The NIS2 directive in force: now what?
The European Union adopted the new Network and Information Systems Security Directive (NIS2) in October 2022. This directive aims to improve the security of critical infrastructures and digital services in the EU.
What is NIS2? What do you need to consider as an organization? And what are the risks in not following NIS2? We'll take you through that in this blog.
NIS2, an extension to NIS1
Cyber threats have increased significantly in recent years. In addition, our society is increasingly dependent on digital infrastructure. The European Commission found that there is still much uncertainty in the field of information security: what measures should organizations comply with, who is responsible, what is the scope and how is it enforced?
Time for a new measure that brings everything into focus. The NIS2 is a successor to the NIS1. The latter has been in force since 2016 and enshrined in the Netherlands in the Network and Information Systems Security Act (Wbn).
Although there are similarities between the NIS1 and NIS2, the NIS2 has a much greater impact than its predecessor. This is partly because the NIS2 applies to more industries, the security requirements are expanded, and management is more involved in network and information systems security.
The changes in outline are:
- The new legislation applies to more sectors
- Security requirements have been expanded
- Managers and Boards become more involved and can be held responsible as well as accountable
- Sanctions and supervisory powers of competent authorities strengthened
- Failure to comply with the NIS directive can lead to fines and penalties
- Incident reporting obligations have been clarified
- The security of the chain of which the organization is a part receives more attention
NIS2 only applicable to the vital sector?
The NIS2 regulations do not apply to all companies and organizations, but are limited to the vital sector. This sector includes organizations and companies that play a crucial role in our society, so the importance of the NIS2 regulations is very high.
Organizations belonging to the vital sector are:
- Infrastructure of financial markets
- Healthcare (including laboratories, research and medical equipment)
- Drinking water and wastewater
- Digital infrastructure
- Digital services
- Postal and courier services
- Waste Management
- Industry (mainly medical, computer and transportation equipment)
It is important to keep in mind that the NIS2 directive does not only apply to these organizations, but also to the entire chain of these organizations. Thus, the regulations also apply to partners, suppliers and service providers of that vital sector.
It is important that everyone in the entire chain understands their responsibilities and takes the necessary measures to keep the security of the vital sector high. After all, the chain is only as strong as its weakest link.
From risk scan to encryption: what measures should you consider?
In essence, organizations covered by the NIS2 directive must secure their network and information systems against cyber attacks and other security risks. In doing so, they must first identify and evaluate their network and information systems. This is how to determine which systems are critical and where additional security is needed. Then, based on this risk analysis, appropriate security measures are taken. Management should also be well aware of liability and additional responsibilities. Finally, organizations should ensure long-term security and conduct risk assessment on a regular basis.
An overview of some of the measures organizations can take, shown in the NIS2 Article 18(2):
- Incident handling
- Business continuity and crisis management
- Supply chain security
- Security in acquiring, developing and maintaining network and information systems
- Policies and procedures (pen testing and auditing) to assess the effectiveness of cyber security risk management measures
- The use of cryptography and encryption
Who is responsible for what?
Most organizations have an officer whose role is information security; the Security Officer or CISO. Given his or her knowledge in this area, the obvious thing to do is to place the implementation of these measures with this person.
Yet the ultimate responsibility lies with management and the board. They are responsible for ensuring compliance and implementing appropriate security measures within the organization. In doing so, they should develop an effective governance structure and make the appropriate processes and resources available for digital security.
Above all, information security and privacy concerns all employees. So place ownership for risks and control measures where it belongs and ensure that everyone in the organization has the necessary cybersecurity knowledge appropriate to their role.
Failure to comply with NIS2 has major consequences
Non-compliance with the NIS2 can lead to fines, penalties as well as damage to reputation. The exact penalties for a board member and/or officer who fails to comply with the law depend on the situation, specific provisions and the national legislation of the member state where the company is located.
A legal game changer with the NIS2 is that these regulations can now also hold responsible parties liable in cases of gross negligence. Think of management positions or directors. Customers or partners can also take legal action more easily.
Furthermore, it goes without saying that not complying with the NIS2 has a negative effect on the organization's image. Obviously, you do not want to be known as an organization that does not take information security seriously.
From regulation to practice, our concrete tools will get you started
What exactly you need to set up in terms of measures is not always clear. Based on your risk analysis, you need to take 'appropriate measures'. But what is appropriate? And how can you avoid overlooking things and still incur legal consequences?
NIS2 from regulation to practice. 3 renowned cyber security parties offer you concrete tools in complying with the NIS2 guidelines. Brand Compliance, Hacksclusive and Perium shared their knowledge on security governance and periodic pen testing as measures in a coherent NIS2 approach during a webinar on June 8, 2023.