What is NIS2 and what does it mean for your organisation?

In recent years, we have seen a sharp rise in the number of cyber attacks and incidents in Europe. In particular, phishing, malware and ransomware are major problems. Cyber attacks can significantly impact societies, as we rely heavily on a well-functioning digital infrastructure, both on a business and personal level. With all of us mainly working digitally, cybersecurity is a basic requirement rather than an option.

To tighten cybersecurity Europe-wide, the European Parliament voted to adopt the revised Network and Information Systems Directive 2022/0383, more commonly referred to as “NIS2”. Seeking to expand, strengthen and harmonise the implementation of the EU’s existing cybersecurity framework, NIS2 forms a key part of the EU’s Cybersecurity Strategy and aligns with the European Commission’s priority to make Europe fit for the digital age. Which sectors does it apply to? And what does its introduction mean for your organisation? You can read about it in this article.

What is the NIS2 Directive?

In 2016, the EU introduced the Network and Information Security (NIS) Directive. This first directive, NIS1, set stringent cybersecurity requirements for so-called 'essential companies', such as water, energy and telecoms companies. NIS2 complements and extends that directive and designates many more companies as essential. In total, it covers some 160,000 organisations across Europe.

The key components of the NIS2 are:

  • Based on the importance to the economy and society, the new directive covers more sectors and revises the way in which companies are classified. Medium and large companies in selected sectors are included in the proposal. At the same time, it gives member states some flexibility to identify smaller companies with a high-risk profile.

  • A stronger focus on the management bodies of in-scope companies: Member States must ensure that these management bodies can be held liable when the entity infringes the provisions relating to the required cybersecurity measures.

  • The directive tightens security requirements for companies by imposing a risk management approach, and outlining the core cybersecurity measures that all in-scope organisations need to put in place.

  • The NIS2 no longer distinguishes between operators of essential services and providers of digital services. Organisations are classified according to their importance and divided into essential and important categories, with the result that they are subject to different supervisory regimes.

  • Incident reporting requirements will be significantly amended, and sanctions for non-compliance will be bolstered.

  • Individual companies must address security risks in supply chains and supplier relationships.

  • There will be stronger supervisory measures for national authorities, stricter requirements for enforcing security measures and harmonisation of sanctioning regimes and reporting obligations in member states, and the cooperation and information sharing between Member States will be enhanced.

When and to whom does NIS2 apply?

NIS2 applies to any organisation operating or providing activities within the EU that provides an essential service to consumers (meaning that it matches the description of an “essential” or “important” entity in a defined list of sectors). Examples include internet providers, energy suppliers, drinking water companies, waste processors, banks, transporters, healthcare institutions and factories producing food or major household items. Notable exceptions are smaller companies that could be considered essential but fall below a size cap (expected to be EUR 10M in annual revenue and/or fewer than 50 employees) and other entities explicitly excluded by the Member States.

NIS2 labels organisations as either essential or important; both categories are subject to the same cybersecurity management requirements and incident reporting obligations. What is the biggest difference between essential and important organisations? Compliance monitoring. For essential providers, mainly parties from vital sectors, monitoring will be strictly proactive and clearly reflected in their processes: supervisors check whether these organisations apply the measures and comply correctly. For important providers, supervision takes place after the event, if there are indications of a cyber incident.

The new legislation has a wider scope (more sectors and more organisations) than the NIS1 directive and aims to equalise and increase digital resilience across EU member states. NIS2 is expected to be enshrined in law in the Netherlands by September 2024 at the latest. “For many SMEs, NIS2 will have no impact unless you are essential. Then you have to be certified and you will get more frequent visits from a regulator,” explained Bart Groothuis, a member of the European Parliament.

[Figure: From NIS to NIS2]

What is the impact of the new legislation?

Is your organisation identified as essential, and are you not complying with the requirements of NIS2? Then you could face fines of up to 10 million euros or 2% of total annual global turnover. Individuals with relevant cybersecurity authority or (management) roles may also be held personally responsible for non-compliance.

Thorough preparation

The formal approval of NIS2 took place on 10 November 2022, and the formal publication of the directive is expected soon. European member states will then have to complete implementation within 21 months of that publication date, leading to an expected implementation on or around the third quarter of 2024. This gives companies time to prepare.

Fortunately, there is a lot you can do to take your cybersecurity to the next level. Adopt the principles of security and privacy by design when introducing new processes or reviewing suppliers, and prepare for NIS2 compliance in a holistic manner that also considers relevant obligations under other laws. For example, your cybersecurity policies and incident management procedures will need to cover all relevant requirements across applicable laws, including GDPR requirements for incident reporting and for appropriate technical and organisational measures. Do not automatically assume, however, that a GDPR-compliant incident response process will be sufficient for NIS2 purposes, particularly in light of NIS2’s tighter reporting timeframes. Review your requirements and your incident reporting process, and consider what changes are necessary.

Consistently applying multi-factor authentication (MFA), developing a sound framework for identity and access management (IAM) and reducing the digital attack surface also help increase your digital security level.

Security and privacy by design is not something that “should” be considered; it is already part of existing directives.

Here's how Nomios helps

Are you struggling to meet the strict cybersecurity requirements? And do you find it a challenge to get your organisation ready for the NIS2? Then Nomios is happy to help you. We are a recognised specialist in cybersecurity and networking and have the knowledge and solutions to help you meet the NIS2 requirements.
