EU member states will be required to implement the so-called NIS2 directive from September 2024. This directive will ensure that companies will have to put considerable effort into their cybersecurity systems. In this blog, we will discuss the specific implications of the directive and give you tips on how best to handle it as a company.
The emergence of the NIS2 guideline
Cyber attacks can cause enormous damage at both a business and a personal level. In a world where we work more and more digitally, a functioning digital infrastructure is essential.
The war in Ukraine has made it even clearer that our awareness of cyber security is far too low. That is why Europe has taken the initiative to develop Network and Information Security 2 (NIS2), a directive that brings together rules on the security of network and information systems.
By October 2024, NIS2 will apply to an estimated more than 16,000 companies in Belgium that are considered to provide essential services.
What does the NIS2 Directive stipulate?
In 2016, the EU already adopted the Directive on Security of Network and Information Systems (NIS Directive). This NIS1 was the first directive to significantly strengthen cybersecurity requirements for so-called ‘essential companies’. The list was short in 2016, however, and included only companies such as water, energy and telecom companies. NIS2 adds significantly to this list, so that more companies will be labeled “essential businesses”. In addition, NIS2 introduces a host of other stringent measures, notably:
- As more sectors are included in the new directive, large and medium-sized companies in some sectors will be required to implement security measures. Member states can even take steps to identify smaller companies, which do not meet certain size requirements (such as no more than €10 million in annual revenue and fewer than 50 staff), as high risk.
- The governing bodies of companies will be more tightly controlled and can be held accountable under NIS2 if something goes wrong.
- National authorities will be given stricter supervisory powers, and there will be more cooperation among member states to improve security.
- NIS2 tightens cybersecurity requirements for businesses, addressing risk management and key cybersecurity measures.
- The NIS2 no longer distinguishes between different types of services. Under the new directive, organizations are classified according to their importance and are divided into essential and important categories.
- The NIS2 also applies to subcontractors and service providers who have access to a company’s critical infrastructure. They too must meet stricter cybersecurity obligations if they want to partner with an essential company.
- Incidents must be reported immediately by companies and there are stiffer penalties for companies that do not comply.
- Companies should also address security risks in their supply chains and supplier relationships.
In addition, the directive provides a list of minimum basic security requirements that companies must implement:
- Risk analysis and information security policy
- Supply chain security
- Incident handling
- Business continuity and crisis management
- The use of cryptography/encryption
- Security in network and information systems
- Policies and procedures for cybersecurity risk management measures
It falls to the national authorities to monitor this and to enforce it if companies do not take the necessary steps.
What is the impact of the new legislation?
From the moment your business is labeled “essential,” you must comply with the NIS2 provisions. If you don’t, you could risk a fine of up to 10 million euros or 2% of total worldwide annual sales. In addition, company executives can be held personally responsible for failure to comply with NIS2.
NIS2 expects “good cyber security” from essential companies. But what is good cyber security? Having the necessary technology is obviously important, but without the right people who know how to apply that technology properly, even the best-equipped technology is useless.
NIS2 applies the “zero trust principle”: as a company you should always verify everything first rather than simply trusting it, “never trust, always verify.”
How can your company prepare for NIS2?
From the moment member states are required to officially implement NIS2, regulators will organize many inspections and audits. Your company’s cybersecurity will then be strictly monitored.
As with GDPR violations, financial penalties for failure to comply with NIS2 are based on your company’s global revenue. So the costs can be enormous.
A first important step is to make your company’s employees aware of NIS2 and its legal obligations, so that penalties are avoided. Our consultants can train and reshape your company to comply with the rules as soon as they take effect. They do this by encouraging companies to make the right investments, which can be small-scale but efficient measures such as training courses that help employees adopt the right mindset.
It is essential to understand the importance of the new NIS2 directive and take the necessary steps to ensure cybersecurity. Would you like support with this? Feel free to contact one of our consultants to assist you and to conduct a thorough security audit.