NIS2: What impact does the new legislation have on your organisation?

From medical devices and food production to courier services and chemical industries, NIS2 requires many more organisations to comply with stricter European cybersecurity rules soon. If your organisation is considered an essential or important entity, you will fall under the scope of the directive. What impact will the relevant obligation have on your organisation?

Far more sectors than NIS1

By 17 October 2024, all EU member states must have incorporated the second Network and Information Security (NIS2) directive into their national legislation. NIS2 covers many more sectors than its 2016 predecessor. Whereas NIS1 applies to a few hundred Belgian organisations, NIS2 will cover several thousand.

The new European directive imposes a range of cybersecurity-related requirements. These apply to essential and important entities, a classification that depends on the sector and the size of the organisation. Below, we explain what this duty means in practice.

'Appropriate and proportionate' security measures

The NIS2 directive imposes a duty of care on your organisation, which means that you must take 'appropriate' and 'proportionate' cybersecurity measures. The aim is threefold: manage risks to your network and information systems, prevent incidents and mitigate the consequences of incidents.

The text of the European directive is not very specific about the required security measures, but it does list seven areas of focus. These include risk analysis policies and appropriate security measures, supply chain security, vulnerability management, employee and organisation awareness and training, and ongoing assessment. In all these areas, according to NIS2, you must follow industry standards. That is, you should take appropriate and proportionate measures: depending on the technology and standards available and in proportion to the risk and cost.

Timely and adequate reporting of incidents

In addition to a duty of care, you also have a duty of notification. This means that you must immediately report any serious incident to the Centre for Cybersecurity Belgium (CCB). This concerns incidents that (may) seriously affect your operational services, that may have a financial impact or where natural or legal persons as third parties (may) be affected by significant material or immaterial damage.

The reporting obligation includes:

1. Immediately making an initial report

Within 24 hours of becoming aware of the incident, you must report it to the CCB. In doing so, you must provide certain basic information about the incident, including the risk of it spreading to other sectors or abroad. You must also state whether malicious intent is suspected.

2. Complete notification within 72 hours

No later than 72 hours after detection, you must submit a full report with all available information. Among other things, you must describe the type of attack, the vulnerabilities identified, all affected systems, services and data, the key times, an assessment of the severity of the impact (not only on yourself, but also on external parties such as customers and suppliers), and the actions taken in response.

3. Final report and interim report

No later than one month after the full report, you must send a final report. In addition to all the points mentioned above, you also include the lessons learned. If the incident is still ongoing at that point, you must submit an interim report instead; the final report then follows once the handling of the incident has been completed.

4. Informing customers

Is it a serious incident that could disrupt the services you provide to your customers? If so, you are also obliged to inform your customers, preferably as soon as possible. Moreover, you should advise them on the steps they can take to minimise the negative effects.

Greater responsibilities for top management

NIS2 explicitly places certain responsibilities on the top management of the essential entities to which it applies. The idea behind this: cybersecurity must become an integral part of strategic business operations, not just a technical or operational problem left to operational managers. Partly through the board's involvement, a culture change should come about in which security is seen as a crucial prerequisite for business continuity.

The following responsibilities for directors flow from NIS2:

  • (co-)defining cybersecurity policies;
  • allocating sufficient resources;
  • deciding on key cybersecurity measures;
  • overseeing the implementation and effectiveness of these measures;
  • attending relevant cybersecurity training courses.

Through continuous training, directors should learn to understand the risks and be able to assess both cybersecurity measures and their potential consequences. Top executives of essential entities may even be held personally liable for non-compliance. NIS2 itself does not provide for a compensation obligation, but third parties who have suffered damage can of course claim compensation for non-compliance with NIS2 obligations.

Firm penalties

Does your organisation fail to comply with the risk management or incident reporting requirements? Then this can lead to fines. Essential entities risk a fine of up to €10 million or 2 per cent of total annual global turnover (whichever is higher). For important entities, it is €7 million or 1.4 per cent.

In addition to financial penalties, the authorities (provided this is included in national legislation) can also impose other measures. For example, they may require your organisation to take specific measures, inform customers or implement an audit.

Thorough preparation: start now

Good to know: you are fully responsible for taking the appropriate (preparatory) measures yourself. The Belgian government provides general information, but it does not actively notify individual organisations that the NIS2 directive applies to them.

Much depends on the maturity of your cybersecurity landscape; becoming compliant usually also requires investment.

Additional cybersecurity measures

For many NIS2-regulated organisations, the first step is a security assessment: how mature is the security landscape and what additional measures are needed? You can commission a security audit or, if you are skilled enough, get started yourself using the CCB's Cyber Fundamentals Framework.

Cost- and time-intensive measures

Some measures you can implement relatively easily and quickly, such as security awareness training. Others involve considerable investment and time, for example setting up a Security Operations Centre or optimising security throughout the supply chain. Consider whether you want to invest in this yourself, for instance by recruiting (cybersecurity) professionals, or whether you would rather outsource it to a Managed Service Provider.

Policies, procedures and processes

A lot of time goes into drawing up policies, procedures and processes, which you lay down in (among others) an incident response plan, a disaster recovery plan and a crisis management plan. We also recommend developing the necessary processes and procedures for, for instance, access control (including authentication and authorisation), logging, supplier management and the regular review of security measures.

Outsourcing: maximum security, minimum effort

The cybersecurity world is evolving rapidly and becoming more complex by the day. If you keep cybersecurity in your own hands, be aware that you depend on the evolution of technology and standards and therefore need to follow it closely. If you outsource this part, that responsibility shifts to the service provider.

Moreover, finding the right cybersecurity professionals is often a hassle: these profiles are in severely short supply on the market. Consequently, many organisations that need to be NIS2-compliant outsource (part of) their cybersecurity to a specialised partner.

Would you like to discover what you still need to do to become NIS2-compliant? Do you need support in implementing concrete measures and procedures? Do you want successfully managed security of your network and IT environment, proactively and 24/7, with cybersecurity professionals at the controls?

Cheops has the knowledge, expertise and tools to guide organisations, however large and critical, through the complexity of NIS2.