21 May 2024
Robin Vermeij

The impact of the CER & NIS2 directive on your organization

Two major directives on critical and digital infrastructure have recently entered into force, which will significantly improve the EU's resilience against both online and offline threats, ranging from cyber-attacks to crime and risks to public health or natural disasters.

New rules

These new rules are a response to recent threats targeting the EU’s critical infrastructure, attempts that put our collective security at risk. Already in 2020, the Commission presented a proposal to drastically improve EU legislation on the resilience of critical entities and the security of network and information systems.

The directives that have entered into force are:

  • The Directive concerning measures for a high common level of cybersecurity across the Union (NIS 2 Directive)
  • The Directive on the resilience of critical entities (CER Directive)

The European Member States have until the end of 2024 to integrate the directives into their national legislation. Both directives require the implementation of a duty of care and a reporting obligation, which will apply to both public and private organisations in specific sectors.

In this article, we will provide you with an easy-to-understand explanation of the obligations of the CER and NIS2 directives and the sectors to which they will apply. This will give you the opportunity to form an idea of the obligations that you as an organisation may have to meet by the end of 2024.

What is NIS2?

With recent developments in technology, there are increased security risks for our society and economy, especially due to an increase in phishing attempts, malware and ransomware attacks and other cyber threats. To address these challenges, the EU has been working on the Network and Information Security (NIS2) Directive since 2020. It is designed to improve the digital and economic resilience of the member states.

The NIS2 Directive deals with risks that threaten network and information systems, such as cybersecurity risks. The implementation of this directive should contribute to more European harmonization and a higher level of cybersecurity for companies and organizations. The NIS2 Directive is the successor to the first NIS Directive.

NIS2: for whom?

The NIS2 Directive covers sectors that were already covered by the first NIS Directive, but also includes a number of new sectors. This increases the number of public and private organisations covered by the Directive.

The striking difference from the first NIS Directive is that organisations that are active in the sectors listed below and that meet certain size criteria automatically fall under the NIS2 Directive. These criteria classify them as ‘essential’ or ‘important’ entities.

Essential sectors

  • Energy
  • Transport
  • Financial market infrastructure
  • Healthcare
  • Drinking water
  • Digital infrastructure
  • Waste water
  • Government services
  • Space
  • ICT management services
  • Banking

Important sectors

  • Digital Providers
  • Postal and Courier Services
  • Waste Management
  • Food
  • Chemicals
  • Research
  • Manufacturing

Essential entities

These are organisations that are considered critical entities under the CER Directive; they are automatically classified as essential entities under the NIS2 Directive. This category also includes large organisations active in one of the essential sectors.

An organisation is considered large if it meets one of the following criteria:

  • more than 250 employees, or
  • a net turnover of more than €50 million and a balance sheet total of more than €43 million.

Important entities

This category includes medium-sized organisations that are active in sectors that are considered essential or important under the NIS2 Directive. They play an important role in the economic and social stability of the EU, despite not being classified as ‘critical’.

An organisation is classified as medium-sized if it meets one of the following criteria:

  • at least 50 employees, or
  • an annual turnover or balance sheet total of more than €10 million.

What does NIS2 mean for your organization?

If your organization falls under the NIS2 Directive, there are several obligations you must comply with:

  • Duty of care – The NIS2 Directive introduces a duty of care, which requires entities to carry out a risk assessment themselves. Based on this assessment, they must take appropriate measures to ensure the best possible provision of their services and to protect the information they use.
  • Reporting obligation – The NIS2 Directive requires entities to report incidents to the regulatory authority within 24 hours. This concerns incidents that (may) significantly disrupt the provision of essential services. In the event of a cyber incident, this must also be reported to the Computer Security Incident Response Team (CSIRT), which can then provide help and assistance. Criteria that make an incident reportable include, for example, the number of people affected by the disruption, the duration of the disruption and potential financial losses.
  • Supervision – Organizations that fall within the scope of the Directive will also be subject to supervision. This will check whether the obligations of the Directive, such as the duty of care and reporting, are being complied with. It is currently being determined which sectors will fall under which supervisory authority.

Failure to comply with the NIS2 Directive can result in significant fines and reputational damage. It is therefore essential to take the Directive seriously and comply with its requirements.

INBISCO Secure (ISMS) is the all-in-one solution

Via INBISCO-Secure we can record and share the organisation's security principles. The established Information Security strategy outlines the policy and the preconditions for a secure way of working. Taking these preconditions into account, the way of working is recorded in the Information Security Management System (ISMS) by means of processes and work instructions, together with all relevant (policy) documents. Processes and documents are then stored securely in the ISMS and can easily be shared within the organisation.

Monitoring, analysis and improvement (issue management)

The follow-up of the various Information Security files, with their associated actions, can be monitored in a simple manner. Which files are still open? What is the status of the actions, and is their handling proceeding as agreed? These are topics that can be easily managed via the dashboard of our software. All relevant information and documentation is stored centrally and is easy to access and view.

The recorded data can be quickly assessed and analyzed via adjustable reports and graphs. After the analysis, you have direct insight into the improvement opportunities of your organization and the improvement actions can be initiated. This is a recurring process; the security of information is continuously monitored and, if possible, increased.

What is CER?

The Critical Entities Resilience (CER) Directive, introduced at the same time as the NIS2 Directive, aims to improve the resilience of critical entities against physical threats.

This Directive applies to both public and private organisations operating in sectors that are essential for the maintenance of vital societal functions, health, safety, security, economic well-being or social well-being of citizens.

The impact of these new directives can be significant, depending on the size and nature of your organisation. It is therefore essential to have a clear understanding of what they entail and how to meet their requirements.

Which sectors and organisations are covered by the CER Directive?

The Directive covers a variety of sectors, such as energy, transport, healthcare, drinking water supply, digital infrastructure and financial services, among others. Both public sector organisations and private sector institutions within these sectors can fall under the scope of the CER Directive.

It is essential that organisations operating within these sectors are aware of the implications of the CER Directive and implement the required measures to comply with the regulations. This is not only to meet legal requirements, but also to improve the resilience of the organisation and to be able to continue to function in the event of threats.

How can organizations prepare themselves well?

It is crucial for organisations subject to the CER and NIS2 directives to take proactive steps and prepare.

  1. One of the first steps is to understand the full scope of the directive and how it applies to the organization. This includes studying the directive itself, as well as obtaining legal and technical advice as needed.
  2. Next, organizations should conduct risk assessments to identify potential threats and plan measures to address them. This could mean updating their security protocols, upgrading technology, or developing contingency plans.
  3. It is also important to have incident reporting systems in place. Organizations should also be prepared to participate in collaborative assessments to improve their security measures and protocols.
  4. The ultimate goal of this preparation is not only to comply with the CER Directive, but also to strengthen the resilience of the organisation so that it can respond effectively to threats and continue to operate despite potential disruptions.