What is NIS2?
NIS2 is the EU's second Network and Information Security directive and the successor to the first NIS directive (NIS1, transposed into Dutch law in 2018). The new directive has a broader scope and brings many more organizations under its rules. Although it is called a directive, it is in effect an instruction from the EU to its member states (including the Dutch government) to implement its requirements in national legislation.
When does NIS2 take effect?
The Council of the EU adopted the NIS2 Directive in November 2022. An internet consultation on the Dutch draft bill starts in the autumn of 2023, during which anyone can provide feedback. Member states must have transposed the directive into national law by 17 October 2024, so NIS2 is expected to take effect in the Netherlands in the autumn of 2024.
Who needs to comply with NIS2?
The NIS2 directive applies to the following types of organizations within the EU:
Essential and important organizations:
- Essential organizations: these include utilities such as energy and water companies, financial institutions, public services such as hospitals and government agencies, transport services such as aviation and rail, and communication services such as telecom providers.
- Important organizations: these are companies that provide critical services to essential organizations, companies that process the data of a large number of people, and companies that manage important infrastructure, such as water pipes and electricity grids.
- Large organizations:
  - at least 250 employees, OR
  - an annual turnover of more than 50 million euros and a balance sheet total of more than 43 million euros.
- Medium-sized organizations:
  - at least 50 employees, OR
  - an annual turnover and balance sheet total of more than 10 million euros.
It is important to note that micro and small companies are in principle not covered by the NIS2 directive. In exceptional cases, based on a risk assessment by the responsible minister, such companies may still fall under the directive if their services are critical to the economy or society. The directive also applies regardless of size to micro and small companies active in specific sectors, such as:
- Trust service providers (electronic seals/signatures)
- Top-level domain name registries (.nl/.com/.org)
- Domain name registration service providers
- Providers of public electronic communications networks and services
- Small private disability care institutions
The Ministry has developed a tool that allows organizations to check whether they fall under this directive.
What does the NIS2 include?
There will be a register in which organizations must register, managed by the National Cyber Security Centre (NCSC). The NIS2 directive imposes a duty of care consisting of 10 measures, which the Ministry still needs to work out in more detail:
- Risk analysis: perform a thorough risk analysis to identify and assess the cyber risks to the organization, and base your information security policy on it.
- Incident handling: detect and handle incidents, and report significant cyber incidents to, among others, the national CSIRT and the supervisory authority.
- Business continuity: set up backup management, disaster recovery, emergency plans and crisis management.
- Supply chain security: set stricter requirements for suppliers and perform supplier reviews.
- Network and information systems: build security into the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.
- Measuring the effectiveness of measures: measure and monitor the measures taken, record the results and evaluate whether they have the desired effect.
- Cyber hygiene and training: the organization's board is responsible for cybersecurity, not just the IT department (as is often the case now). Make sure management is trained for this role and that staff receive basic cyber hygiene training.
- Cryptography and encryption: establish policies and procedures for the use of cryptography and, where appropriate, encryption.
- Personnel security, access control and asset management: think of access policy, staff screening and asset management.
- Using MFA: use multi-factor authentication or continuous authentication solutions, secure voice, video and text communications, and secure emergency communication systems.
How do you comply with the NIS2?
Organizations can take various steps to comply with the NIS2 directive:
- Cybersecurity expertise: hire a cybersecurity expert to assess the directive against your organization and develop a plan to meet the requirements.
- Implementation of measures: implement appropriate information security measures, such as a security policy, an incident management plan and a continuity plan. Following the ISO 27001:2022 standard is highly recommended.
- Reporting incidents: report significant incidents to the organization's supervisory authority and CSIRT (Computer Security Incident Response Team). The directive prescribes a staged notification: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours and a final report within one month. The thresholds for what counts as significant are still being worked out in more detail. In addition, there will be a central reporting desk. The obligation to report personal data breaches to the Dutch Data Protection Authority (AP) remains in force.
- Regular evaluation: perform regular tests and exercises to assess the effectiveness of the cybersecurity measures taken.
Consequences of not complying with NIS2
Failure to comply with the NIS2 directive can have serious consequences, including:
- Warning: first, a non-compliance warning is issued.
- Binding instruction: in case of persistent non-compliance, the supervisory authority can issue a binding instruction to remedy the deficiencies.
- Fines: as a final sanction, fines can be imposed of up to 10 million euros or 2% of the worldwide annual turnover, whichever is higher, for essential organizations (up to 7 million euros or 1.4% for important organizations).
Attention! The consequences can be even more serious if your organization falls victim to a hack and confidential information is exposed, which can also lead to liability claims.
Do you comply with the NIS2 if you are ISO27001 or NEN7510 certified?
No, being ISO 27001 or NEN 7510 certified does not guarantee that you comply with NIS2. Although there is a large overlap, NIS2 has additional requirements that are not included in these standards.
- ISO 27001 is an international standard for information security management systems. It sets general requirements for implementing an information security policy and management system that are very similar to the requirements of NIS2.
- NEN 7510 is a Dutch standard for information security in the healthcare sector. It sets specific requirements for the security of personal data in healthcare.
The NIS2 sets additional requirements for essential and important organizations such as:
- Reporting major cyber incidents to the national cybersecurity authority.
- Performing regular tests and exercises to evaluate cyber security measures.
The new NIS2 directive puts more emphasis on risk management, supplier management and incident management. The ISO 27001 framework offers a good foundation for exactly these areas, and the additional NIS2 requirements can readily be added on top of it. This way your organization runs a single, effective Information Security Management System (ISMS).
Need help?
Need help implementing the ISO 27001 standard and the additional requirements needed to comply with NIS2? Schedule a free introductory meeting or call: