The new NIS2 directive, what does it mean for you?

The latest EU policy to improve cybersecurity: what it is and who it applies to.


You may have heard of it: NIS2. The NIS2 Directive (Network and Information Security Directive) is the latest EU policy to improve the collective cybersecurity of the member states, and by the end of 2024 it will actually come into effect. That naturally raises questions. In this blog we discuss what the directive is and what it means for you.

What is NIS2?

NIS2 replaces the current NIS directive, implemented in the Netherlands as the WBNI (Wet Beveiliging Netwerk- en Informatiesystemen). Seven years on, the cyber threat landscape has changed significantly and the old directive no longer met the needs. The NIS2 directive requires all organizations that perform a vital function in society to maintain a high level of cybersecurity, so that they are more resilient against threats posed by hackers and malware.

Does the NIS2 also apply to you?

Do you have more than 250 employees? Then you must comply with NIS2 regardless of sector. For organizations with fewer than 250 employees, it depends on the sector. NIS2 distinguishes two groups here: essential and important. Both are subject to the same cybersecurity management and incident reporting requirements under NIS2. The main difference between essential and important organizations is how compliance is monitored. For essential providers, primarily parties in vital sectors, monitoring is proactive and must be clearly reflected in their processes: regulators will check that these organizations are correctly implementing and complying with the rules. For organizations in important sectors, monitoring is reactive and takes place when there is evidence of a cyber incident.

If your organization falls into one of these groups and has more than 50 employees, or an annual turnover and balance sheet total of at least 10 million, you must also comply with NIS2.

Central government: NIS2 Self-assessment NL

Not sure whether your organization is covered by the directive? The central government has developed a tool to check whether the NIS2 directive applies to your organization: NIS 2 Self-assessment EN (rule aids-for-businesses.com)

What your organization must meet according to NIS2

NIS2 addresses the problems with the previous NIS legislation and tightens the rules. The main problem was the inconsistent way the previous NIS directive was implemented across member states. This made cooperation between countries difficult and undermined the effectiveness of cybersecurity in the EU.

If you are among the organizations required to comply with the NIS2 directive, this is at least what you need to implement:

  • Risk analysis
  • Incident handling
  • Business continuity policy
  • Supply chain security (relationships with suppliers)
  • Measuring the effectiveness of measures (KPIs)
  • Cyber hygiene and staff training
  • Policies and procedures on use of cryptography and encryption
  • Security aspects with regard to personnel, such as access policies and asset management
  • Security in acquisition, development and maintenance of network and information systems
  • Use of 2FA, secure emergency communication system, etc.

The consequences of non-compliance

Should an incident occur, it must be reported to the regulator within 24 hours. It is important to know that, as the board of your organization, you are liable for compliance. If you fail to comply, you risk a fine. These fines are the same as those for AVG violations, which means that NIS2 should be understood in a similar way and taken just as seriously.

Preparing for NIS2

Above all, look at the positive side of NIS2: with better cybersecurity you can prevent a lot of misery, with less chance of viruses and fines. If you have any questions about NIS2, please feel free to contact us.