What does the new NIS2 directive mean for you?
In 2016, the NIS directive was established. NIS stands for ‘Network and Information Security’. The NIS directive was designed with the aim of strengthening the security of critical infrastructure such as those of banks, energy companies and telecommunications companies.
On 16 January 2023, the revised directive (NIS2) came into force. With this revision, more sectors are covered by the directive and therefore have to comply with more security requirements. Compliance monitoring and sanctions are also harmonised across the EU.
With its greater scope and stricter requirements, NIS2 is intended to better protect the EU against cyber attacks and other digital security threats.
EU member states have 21 months from the entry into force of the NIS2 directive to transpose it into their national legislation and set up the necessary infrastructure to enforce it. From September 2024, the NIS2 legislation will come into force in the Netherlands and organisations will have to comply. It is therefore important for organisations covered by the NIS2 directive to prepare now for the changes the directive will bring.
Below, we detail which organisations are covered by the NIS2 directive and what these organisations need to do to comply with the directive.
Which organisations are covered by the NIS2 directive?
The NIS2 directive applies to highly critical and critical sectors within the EU. This includes companies in the financial, energy and transport sectors, as well as digital service providers such as cloud computing services, online marketplaces, online search engines and social networks.
Among the organisations covered by the NIS2 directive, a distinction is made between essential and important organisations. The two categories are treated differently under NIS2, as explained below.
Essential entities
Only large organisations [1] that fall under highly critical sectors are considered 'essential'. In addition, some organisations are automatically considered 'essential', regardless of their size, if a breakdown in their services would have serious consequences for society or if they are the only provider in the market.
This includes organisations providing public communication networks and services, trust service providers and top-level domain name and domain name registration service providers.
Important entities
In addition to essential organisations, the NIS2 directive also refers to important organisations. Medium-sized organisations [2] operating in highly critical sectors are considered important, along with large and medium-sized organisations in critical sectors.
Most of the organisations covered by the NIS2 directive end up in the important category. For important organisations, supervision takes place after the fact, once reports have been made and an incident has occurred. If it then turns out that the organisation did not take the required security measures, it will also face fines for non-compliance.
[1] Large organisations: more than 250 employees and an annual turnover of at least €50 million.
[2] Medium-sized organisations: fewer than 250 employees and an annual turnover of up to €50 million.
(Figure: NIS2 - essential and important entities by sector)
What are the implications of the NIS2 directive?
Organisations covered by the NIS2 directive must adhere to strict security requirements and report incidents to the national competent authority within 24 hours of detection. In the event of a cyberattack or other security incident, organisations must also act quickly to contain the situation and mitigate its impact. Non-compliance can lead to fines and possible suspension at board level.
What should organisations do to comply with the NIS2 directive?
Organisations covered by the NIS2 directive must take the necessary measures to improve their digital security and report incidents to national authorities.
The measures below represent the minimum requirements to be met:
- Risk analysis and information systems security policies;
- An incident handling process;
- Business continuity, such as backup management and contingency plans and crisis management;
- Supply chain security, including security-related aspects relating to the relationships between each entity and its direct suppliers or service providers;
- Security in the acquisition, development and maintenance of network and information systems, including vulnerability response and disclosure;
- Policies and procedures to assess the effectiveness of cybersecurity risk management measures;
- Basic cyber hygiene practices and cybersecurity training (see NCSC basic measures in the infographic below);
- Policies and procedures on the use of cryptography and, where appropriate, encryption;
- Security aspects regarding personnel, access policy and asset management.
DataExpert
If you have any questions around NIS2 and the current status of the above measures within your organisation, please contact us. We will be happy to help you map the current implementation and establish the required implementation of these measures.