What is the new NIS2 directive and who does it concern?

Research shows that the global number of cyberattacks against government institutions and public sector services rose by 40% in just one quarter in 2023. This worrying trend has not gone unnoticed by the European Union. The international governing body has been working behind the scenes on a renewal of the Directive on Security of Network and Information Systems (NIS): the NIS2 directive. It will come into effect on October 17, 2024. Below, you'll read exactly what this directive entails, who it's intended for, and what you need to do if it applies to your organization.

NIS vs NIS2: what's different?

Although the first cybercriminal was convicted in 1981, cybercrime really took off about ten years ago. In 2016, the EU introduced the Directive on Security of Network and Information Systems (NIS), marking the first legislation around cybersecurity. In the Netherlands, this first variant of the NIS Directive was implemented in the Security of Network and Information Systems Act (Wbni). This directive imposes strict cybersecurity requirements on so-called 'essential companies'. And it's precisely this that will change in the new, modified version – the NIS2 directive.

The NIS2 directive is essentially the updated legislation on cyber security. The directive provides a framework and accompanying legal measures to raise the level of cyber security in the EU, and in the individual member states. The NIS2 directive is a deepening of the current NIS directive but is also expanded with a number of additions that the original NIS directive does not yet provide for.

Who does the NIS2 directive apply to?

The new NIS2 directive will apply to many more sectors, and thus to many more companies and organizations, than the current NIS. The NIS2 directive applies not only to essential companies but also to important companies. With this adjustment, the EU wants to ensure that all organizations that perform an important function in society are covered by this directive. Think, for example, of companies in sectors such as food production, waste management, transport, finance, drinking water, and manufacturing, but also companies that play an important role in internet infrastructure, postal and courier services, the chemical sector, and digital providers such as marketplaces.

It is clear that more medium-sized and large companies will have to comply with the updated directive from its planned implementation in October. In addition, the government has the option to designate smaller companies with a high security risk as companies to which the directive applies. Those companies will then also have to comply with the new regulations.

Are you unsure if the new directive applies to your company? The NIS2 Self-Assessment NL tool from the Dutch government allows you to check if your company will also need to comply with the new regulations.

What does the NIS2 directive mean?

With the new NIS2 Directive, the EU introduces a number of mandatory measures to improve cybersecurity:

• Implementing a risk management process: risk management is part of your organization's quality management. As an organization, you need to be aware of the risks you face. Cyber risks must be identified and addressed.
• Incident management and developing an incident response plan: this ensures business continuity in the event of a cyberattack. It is expected that a plan will be in place that will be activated in the event of an incident. Think of system restoration, emergency procedures, and setting up a crisis organization.
• Sharing information about IT security incidents: the new NIS2 directive demands that your organizational processes are set up in such a way that a correct report can be made quickly to the authorities in the event of a cyberattack. This includes the strict requirement that major incidents be reported within 24 hours.
  
  

Penalty for non-compliance with NIS2?

Another important addition to the NIS2 directive is proactive control. As an essential organization, you must prepare for proactive checks to see if you comply with the directive. If you do not comply, you risk a fine of up to 10 million euros, or the equivalent of two percent of your company's total annual turnover.

NOTE: It's important to realize that the government will not inform you if the NIS2 Directive applies to your company. You must check this yourself by carefully conducting the NIS2 self-assessment.

NIS2: how can I prepare?

Although October is not immediately around the corner, it is wise to start making the necessary preparations now. To start, it's good to conduct a risk analysis. This consists of three steps: identifying the existing risks (1), evaluating these risks (2) in which you describe how likely it is that a certain risk will occur and what its impact is. Finally, you set up an action plan (3) to be able to execute proper incident management to control the identified risks as much and as well as possible.

Other actions you can take now:

• Check if the new directive applies to you
• Determine which measures are needed to comply with the requirements of the directive
• Determine which network and information systems are used within your organization
• Raise awareness among staff about IT security and cyber risks
• Budget the possible measures so you are not suddenly surprised by the costs of implementation
  
  

Keep this in mind

It's important to realize that:

• the NIS2 directive will be implemented at the national level, meaning all EU member states themselves must determine how the NIS2 directive will work exactly.
• For SMEs, there are other solutions, because the costs of making your organization cyber risk-proof, let alone paying a fine for not complying with the NIS2 directive, are simply not affordable for such companies. The government offers a subsidy scheme, and SMEs can also choose another route to arm themselves against cyber risks, for example, by working according to SIRA standards.
• WoodWing is ISO 27001 certified. That's why it is expected, because WoodWing already works in accordance with ISO 27001, that complying with the NIS2 directive will not be problematic. It also makes WoodWing more credible when we post articles on incident management, cybersecurity, and related subjects, and advise organizations on how to comply with the NIS2 directive requirements.

Much about the implementation of the NIS2 directive is not yet clear at this moment, but as soon as it is, we will supplement and update the information in this article.