The new NIS2 cybersecurity directive: how to get started?

What is the NIS2 Directive?

In 2016, the European Union introduced the Directive on the Security of Network and Information Systems (NIS Directive). This first NIS Directive (NIS1) imposed strict cybersecurity requirements on companies considered essential, such as water, energy and telecoms companies. Following an evaluation of the NIS1 Directive by the European Commission, it was found that its scope was too limited and that there were inconsistencies between Member States, which hampered its effectiveness. This led to the need for a new NIS Directive - NIS2. The introduction of NIS2 extends the scope.

Why is the NIS2 Directive important?

As our most vital sectors, such as transport, energy, health and finance, become increasingly dependent on digital technologies to carry out their core activities, they are also increasingly vulnerable to cyber threats. Cyber security incidents are becoming larger and more complex, and often have serious economic and social consequences. The NIS2 Directive recognises this and places emphasis on taking effective measures to protect network and information systems. These measures aim to reduce your organisation's vulnerability and increase its resilience to cyber attacks.

What's new about NIS2?

Some key observations:

• More organisations, including SMEs in some sectors, will be required to implement security measures;

• More comprehensive requirements will be imposed*:

1. Risk management

2. Incident management (prevention, detection and response) and incident reporting

3. Business Continuity and Crisis Management

4. Supply chain security (with a focus on supplier relationships)

5. More transparent disclosure and management of vulnerabilities

6. Cooperation between Member States;

• The NIS2 classifies organisations according to their importance and divides them into essential and important entities;

• NIS2 no longer requires organisations to be either externally audited or ISO27001 certified. However, as with the AVG or GDPR legislation, organisations will need to be able to demonstrate compliance with the NIS2 regulations to national authorities at any time. National authorities will also have the power to take action to encourage organisations to take appropriate measures. In addition to administrative measures, fines may also be imposed (see below).

*In a future publication we will discuss the requirements in these areas in more detail.

Does the NIS2 Directive apply to my organisation?

As mentioned above, the NIS2 Directive has not yet been transposed into Belgian law, which may differ from the European Directive. Therefore, the information below is based on the existing NIS2 Directive.

The NIS2 Directive focuses on sectors already covered by the first NIS Directive and some new sectors. Importantly, organisations may automatically be covered by the NIS2 Directive if they are active in one of the sectors listed below and are classified as 'essential' or 'important' according to the criteria:

Essential entities

Essential entities within NIS2 are the large organisations active in a sector listed in Annex I of the NIS2 Directive. Large organisations are those with (1) at least 250 employees, or (2) an annual turnover of at least €50 million, or (3) an annual balance sheet total of at least €43 million.

Important enterprises

Important enterprises in the NIS2 are medium-sized organisations active in an Annex I sector and medium-sized and large organisations active in an Annex II sector. Medium-sized organisations are those with (1) at least 50 employees or (2) an annual turnover (or balance sheet total) of at least EUR 10 million.)

Exemptions

However, there are exceptions for smaller companies that may also be considered important but do not meet certain size requirements. In addition, some enterprises may be explicitly excluded from the NIS2 by Member States.

Under NIS2, organisations can be designated as essential or important, with the same cybersecurity management and reporting requirements. The main difference between the two is the level of compliance oversight. For example, essential organisations are subject to a more intensive oversight regime and stricter sanctions.

The Centre for Cybersecurity Belgium (CCB) has developed a scoping tool to determine whether your organisation falls within the scope of the Belgian NIS2 law.

Can sanctions be imposed?

Member States must effectively ensure that NIS2 entities take the necessary measures and report incidents. They can do this, for example, by carrying out regular external audits and inspections or by requiring certain documents. Organisations that fail to comply with the requirements of NIS2 may be subject to a range of possible sanctions, including fines or administrative penalties of up to €10 million for "essential entities" (2% of global turnover) and €7 million for "important entities" (1.4% of global turnover). Board members may be held personally liable for non-compliance (Article 32.6).

How can we help you at Vandelanotte?

• You are not sure if and to what extent you need to be NIS2 compliant?

• Do you want to gain more insight into which concrete measures you still need to take to be NIS2 compliant?

• Are you unsure of the right approach?

Our experts can advise and, if necessary, assist you in implementing the necessary security measures to become NIS compliant.

Want to know more about your organisation's cybersecurity compliance? Contact us at Gorik.vandenbergh@vdl.be or cyber@vdl.be.