The key elements to take into account when implementing NIS2
by Gorik Van den Bergh
The new European directive NIS2 is the successor to NIS (Network and Information Security Directive) and will come into force on 17 October 2024. In previous publications, we have told you what NIS2 exactly entails and the potential impact on your organisation. In this article, we make a list of the important elements to take into account when implementing NIS2.
We are confronted with the importance of cybersecurity and therefore the importance of NIS2 in the news every day. The Centre for Cybersecurity Belgium (CCB) also reported on this in its CCB Report:
Belgian organisations were mainly victims of ransomware and DDoS attacks in 2023. They were also affected by other categories of cyber incidents, such as data breaches, CEO fraud, threat indications on the dark web and dedicated forums where stolen data was published, and the compromise of Belgian IP addresses used in cyber operations.
Phishing is still one of the main attack methods used by attackers to install malware on a target system, but it is also one of the most common forms of attack used to steal data, such as personal and identification information, and to commit cyber fraud.
The key elements to take into account when implementing NIS2
1. Awareness
It is imperative that your organisation's senior management is aware of and understands the requirements of the NIS2 Directive and risk management efforts. Directors have a direct responsibility to address cyber risks and comply with the requirements. By extension, it is of course important that all employees are sufficiently aware of potential cyber threats.
2. Risk Management
The term risk management is mentioned no less than 144 times (!) in the NIS2 publication. It is therefore a part of the NIS2 directive that should not be underestimated. Indeed, organisations should implement measures to minimise the risks and consequences they have identified.
3. Reporting to authorities
Organisations should have processes and procedures in place to ensure that they report incidents to the authorities in an accurate and timely manner.
4. Business continuity
Organisations should take steps to ensure business continuity, including back-ups, recovery tests, emergency plans and crisis management.
5. Suppliers
In addition, organisations should identify security risks at their suppliers. Suppliers are often part of an organisation's wider chain of trust. An unprotected supplier can be a weak link and pose a risk to the entire organisation and its stakeholders.
6. Sanctions
Organisations that fail to comply with the requirements of NIS2 may be subject to a range of possible sanctions, including fines or administrative penalties of up to EUR 10 million for so-called significant entities (2% of global turnover) and EUR 7 million for important entities (1.4% of global turnover).
How can we at Vandelanotte help you?
(IT) risk management software to make your organisation's risk management more efficient;
Request penetration tests to evaluate and improve your organisation's resilience;
Discover our cybersecurity awareness solutions (phishing, online training, ...).
Our experts will advise and, if necessary, assist you in implementing the necessary security measures to be NIS compliant.
Want to know more about your organisation's cybersecurity compliance? Contact Gorik.vandenbergh@vdl.be
This form can only be sent with the use of technical cookies. You can accept these cookies here.
These cookies are used to distinguish people from bots. Certain data, such as your IP address or language preference, can be sent to Google. More information in our cookie policy.
Gorik Van den Bergh
Certified Information Systems Auditor Gorik.VandenBergh@vdl.be
Disclaimer
In our opinions, we rely on current legislation, interpretations and legal doctrine. This does not prevent the administration from disputing them or from changing existing interpretations.
News and insights
Read our latest insights and news releases to stay abreast of changes in your industry.
