The new European NIS2 directive is a hot topic since it will affect so many sectors and companies.
What is NIS2? NIS2 (Network and Information Security, second version) is a European directive that requires organisations to take measures to raise the level of cyber security in Europe. It is part of a broader strategy to protect society from cyber threats so that citizens and businesses can reap the full benefits of digital technologies. By 17 October 2024 at the latest, this directive had to be transposed into Belgian law. Non-compliance can lead to high fines and serious reputational damage. We explain which organisations are and are not covered by the directive.
IT as backbone of economy and society
Core systems like ERP and CRM as digital engines, the automation of numerous operational and business processes, digital internal and external communication, data as oxygen for process optimisation and innovation such as AI: IT is the backbone of every organisation today. At the same time, cybersecurity threats are a worsening problem, as news headlines such as 'One in three companies had at least one cybersecurity incident last year', 'AI and cloud create a heavier battleground' and 'Lack of security talent leads to more incidents' attest. By 2025, the damage from cybersecurity incidents worldwide will be around $10 trillion, according to the estimate cited by insurer Allianz in its recent Risk Barometer.
The EU recognises that IT is not only the backbone of individual organisations, but also of our entire economy and society. The NIS2 directive aims to increase cybersecurity in the EU and improve digital resilience. Concretely, it tightens the security requirements imposed on organisations, explicitly addresses supply chain security, and harmonises and streamlines incident reporting obligations.
More sectors, stricter standards
NIS2, as we explained earlier, is the successor to the Network and Information Security Directive (NIS). The original NIS directive, which came into force in 2016 as the very first EU-wide cybersecurity legislation, was transposed in Belgium in the NIS law of 7 April 2019. The new directive applies to what it calls "sectors of high criticality" (Annex I) and "other critical sectors" (Annex II) within the European Union.
Whereas NIS focused on sectors such as energy, banking, transport, healthcare and digital services, NIS2 covers a much wider range of sectors and organisations. Newly added examples include wastewater, public administration, space, business-to-business ICT service management, postal and courier services, waste management, chemical manufacturing, production and distribution, the food industry, manufacturing of medical devices and more.
The main differences between NIS2 and its predecessor
- Huge expansion of the number of organisations and sectors covered by the law
- More specific measures
- More extensive rules around incident reporting
- Higher fines
- Strong accountability of top management in each organisation so cybersecurity becomes a priority in the Board of Directors.
Impact on the chain
Far more organisations will have to deal with NIS2 than the ones formally in scope. Strictly speaking, the directive places the obligation on the in-scope entity: as part of its risk management measures it must address the security of its supply chain, including its relationships with direct suppliers and service providers. In practice, that means clients who have to comply will pass requirements on to their suppliers contractually and have them audited, so that the supply chain as a whole is protected.
Essential and important entities
Within the new directive, which all EU member states had to implement by October 2024, a distinction is made between essential and important entities. Essential entities are large organisations in sectors of high criticality whose service disruptions have serious consequences for our economy or society.
Important entities are large and medium-sized enterprises in critical sectors. Service disruptions to these organisations can have significant consequences, but are less far-reaching than for essential entities.
Finally, certain small and micro enterprises can also be covered, either because the directive itself brings them in scope regardless of size or because the responsible minister determines that they are (see below).
Is my organisation essential or important?
So whether your organisation is essential or important depends on the sector and your organisation's size. The full text of NIS2, including the sector lists of Annexes I and II, can be found on this EU website.
Essential entities
Your organisation is an essential entity when you:
- Are active in one of the highly critical sectors listed in Annex I
- Are a large organisation, meaning that you exceed the EU ceilings for a medium-sized enterprise: at least 250 employees, or an annual turnover above €50 million combined with an annual balance sheet total above €43 million.
Annex I of NIS2 lists 11 sectors of high criticality: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, management of business-to-business ICT services, public administration and space. Note that a few types of provider in these sectors (for example qualified trust service providers, top-level domain name registries and DNS service providers) are classed as essential regardless of their size.
Important entities
Are you considered an important entity? This is the case when you:
- Are a medium-sized enterprise in a highly critical Annex I sector, meaning that you have between 50 and 249 employees, or an annual turnover between €10 million and €50 million (or an annual balance sheet total between €10 million and €43 million);
- Are a large or medium-sized enterprise within a critical Annex II sector.
Not only within the office walls
It is important to note that NIS2 requirements apply not only to your office environment, but also to digital work processes that take place elsewhere, such as working from home, at remote locations or on the road. Network and information systems used by staff at home or on the road are in scope just as much as the systems in the data centre. NIS2 compliance is therefore crucial, regardless of the location where work is carried out.
Certain micro and small enterprises
In principle, micro and small companies are not covered by NIS2. There are two exceptions. First, the directive itself brings certain providers in scope regardless of size, such as providers of domain name registration services, DNS service providers and providers of public electronic communication networks or services. Second, does a risk assessment show that the service provided by a small company is crucial for the Belgian economy or society? Then the responsible minister can determine that the company should still comply. The company in question is informed of this in good time.
Reporting obligation and penalties
In essence, organisations must comply with two things: a duty of care and a duty of notification. Besides the duty of care, which we outline below, organisations to which the directive applies must report every significant security incident to the Centre for Cybersecurity Belgium (CCB). The directive sets a staged timeline for this: an early warning within 24 hours of becoming aware of the incident, a full incident notification within 72 hours, and a final report no later than one month after that notification. Non-compliance carries heavy financial penalties: the directive sets maximum fines of €10 million or 2% of worldwide annual turnover for essential entities and €7 million or 1.4% for important entities, whichever is higher. More information, including on the duty to report and the penalties, can be found in a previous NIS2 article.
What is duty of care and what exactly does it entail?
Duty of Care means that organisations are obliged to take appropriate and proportionate technical and organisational measures to ensure the security of their network and information systems. This obligation means that organisations must actively work to prevent, detect, and respond to cyber threats and incidents to ensure service continuity and minimise the impact on both internal and external stakeholders.
- Risk assessment: Conduct regular comprehensive risk assessments to identify potential cybersecurity risks to your organisation. This will help determine the necessary security measures to be implemented.
- Implement appropriate security measures: Based on the risk analysis, implement the required technical and organisational measures to manage and mitigate the identified risks. This can range from strengthening network security to training staff in cybersecurity awareness.
- Incident management and recovery planning: Develop and maintain an effective incident management process and recovery plans to respond quickly and effectively to security incidents.
- Comply with reporting requirements: Ensure that you understand and comply with the security incident reporting procedures required by NIS2. This means you should be able to detect, assess and report incidents within the prescribed deadlines to, in the Belgian context, the Centre for Cybersecurity Belgium (CCB).
- Awareness and training: Increase awareness about cybersecurity within your organisation by organising regular training and awareness campaigns. This helps create a culture of cybersecurity where employees understand the risks and know how to act.
- Supply chain security: Evaluate the security practices of your suppliers and partners to ensure they also comply with the requirements of NIS2, especially given the directive's emphasis on supply chain security.
- Continuous evaluation and improvement: Cybersecurity is not a one-off task, but an ongoing process. Regularly evaluate the effectiveness of your security measures and adjust them in response to new threats or changes in the organisation. An experienced Managed Services Provider like Cheops has included these steps in its services and can support you in your path to compliance.
Starting quickly is key
The NIS2 directive had to be transposed into Belgian law by 17 October 2024 and applies from 18 October 2024. From that date, the NIS2 obligations apply to every organisation that meets the descriptions above. Drafting new policies, procedures and governance structures requires a lot of time and intensive thinking and consultation. Something else you should start in good time: cyber security training and shaping a security culture. After all, security is a mindset.
In other words: time is running out. Especially for companies with little IT expertise in-house, it is difficult to take the first steps. Entrusting the operational side of cybersecurity to an ISO 27001-certified Managed Service Provider (MSP) such as Cheops is then a solution. Bear in mind that NIS2 keeps the accountability itself with your management body: the board must approve and oversee the measures and can be held liable, so what you outsource is the execution, not the responsibility.
Cybersecurity in the right hands
For example, Cheops' Security Audits are perfect for assessing the current state of affairs, after which we can map out a roadmap for you to be compliant. With our Managed Security Services, your cybersecurity is in the right hands. Thanks to our Managed Security Awareness and Managed Cyber Defence services, with 24x7 monitoring by our Security Operations Centre (SOC) and a customised Security Incident Response Plan, you are not only optimally protected, but also NIS2-compliant at all times.
Time to improve your cybersecurity approach?
Cheops ensures that your IT security is perfectly in order, so you don't have to worry about anything.