The impact of the CER & NIS2 directive on your organization

Two important directives related to critical and digital infrastructure recently came into force, which will significantly improve the EU's resilience against both online and offline threats ranging from cyber-attacks to crime and risks to public health or natural disasters.

These new regulations are a response to recent threats directed against the EU's critical infrastructure, attempts that threatened our collective security. Already in 2020, the Commission had presented a proposal to dramatically improve EU legislation related to the resilience of critical entities and the security of network and information systems.

The directives that came into force are:

  1. The Directive on measures for a high common level of cybersecurity in the Union (NIS 2 Directive)
  2. The Directive on the resilience of critical entities (CER Directive).

What is NIS2?

With recent developments in technology, there are increased security risks to our society and economy, especially due to an increase in phishing attempts, malware and ransomware attacks and other cyber threats. To address these challenges, the EU has been working on the Network and Information Security (NIS2) Directive since 2020. It is designed to improve the digital and economic resilience of member states.

The NIS2 directive deals with risks that threaten network and information systems, in particular cybersecurity risks. Implementing this directive should contribute to more European harmonization and a higher level of cybersecurity among companies and organizations. The NIS2 directive is the successor to the first NIS directive, also known in the Netherlands as the NIB directive, which was transposed into Dutch law through the Network and Information Systems Security Act (Wbni) in 2016.

Who is covered by the NIS2 directive?

The NIS2 Directive covers sectors already covered by the first NIS Directive, but also includes a number of new sectors. This increases the number of public and private organizations covered.

Essential sectors

  • Energy
  • Transportation
  • Financial market infrastructure
  • Healthcare
  • Drinking water
  • Digital infrastructure
  • Wastewater
  • Government services
  • Space
  • Management of ICT Services
  • Banking

Key sectors

  • Digital providers
  • Postal and courier services
  • Waste management
  • Food products
  • Chemicals
  • Research
  • Manufacturing

An important change from the first NIS Directive is that organizations are automatically covered by the NIS2 Directive if they operate in one of the listed sectors and meet the following criteria to qualify as an "essential" or "important" entity.

Essential entities

These are organizations identified as critical entities under the CER Directive and automatically classified as essential entities under the NIS2 Directive. This category includes large organizations operating in one of the essential sectors.

An organization is considered large if it meets one of the following criteria:

  • more than 250 employees, or
  • a net turnover of more than €50 million and a balance sheet total of more than €43 million.

Important entities

This category includes medium-sized organizations operating in sectors considered essential or important under the NIS2 Directive. They play an important role in the economic and social stability of the EU, despite not being classified as "critical".

An organization is classified as medium-sized if it meets one of the following criteria:

  • at least 50 employees, or
  • an annual turnover or balance sheet total of more than €10 million.

What does NIS2 mean for your organization?

If your organization is covered by NIS2, there are several obligations you must meet:

  • Duty of care - The NIS2 directive introduces a duty of care, which requires entities to conduct their own risk assessment. Based on this assessment, they must take appropriate measures to safeguard their services and protect the information they use.
  • Reporting requirement - The NIS2 Directive requires entities to report incidents to the regulator within 24 hours. This covers incidents that (may) significantly interrupt the provision of essential services. A cyber incident must also be reported to the Computer Security Incident Response Team (CSIRT), which can then provide help and assistance. Criteria that make an incident reportable include the number of people affected by the disruption, the duration of the disruption and potential financial losses.
  • Supervision - Organizations that fall within the scope of the directive will also be subject to supervision. This involves monitoring compliance with the obligations of the Directive, such as the duty of care and the reporting requirement. It is currently being determined which sectors will fall under which supervisory authority.

Failure to comply with the NIS2 directive can result in significant fines and reputational damage. It is therefore essential to take these obligations seriously and comply with the requirements.

What is CER?

The Critical Entities Resilience (CER) Directive, introduced at the same time as the NIS2 Directive, aims to improve the resilience of critical entities to physical threats.

This directive applies to both public and private organizations operating in sectors critical to the maintenance of vital societal functions, health, safety, security, economic well-being or social welfare of citizens.

The impact of these new directives can be significant, depending on the size and nature of your organization. It is therefore essential to have a clear understanding of what these directives entail and how to comply with their requirements.

What sectors and organizations are covered by the CER directive?

The directive covers a diversity of sectors, including energy, transportation, healthcare, drinking water, digital infrastructure and financial services, among others. Both government organizations and private entities within these sectors may fall within the scope of the CER Directive.

It is essential that organizations operating within these sectors are aware of the implications of the CER Directive and implement the required measures to comply. This is not only to comply with legal requirements, but also to improve organizational resilience and continue to function in the face of threats.

How can organizations prepare properly?

It is crucial for organizations covered by the CER & NIS2 directive to take proactive measures and prepare.

  • One of the first steps is to understand the full scope of the directive and how it applies to the organization. This includes studying the directive itself, as well as obtaining legal and technical advice if needed.
  • Next, organizations should conduct risk assessments to identify potential threats and plan measures to address them. This could mean updating their security protocols, upgrading technology or developing contingency plans.
  • Furthermore, it is important to have systems in place for incident reporting. Organizations should also be prepared to participate in collaborative assessments to improve their security measures and protocols.
  • The ultimate goal of this preparation is not only to comply with the CER directive, but also to strengthen the organization's resilience so that it can respond effectively to threats and continue to function despite possible disruptions.

INBISCO Secure is the all-in-one solution

Through INBISCO Secure, we can capture and disclose the principles related to security. The established Information Security strategy outlines the policy and preconditions for secure operations. Taking these preconditions into account, the Information Security Management System (ISMS) records the working method by means of processes and work instructions, in combination with all relevant (policy) documents. Processes and documents are stored securely in the ISMS and can easily be shared with the organization.

Want to know what INBISCO Secure can do for your organization?
