSec compliance. However, interpreting legal texts can be tedious and challenging: multiple possible interpretations, non-universal definitions, amendments, and jurisprudence make it harder for security engineers and compliance auditors to extract technical requirements for compliance. Furthermore, it is crucial to understand the hierarchy of laws, especially when international instruments such as EU regulations and directives are in force. This thesis focuses on the NIS2 EU Directive and studies a few selected articles to find a method for transforming legal text into technical InfoSec specifications (specs) for compliance, with a focus on its application to healthcare critical infrastructures (CIs) in Sweden. Accordingly, the thesis tries to answer the question of how to comply with selected Articles of NIS2 by setting technical specs for the healthcare sector in Sweden without violating legal obligations. Because of the multidisciplinary nature of this research, spanning the legal and InfoSec fields, the thesis adopts two research methods combined through triangulation. The first is the qualitative research method.
Data collection in this method follows the 'Document Studies' scheme, since all sources for the research are documents, some of which are legal instruments such as NIS2, the EU Medical Device Regulation (MDR) and Swedish laws. Data was thus gathered from both public documents and other publications. After data collection, qualitative content analysis was performed. A total of 410 documents were analyzed, of which 36 were examined most closely, in addition to 3 legal instruments treated as focal laws, comprising EU directives, EU regulations, and Swedish laws. Each data source was analyzed and processed to serve the aims and research questions of the thesis. The second research method is the dogmatic (legal-doctrinal) method, which is used only for the legal parts of the study, since it respects the hierarchy of laws and supports the legal interpretation techniques needed to analyze legal texts such as the NIS2 articles. The results show a need to adopt the InfoSec definition given in the ISO/IEC 27000:2018 standard of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). A second result is that the thesis work and its focal points relate to socio-technical schemes and can benefit from research results in that area. A third result is that Institutional Grammar (IG) 2.0, as a framework for explaining institutional text, is suitable only for specific parts of the legal texts; it is applied to Article 21(2)(e) NIS2 and is shown to be applicable when combined with other interpretation techniques. A fourth result is that, when transforming legal provisions into InfoSec technical specs, it is pivotal to be specific about the field of application (healthcare CIs in this thesis), since laws of the application field may overlap with NIS2. In health-related matters, NIS2 and the MDR are found to overlap, and this intersection is analyzed in the thesis.
A consequent result is a set of technical specs for a timing scheme for reporting InfoSec vulnerabilities and incidents. The last result is a software tool written in Python that supports the research by helping SMEs and other organizations search for vulnerabilities related to their assets. This tool supports the reliability and validity of the results.
