
NIS2 for directors and supervisors

Before you know it, NIS2 will be in force. This new cyber legislation, based on the EU Directive, will have a significant impact on many organizations from the end of 2024, but at the same time it also offers new opportunities. A large number of organizations will be classified as "important" or "essential," resulting in more legal obligations and expanded directors' liability.

Directors face an important task when it comes to cyber security. NIS2 requires a complete focus on establishing optimal digital resilience. But as a director, where do you put the focus, and what questions can you ask as a supervisor?

Which organizations must comply with NIS2?

NIS2 applies to all medium and large enterprises in the sectors specified in Annexes I and II of the NIS2 Directive. The Directive distinguishes between essential and important sectors and takes the size of the organization into account.

Essential sectors include: energy, transportation, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), government services and space.

Important sectors are: postal and courier services, waste management, chemical industry, food industry, manufacturing industry (certain specific segments), digital service providers (such as marketplaces) and research.

In principle, the NIS2 Directive focuses on organizations classified as medium or large, i.e. organizations with more than 50 employees and/or a turnover of more than 10 million euros per year. This appears to exclude SMEs, but for certain specific ICT services the NIS2 Directive also applies to smaller organizations.

Organizations covered by NIS2 must all meet the same cybersecurity and reporting requirements, but the oversight and penalty regimes will differ. Essential sectors will be subject to a stricter supervisory regime than important sectors.

Many organizations are wondering whether NIS2 will soon apply to them.

Tip: Do the check through this website: https://regelhulpenvoorbedrijven.nl/NIS-2-NL/

What will change?

First, organizations may face hefty fines if the NIS2 requirements are not followed. This is similar to the introduction of the AVG (the Dutch implementation of the GDPR) in 2018. Regulators must ensure that covered organizations demonstrably comply with the NIS2 requirements. In addition, directors can more easily be held liable if the NIS2 requirements are not implemented to an acceptable level.

The organizations covered by the NIS2 Directive must take appropriate and proportionate technical, operational and organizational measures. These measures are intended to manage the security risks to the network and information systems these entities use for their operations or services. This includes preventing incidents and mitigating the impact of incidents on the users of their services and on other service providers. Risk management must be implemented and forms the basis for determining which measures are appropriate.

Article 21(2) of the NIS2 Directive describes a set of minimum requirements that must be met. These requirements include risk analysis, information security policies, backup and recovery, supply chain security, basic cyber hygiene practices and cyber security training, policies and procedures for the use of cryptography and, where applicable, encryption. Refer to Article 21(2) of the Directive for the complete overview.

In addition, the European Commission will later introduce specific measures for a number of specific service providers, including DNS service providers, top-level domain name registries, cloud computing service providers, data centers, network providers and managed security service providers.

Demonstrably in control

Organizations that are part of the same supply chain will increasingly ask each other whether they are demonstrably compliant with NIS2. We see a few ways to demonstrate this. For example, you can periodically have an audit report drawn up with NIS2 as its scope, but it may be more efficient and effective for your organization to work according to a recognized framework such as ISO27001, the Baseline Information Security Government (BIO) or NEN7510 (healthcare) and get certified. Once certified, presenting the certificate together with the statement of applicability (scope) is usually sufficient.

Cybersecurity is not something you do to meet a standard. It is an essential part of protecting your business. The risk of major incidents occurring and leading to extensive damage (to continuity of operations, reputation and finances) is significant.

How do I approach this as a director?

As a director, there are a number of things you can set in motion. Below we outline the most important steps:

  1. Do the check on the website mentioned above and determine if you need to comply with NIS2.
  2. Ensure adequate knowledge by providing and facilitating training.
  3. Implement risk management. Create a risk inventory and conduct a risk analysis.
  4. Implement an Information Security Management System (ISMS) and control measures, using a recognized standard such as ISO27001 and ISO27002. Start with the key elements from NIS2:
    1. Business continuity such as backup and recovery.
    2. Incident handling.
    3. Information security training and awareness.
    4. Network and information systems security including vulnerability response.
    5. Supply chain visibility and security.
    6. Policies and procedures on the use of cryptography and encryption.
    7. Use of multi-factor authentication, secure voice, video and text communications, and secure emergency communications systems.
    8. Policies and procedures to assess the effectiveness of cybersecurity risk management measures.

Tips

  • Use risk management primarily to determine the proportionality of the control measures to be implemented, and ensure that control measures are deployed cost-effectively.
  • Above all, use existing and recognized standards. These standards already provide many tips on the practical implementation and execution of the necessary management measures.
  • Use standards such as ISO27002 for monitoring chain partners. This standard includes measures for controlling third-party information security.
  • Deploy tooling that makes these standards available and ensures a strong PDCA (plan-do-check-act) cycle. Cybersecurity is not a one-time activity but requires constant attention and action.


What questions do I ask as a supervisor?

As a supervisor, you want to feel confident that your organization is digitally resilient and compliant with legal requirements. Not just to avoid fines, but above all because you want to handle your personnel data, your trade secrets, (sensitive) personal customer information and so on safely. What questions can you use to keep your managers on their toes and get the right information on the table?

  1. Do we fall under the scope of NIS2? Even if your organization is not covered by NIS2, you may still want to work on optimizing your digital resilience, and the steps above remain relevant.
  2. As supervisors, we need to be sufficiently knowledgeable about information security. How do we ensure that?
  3. What is our status now with regard to information security? Are the responsibilities assigned? Do we have a working implementation in accordance with, for example, the ISO27001? Are we working on the basis of a recognized standard with control measures such as the ISO27002? Is there an information security policy in place? How mature are we with respect to the NIS2 elements?
  4. Have we implemented risk management? Where are our biggest information security risks currently and what is being done about them?
  5. Is there a detailed plan of action to ensure that we demonstrably comply with NIS2 in a timely manner? How will we demonstrate compliance with NIS2? Are sufficient resources available for this? How do we monitor progress and ensure we make timely adjustments?
  6. Do we have a sufficient understanding of the security of our supply chain partners? Is the scope of these partners' certifications and/or audit reports sufficient? Have we arranged the right to have our own audits performed?
  7. Are we working efficiently on risk management and information security? Do we conduct periodic assessments of risks and control measures? Do we work on continuous improvement? Do we use tools for this that provide overview, insight, reporting, transparency and a strong PDCA cycle, or do we work with static solutions such as Excel sheets?


Questions?

Do you have questions or want to know more about NIS2 and Perium? If so, please contact us. We will be happy to talk to you!