Research shows that the global number of cyberattacks against government institutions and public sector services rose by 40% in a single quarter of 2023. This worrying trend has not gone unnoticed by the European Union, which has been working on a renewal of the Directive on Security of Network and Information Systems (NIS): the NIS2 directive. It will come into effect on October 17, 2024. Below, you'll read exactly what this directive entails, who it is intended for, and what you need to do if it applies to your organization.
Although the first cybercriminal was convicted in 1981, cybercrime really took off about ten years ago. In 2016, the EU introduced the Directive on Security of Network and Information Systems (NIS), its first EU-wide legislation on cybersecurity. In the Netherlands, this first version of the NIS Directive was implemented in the Security of Network and Information Systems Act (Wbni). The directive imposes strict cybersecurity requirements on so-called 'essential companies', and it is precisely this scope that changes in the new, modified version – the NIS2 directive.
The NIS2 directive is essentially the updated legislation on cybersecurity. It provides a framework and accompanying legal measures to raise the level of cybersecurity across the EU and within the individual member states. NIS2 deepens the current NIS directive, but it also adds a number of requirements that the original NIS directive does not provide for.
The new NIS2 directive will apply to many more sectors, and thus to many more companies and organizations, than the current NIS. The NIS2 directive applies not only to essential companies but also to important companies. With this adjustment, the EU wants to ensure that all organizations that perform an important function in society are covered by this directive. Think, for example, of companies in sectors such as food production, waste management, transport, finance, drinking water, and manufacturing, but also companies that play an important role in internet infrastructure, postal and courier services, the chemical sector, and digital providers such as marketplaces.
It is clear that more medium-sized and large companies will have to comply with the updated directive from its planned implementation in October. In addition, the government has the option to designate smaller companies with a high security risk as organizations to which the directive applies; those companies will then also have to comply with the new regulations.
Are you unsure if the new directive applies to your company? The NIS2 Self-Assessment NL tool from the Dutch government allows you to check if your company will also need to comply with the new regulations.
With the new NIS2 Directive, the EU introduces a number of mandatory measures to improve cybersecurity:
Another important addition in the NIS2 directive is proactive supervision. As an essential organization, you must be prepared for proactive checks of whether you comply with the directive. If you do not comply, you risk a fine of up to 10 million euros, or the equivalent of two percent of your company's total annual turnover.
NOTE: It's important to realize that the government will not inform you if the NIS2 Directive applies to your company. You must check this yourself by carefully conducting the NIS2 self-assessment.
Although October is not immediately around the corner, it is wise to start making the necessary preparations now. A good starting point is a risk analysis, which consists of three steps: (1) identifying the existing risks; (2) evaluating these risks, describing for each how likely it is to occur and what its impact would be; and (3) drawing up an action plan so that you can carry out proper incident management and keep the identified risks under control as much and as well as possible.
Other actions you can take now:
It's important to realize that:
Much about the implementation of the NIS2 directive is not yet clear at the moment; as soon as it is, we will supplement and update the information in this article.