Eight Things You Need to Know About NIS2

NIS2 aims to harmonize cybersecurity across all European organizations within vital sectors and create a basic framework for the entire "vital sector." Increasing the resilience of European institutions is crucial due to the rise in cyberattacks and threats from criminal organizations and other malicious actors.

Yes. NIS2 is mandatory for all medium-sized and large organizations within vital sectors in the EU. It is a European directive, and EU member states have until October 17th 2024, to transpose it into national legislation. However, it is now clear that the Netherlands will not meet this deadline. The Minister of Justice has expressed the aim to present a bill to parliament this autumn, but organizations should not wait to implement NIS2.

The following sectors are covered by NIS2:

The duty of care under NIS2 requires organizations to conduct risk assessments and take appropriate measures to manage risks, prevent incidents, and effectively respond if incidents occur. This includes identifying critical business processes/systems and performing risk analyses. Reporting obligations mean institutions must notify their supervisory authority within 24 hours of a significant incident. The institution must also submit an incident report within 72 hours and a final report within one month.

The reporting obligation under NIS2 means that institutions must notify their supervisor of a significant incident within 24 hours. A significant incident is defined in NIS2 as an incident that has a significant impact on the provision of services. What constitutes a 'significant' consequence is unique to each institution. NIS2 does offer institutions the following criteria to determine whether an incident has significant consequences:

• the degree of operational disruption to services or financial losses to the organization
• the number of affected users
• the duration of the incident and
• the geographical scope of the incident

In addition, the institution must submit an incident report to its supervisor within 72 hours. No later than one month after, the institution will submit a final report containing at least the following points about the incident:

• detailed description of incident (severity/consequences)
• root cause
• risk mitigation measures
• possible cross-border consequences
  

The NIS2 is intended to help organizations withstand increasing cyber risks and protect organizations' business operations. Complying with NIS2 is therefore actually something that organizations should want themselves. After all, as an organization you have the intrinsic motivation to achieve social or commercial goals and to handle information from employees, citizens, customers and chain partners properly. From care and respect for your target groups or your own reputation. In addition, doing nothing about NIS2 is not a realistic option. The supervisory authority can impose various sanctions on organizations that do not comply with the guideline, such as imposing fines and holding jointly and severally liable for and temporarily removing directors from office.

The following criteria are taken into account, among other things, for the amount of the sanctions:

• failure to fulfill duty of care
• failure to comply with reporting obligation
• seriousness of infringement
• the duration/repetition of the infringement
• damage caused
• intent or negligence

For the organizations that fall under the NIS2 directive, the directive imposes risk management and reporting obligations. Since the directive has yet to be translated into national legislation, there is currently some uncertainty about the specific obligations that these organizations will face. However, explicit reference is made to the use of existing standards for supervision. However, this does not mean that, for example, ISO27001 or BIO compliance organizations automatically comply with NIS2. In a next blog we will discuss in more detail the specific obligations that organizations face and what additional organizations must do for NIS2 if they already comply with ISO27001 or BIO.

In addition, NIS2 requires a number of measures under Article 21 that organizations must implement as a minimum.

• Policies and procedures for measuring cybersecurity effectiveness (ISMS). A specific elaboration here is having an information security policy for both IT and OT.
• A process must be set up for risk management.
• Setting up awareness campaigns and security awareness training for all staff (including directors). Specific attention is paid to phishing campaigns.
• Securing the continuity of business operations by setting up policies and/or procedures for this purpose.
• Identity and Access Management + MFA (multi-factor authentication) or continuous authentication: authorization rules that determine who has which access to which application/data and determine with additional certainty which identity it concerns.
• Security of the supply chain, in particular identifying suppliers and making agreements with them about the security of their services.
• Monitoring: knowing who is on your network, systems and applications.
• Software updates and patching: removing vulnerabilities.
• Encryption: protect data during transport and storage against unauthorized access or modification.
• Have a policy or process for incident response, possibly supplemented with SIEM/SOC.

NIS2 requires direct involvement of the director for information security. More than set out in previous legislation. The board must be closely involved in themes such as business continuity, risk management and third party management. In addition, directors must demonstrably follow training/education for information security. Directors must be aware of NIS2 and what it requires of the organization. Merely informing the board by memo is no longer sufficient under NIS2.

What supervision will look like in practice is still being worked out. What is known is that a supervisor is appointed for each sector to supervise this specific sector. The organizations within the vital sector are divided into so-called 'essential entities' and 'important entities'.

Essential entities are organizations with at least 250 employees or an annual turnover of €50 million or more and a balance sheet total of more than €43 million. Important entities are organizations with at least 50 employees or an annual turnover and balance sheet total of €10 million or more.

The difference between essential and important entities is that a disruption of services at essential entities usually leads to a greater disruption to our economy and society than a disruption at important entities.

The method of supervision differs for essential entities compared to important entities, and the requirements they must meet do not differ from each other.

Supervisors work proactively at essential entities, periodically checking whether the guideline is being followed. At important entities, supervisors work reactively, with control only taking place once an incident has occurred at the institution.

Want to know more about NIS2? Please contact me at: Nino van Leeuwen or Shankar Sahtie.