NIS2 the current European security standard for organizations

Blog 1 of 9

On Dec. 27, 2022, the EU published the successor to the NIS Directive, the NIS2 Directive. The Network and Information Security (NIS) directive prescribes minimum security measures intended to achieve a high level of protection of digital systems and cyber resilience. The directive is expected to become law by the end of 2024 and will then be mandatory for many organizations.

Classification of Organizations

The new directive distinguishes between “essential” and “important” entities within industries. Under the new directive, many more, and smaller, organizations will have to comply with the laws and regulations. This may already apply to organizations with 50 employees or an annual turnover and balance sheet total of 10 million euros. For a complete overview, please visit NCSC-overview-NIS2.

Organizations where an incident could impact public safety, security or healthcare, or where a disruption could cause systemic risks, are covered by the new directive.

Objectives of the NIS2 Directive

The directive aims to raise the level of cybersecurity in the EU by, among other things:

- Increasing cyber resilience in multiple sectors.

- Making the implementation of cybersecurity measures mandatory.

- Setting strict(er) incident reporting requirements.

- Unifying cybersecurity rules in Europe.

- Strengthening cooperation among member states.

Differences Between NIS and NIS2

There are some key differences between the original 2015 NIS directive and the new NIS2 directive:

Scope

- NIS2 applies to multiple sectors characterized as “essential” or “important” and their suppliers.

- NIS2 now also applies to medium and small organizations.

- NIS2 introduces stricter requirements for “strategic entities” such as governments, defense and the energy sector.

Supply Chain

- NIS2 requires organizations to address cybersecurity risks in their supply chain.

Mandatory reporting and sanctions

- A wider range of incidents must now be reported, and they must be reported more quickly.

- Higher fines (up to 10 million euros or 2% of global turnover) apply to organizations that fail to comply, and directors' liability also applies.

Requirements and Obligations

The NIS2 directive requires organizations to assess and manage the cybersecurity risks of their ICT systems. This includes identifying and mitigating those risks as well as reporting incidents. So, what does this mean for organizations? It comes down to three key concepts: duty of care, duty of notification and supervision.

Duty of Care

Organizations must conduct their own risk assessment. Based on this, appropriate measures must be taken to ensure the continuity of services as far as possible and to protect the information used.

Duty of notification

“Significant” incidents must be reported to the regulator within 24 hours. These are incidents that (may) significantly disrupt the provision of the essential service. A cyber incident must also be reported to the Computer Security Incident Response Team (CSIRT), which then provides help and assistance. Factors that make an incident reportable include the number of people affected by the disruption, the duration of the disruption and the potential financial losses.

Supervision

Organizations covered by the directive will automatically come under supervision. This involves monitoring compliance with the obligations of the directive, such as the duty of care and the duty of notification.

When will this directive become a legal obligation?

The central government is currently working on transposing the NIS2 directive into national legislation. This may take some time, although it should formally be in force by the end of 2024. That it is coming is certain; the exact date is not yet known.

What can you do now?

In anticipation of this, you can already start preparing your organization in the following areas:

  1. Determine whether your organization is covered by the NIS2 Directive: If the answer is yes, you are required to register. This is intended to provide a Europe-wide picture of the number of entities under NIS2.

  2. Make a risk analysis of the digital threats to your organization: Based on this, appropriate measures must be taken to ensure continuity of services as far as possible and to protect the information used.

  3. Determine how the duty of notification can be organized: Incidents must be reported to the supervisor within 24 hours. These are incidents that (may) significantly disrupt the provision of the essential service. A cyber incident must also be reported to the Computer Security Incident Response Team (CSIRT). Factors that make an incident reportable include the number of people affected by the disruption, the duration of the disruption and the potential financial losses.

What will soon be expected of you?

The website of the Ministry of Economic Affairs and Climate (Digital Trust Center Website - NIS2) lists the 10 basic measures that follow from the directive.

We are happy to assist you in the further elaboration and possible implementation of these measures.

Would you like to stay up to date with all the news regarding the NIS2 directive? Please contact Fred Mahler or sign up for our NIS2 newsletter here.
