Over the past few years, a range of developments, including COVID-19, issues in Ukraine, cybersecurity threats, and the consequences of climate change, have increasingly jeopardized the safety of our society and economy. In light of these developments, the European Union has been working since 2020 on the Network and Information Security (NIS2) directive. The directive aims to enhance the digital resilience of European Member States.
The NIS2 directive focuses on threats to network and information systems, such as cybersecurity risks. Its arrival is expected to contribute to greater European harmonization and a higher level of cybersecurity in companies and organizations. The NIS2 is the successor of the first NIS directive, also known as the NIB (Network and Information Security), which was incorporated into the Network and Information Systems Security Act (Wbni) in the Netherlands in 2016.
The Implications of the NIS2 Directive for Your Organisation
European Member States have until the end of 2024 to incorporate the directive into national legislation. This involves the implementation of a duty of care and a reporting obligation, which both public and private organizations within certain sectors must adhere to. The sections below summarise the obligations prescribed by the NIS2 directive and the sectors it will apply to, helping organizations visualize the obligations they may have to meet by the end of 2024.
Sectors and Organisations Covered by the NIS2 Directive
The NIS2 directive focuses on sectors already covered by the first NIS directive, as well as several new sectors. Therefore, the number of public and private organizations falling under the directive is set to increase. Organizations in the following sectors will be subject to the NIS2 directive:
- Annex 1 sectors: Energy, Transport, Banking, Infrastructure, Healthcare, Drinking water, Digital infrastructure, and ICT service managers.
- Annex 2 sectors: Wastewater, Government services, Space, ICT service management, Digital providers, Postal and courier services, Waste management, Food, Chemical substances, Research, Manufacturing/production.
Essential and Important Entities
A significant change from the first NIS directive is that organizations automatically fall under the NIS2 directive if they are active in one of the above sectors and can be characterized as ‘essential’ or ‘important’ entities based on the following criteria:
- Essential entities: These are large organizations active in a sector from Annex I of the NIS2 directive. An organization is considered large based on the following criteria: a minimum of 250 employees or an annual turnover of €50 million or more and a balance sheet total of €43 million or more.
- Important entities: These are medium-sized organizations active in a sector from Annex I and medium-sized and large organizations active in a sector from Annex II. An organization is considered medium-sized based on the following criteria: 50 or more employees or an annual turnover and balance sheet total of €10 million or more.
Generally, it is assumed that the disruption of services by essential entities would have a more significant disruptive impact on the economy and society than disruption at important entities. Essential entities fall under a more intensive supervision regime, with both proactive and reactive oversight of compliance with obligations. Important entities are subject to a lighter form of supervision, which only occurs retrospectively, such as in cases where there are indications of non-compliance with the law or an incident has occurred.
Does the NIS2 Directive Apply to SMEs?
Micro and small businesses are not generally covered by the NIS2 directive. However, the minister responsible for a certain sector can still choose to designate a micro or small business based on a risk assessment. For example, if their service is deemed crucial for the Dutch economy or society. In this case, these companies will be informed by the relevant ministry.
Moreover, some micro and small businesses do fall under the NIS2 directive. These are companies active as providers of trust services, as a top-level domain name registry, as domain name registration service providers or as providers of public electronic communication networks or public electronic communication services. These companies are automatically covered by the NIS2 directive. Government agencies from the above sectors are also automatically covered by the NIS2 directive.
Obligations of the NIS2 Directive
- Duty of Care: The directive includes a duty of care that requires entities to carry out a risk assessment themselves. They can then take appropriate measures to protect the information they use and ensure the continuity of their services as much as possible.
- Reporting Obligation: The directive stipulates that entities must report incidents to the regulator within 24 hours. These are incidents that could significantly disrupt the provision of the essential service. In the case of a cyber incident, it must also be reported to the Computer Security Incident Response Team (CSIRT), which then provides assistance and support.
What Can Organisations Expect from the Government?
The NIS2 directive obliges Member States to support critical, essential, and important entities in improving their resilience to digital risks. Essential and important entities must be supported by a CSIRT with advice and assistance. The support from the government can further consist of information exchange, guidelines, and resilience-enhancing instruments, for example, for carrying out a risk assessment.
How Can Organisations Prepare?
Organizations can prepare for the duty of care and reporting obligations imposed by the NIS2 directive by taking the following steps:
Conduct Risk Assessments: Evaluate your network and information systems to identify vulnerabilities and areas that could be improved to mitigate potential threats.
Implement Cybersecurity Measures: Invest in robust cybersecurity tools and measures to secure your networks and data from potential cyber threats.
Train Staff: Offer regular training to all staff members to ensure they understand their roles in cybersecurity and how to spot and respond to potential threats.
Develop Incident Response Plans: These plans should outline the steps your organization will take in the event of a cybersecurity incident, including how to report such incidents within the stipulated time frame.
Continuous Monitoring and Evaluation: Monitor the effectiveness of your cybersecurity measures and regularly review and update them to respond to the evolving threat landscape.
By understanding the requirements of the NIS2 directive and taking proactive steps to meet them, your organization can significantly enhance its cybersecurity readiness and resilience. Furthermore, it will ensure your compliance with this directive, thus avoiding potential penalties and reputational damage.
Given the potential implications and challenges posed by the NIS2 directive, it may be advisable to engage the services of experienced cybersecurity professionals who can guide your organization through the process of achieving compliance.
While the NIS2 directive will impose additional requirements on affected organizations, it is an important step in securing the digital infrastructure and information systems across the EU. Ultimately, these regulations will help to safeguard the integrity, confidentiality, and availability of networks and information systems – which are increasingly vital to our daily lives and economic activities.