25 Oct 2023
Robin Vermeij

Updates & Tips: Prepare for the NIS2 Directive

The date for the NIS2 Directive has been set for 17 October 2024. EU member states have until then to transpose the directive into national laws and regulations. In other words, organizations also have until then to prepare. In this blog, we list the latest updates and tips for preparing.

Who is NIS2 for?

The NIS2 Directive, the new EU cybersecurity legislation, will come into effect on the 17th of October 2024. The directive applies to a wide range of organizations, including:
  • Organizations that provide critical services, such as energy, water and transport
  • Organizations that process large amounts of personal data
  • Organizations that provide online services
These organizations are divided into essential and important entities. Our previous blog ‘The impact of the CER & NIS2 directive on your organisation’ explains in detail which sectors fall into which category. Even if your organization does not meet the criteria of an essential or important entity, it is still possible that you fall under the directive.
Organizations that are part of the core process of the supply chain of an essential or important organization must also comply with the NIS2 directive. This is to prevent cyber attacks from reaching an essential or important organization via chain partners.
Although the NIS2 directive mainly focuses on large and medium-sized organizations, a number of small and micro-enterprises will also have to comply with it. These are companies that play an important role in the infrastructure of the internet and are therefore strategic targets for cyber attacks. Furthermore, an organization can also be designated by the ministry responsible for its sector to comply with the NIS2 directive, even if it does not meet the above criteria.
Under the first NIS directive, the ministry responsible for the sector explicitly stated whether an organization fell under it. Under the NIS2 directive, with a few exceptions, this will no longer happen. It is therefore important to establish in advance whether your organization will have to follow the directive and the associated legislation and regulations. It is the organization’s own responsibility to comply with the directive.

What does NIS2 mean for an organization?

The NIS2 directive requires these companies to take a number of measures to improve their cybersecurity. These measures include:

  • Implementing a risk management process
  • Creating an incident response plan
  • Sharing information about cybersecurity incidents
Organizations that do not comply with the NIS2 directive can face significant fines. In serious cases, these fines can include a minimum of €10 million or 2% of annual global turnover for essential organizations and a minimum of €7 million or 1.4% of annual global turnover for important organizations.
The transition from NIS to NIS2 also has important implications for directors. They are now personally liable for any damage caused by a cyber incident resulting from a breach of the NIS2 directive. It is the responsibility of directors to implement the measures within their organization.
Another difference from the first NIS directive is proactive supervision. Essential organizations must prepare for proactive checks that verify whether they comply with the directive. Important organizations will be checked only if there is a clear reason for this, such as after a serious cyber incident.
Organizations under the NIS2 directive can expect support from the government in various areas. The directive stipulates that EU member states must offer organizations advice and support from a Computer Security Incident Response Team (CSIRT). This can also consist of information exchange and guidelines.

What can you do now?

The NIS2 directive is an important development in the field of cyber security. In order to comply with the directive, it is important to start preparing now, especially because organizations are automatically covered by the NIS2 directive and are no longer explicitly designated by a ministry, as was the case with the first NIS directive.

Risk analysis
It is useful to start by inventorying and assessing the existing risks. This helps to gain insight into the vulnerabilities of the organization and to take appropriate measures. A risk analysis consists of three steps:

Step 1: Identifying your risks

A risk analysis starts with identifying all risks in the organization. Take into account both internal and external factors, such as the chance of a data breach but also possible problems with a supplier. Involve employees from different departments for a complete picture.

Step 2: Evaluate your risks

The second step is to evaluate the likelihood and impact of each risk. This can be done based on two factors:
  1. The chance that the risk will occur;
  2. The impact of the risk if it does occur.

Step 3: Manage your risks

The third step is to manage the risks. Create an action plan that sets out the measures and resources for each risk. Think of organizational, technical and human measures. An example of an organizational measure is requiring strong passwords and two-factor authentication. Technical measures relate to the security of IT systems and infrastructure. Human measures include employee training, for example.
Prevention is better than cure, but also prepare for what needs to happen if a risk does occur. It can help to work out scenarios so that it is clear which steps need to be taken and who is responsible for what.

Other options:

Other steps that can already be taken are:
  • Budgeting for the possible measures that need to be taken;
  • Inventory of all network and information systems that are used;
  • Increasing cyber awareness among staff, for example by holding a workshop on phishing or sharing tips for cybersecure behavior.

INBISCO helps with the preparation

A solid information security management system helps you to comply with the directive. INBISCO’s ISMS can help to map risks, implement measures and ensure compliance.
INBISCO customers use the ISMS for, among other things:
  • Protection of information;
  • Compliance with regulations;
  • Risk management;
  • Improving business reputation;
  • Business continuity;
  • Efficiency.
The ISMS records working methods and processes together with the relevant documents. The next step is to manage this working method. This is done by collecting data about the possible threats present and their consequences. The recorded data can then be converted into actions that are assigned to and carried out by employees. The data can also be converted into reports and graphs so that they can be easily assessed and analysed.
Do you want to know how INBISCO can help you to comply with the NIS2 directive? Then request a free one-on-one meeting with our Security Officer, Maureen de Raad. In half an hour she can help you to identify the best steps for your organization in the field of cybersecurity and in preparing for the directive.