Since January 2023, the European NIS2 Directive has been in force. As a result, a much larger number of companies and organizations will have rules imposed around the cybersecurity of their networks and information systems. Every organization has the responsibility to comply with the new regulations.
IT as an indispensable part of business
Without IT infrastructure, digital applications and data, government organizations and businesses cannot function. IT is providing a huge boost to communication capabilities, innovation and efficiency. At the same time, concerns are also growing about the accessibility and security of all those IT assets. Not only technical difficulties but also hackers pose a major threat now that we are so dependent on IT.
Comprehensive regulation: NIS2 directive applies to many sectors
The first European "Network and Information Security" (NIS1) directive was applicable in Belgium from 2019 to organizations providing essential services, such as telecom companies and water utilities. It imposed obligations on them around the level of their cyber security. In the new NIS2 directive, the scope of regulation has been greatly expanded to a much larger number of sectors and organizations.
The basic idea of the NIS2 directive remains the same as its predecessor. The intention is to make companies aware of the importance of cybersecurity and to take appropriate measures around it. In addition, it aims to strengthen European cooperation on cybersecurity.
Mandatory optimization of cybersecurity
Companies operating in the sectors mentioned are obliged to take strict measures to ensure optimal cybersecurity. Among other things, they must follow specific procedures and rules around incident reporting and handling, business continuity, encryption and supply chain security. Moreover, sanctions are stricter and top management of companies are held strongly accountable. Cybersecurity should therefore become an even more important topic within the boardroom.
Now that the NIS2 directive has been approved in the European Parliament and also published, each EU member state has until October 2024 to transpose the directive into national law, including the imposition of fines when organizations fail to comply with it, similar to the GDPR directive that has been in place since 2016.
'essential entities':
- large enterprises as of 250 employees or with an annual turnover of at least EUR 50 million
- active in one of the critical sectors from Annex I
- face more NIS2 audits and tougher sanctions
- fines of up to 10 million euros or at least 2 percent of annual global turnover
'significant entities':
- active in one of the critical sectors from Annex I
- at least 50 to 250 employees or an annual turnover of 10 to 50 million euros
- or companies with at least 50 employees and activities listed in Annex II of the Directive
- fines of up to €7 million or at least 1.4 percent of annual worldwide turnover
Obligation to report security incidents.
Essential and major entities must report any significant security incident immediately to the appropriate national authorities. In Belgium, this is the Center for Cybersecurity Belgium (CCB). These are incidents that have a serious operational or financial impact on services in the sectors mentioned in the directive. A serious incident is also when it can cause major material, immaterial or physical damage to other natural or legal individuals.
Incident reporting steps
- At the latest within 24 hours: warning with minimal information, including the risk of spread to other sectors or abroad, and any suspicion of malicious intent.
- No later than within 72 hours: complete incident report with all available information.
- An interim report or progress report if requested by the CCB.
- One month after the initial report: a final report. If the incident is not settled by then, an interim report is required after one month and a final report after the incident is completed.
Is my company subject to the NIS2 directive?
The NIS2 Directive is there for both government organizations and commercial businesses. The full list of impacted sectors and all the details are online in Article 2, Article 3, Annex I and Annex II of the published directive. For example, Annex 1 lists the "highly critical sectors," which include energy, transportation, financial market infrastructure, central and regional governments and health care. Critical sectors include waste management, chemicals, manufacturing and research. Companies within the supply chain of those (very) critical sectors must also meet cybersecurity requirements.
Highly critical sectors and subsectors
| Sector | Subsector |
|---|---|
| Energy | Electricity, heating & cooling, gas, hydrogen, oil |
| Transport | By air, rail, water, road |
| Bank | Credit institutions |
| Financial market and infrastructure | Trading platforms, central counterparties |
| Healthcare | Healthcare providers, research laboratories, R&D, pharmaceutical production |
| Drinking water | Drinking water suppliers |
| Wastewater | Only if it is an essential part of the activity |
| Digital infrastructure | Trust services, DNS service providers, name registries, digital communication services, cloud service providers, data center service providers, content delivery network providers |
| ICT service management (B2B) | Managed Service Providers, Managed Security Service Providers |
| Government | Central and regional services, optionally local |
| Aerospace | Ground infrastructure operators |
Other critical sectors and subsectors
| Sector | Subsector |
|---|---|
| Postal and courier services | Providers of postal and courier services |
| Waste management | If it is the main activity |
| Chemical products | Production and distribution |
| Food | Production, processing, and distribution |
| Manufacturing | Medical devices, computers, electronics, optics, electrical appliances, machinery, motor vehicles, trailers, semitrailers, other means of transport |
| Digital services | Online marketplaces, search engines, social networks |
| Research | Research organizations |
Each organization is responsible for itself
It is important to note that the government will not actively communicate to the companies to which the directive applies. Thus, each organization has the responsibility to review the criteria itself and, if necessary, take the appropriate steps to comply with the new requirements.
Severe financial penalties
It remains to be seen how the Belgian government will enact the directive into concrete national legislation. After all, it also has the power to create its own categories or adjust the imposition of fines for government organizations. The directive already mentions severe financial penalties for non-compliance. Given the exponential increase in major cybersecurity incidents and the importance of a good cyber security and compliance policy, it is to be expected that the national interpretation will not be less stringent than the European directive.
It is therefore advisable not to wait until the national legislation comes into force. Similar to the time at which the GDPR regulations came into force, it is important to make the necessary adjustments in a timely manner. This is in the best interest of every organization anyway, because cybersecurity is simply not a luxury.
What is the challenge?
To properly handle this, companies best take measures in several areas:
- avoid security risks to the maximum extent possible,
- mitigate the consequences of potential problems,
- detect and report incidents quickly.
Only in this way are you able to optimize the continuity of your services. This is possible, for example, thanks to proactive 24/7 monitoring and surveillance of your IT systems and network, a solid incident response plan and security awareness training of employees.
Companies in which IT is not part of the core business clearly face a major and complex challenge. Providing all the adjustments and security management yourself requires a lot of investment, not only in software and tools but also in knowledge and processes. And often companies do not have the necessary budgets and/or the specific IT know-how to do this themselves.
Outsourcing responsibility
By outsourcing the responsibilityfor cybersecurity to an ISO 27001-certified Managed Service Provider (MSP) such as Cheops, companies can ensure that they comply with NIS2 regulations quickly in an accessible, cost-effective and flexible manner.
Through Managed Security Services, Cheops guides organizations toward high-performance cybersecurity - from screening and implementation to proactive monitoring and rapid incident response.
With Security Audits, Security Awareness training for employees, 24x7 monitoring by Cheops' Security Operations Center (SOC) and a customized Incident Response Plan, you can be sure you are following all guidelines correctly. This allows you to stay focused on your own business and the growth of your company.
Ready to improve your cybersecurity approach?
Cheops ensures that your IT security is in perfect order, so that you don’t have to worry about anything.