NIS2: new legislation set to be game changer in information security and cyber resilience
The NIS2 directive – and the national legislation that will follow – is coming. For your organization this may mean not only that you need to have your own cyber defenses under control, but also that you have obligations towards your supply chain and suppliers. Managers may also be held personally accountable in the event of incidents, and the potential fines are far from insignificant. We’ll tell you all about it on this page.
NIS stands for “network and information systems”. In Europe, the ‘NIS1 directive’ is still in force; in the Netherlands it was transposed into the Network and Information Systems Security Act (in Dutch: Wet beveiliging netwerken en informatiesystemen, Wbni) and specifically aimed at essential businesses, such as water and telecom companies. But that will soon change.
This November, in fact, the NIS2 directive was finally adopted by the European Parliament, which means it can now also be transposed into national legislation. The revised Wbni is expected to be in force from July 2024.
Under NIS1, providers of essential services and digital service providers are already designated by the government and required to take measures for their digital security and to report serious incidents. From July 2024 on, the number of sectors and organizations covered will be greatly expanded, because by then the NIS2 must have been incorporated into the Network and Information Systems Security Act (Wbni).
The NIS is a directive (at the European level), but it will be incorporated into legislation at the national level – and that is usually not a short process.
The NIS1, or rather its transposition into the Wbni, has been in force since 2016, and an update was already proposed in 2020. Just 4 years is not a very long time for political adjustments. At the same time, 4 years is a sea of time in the world of cybersecurity. Digitization is a very dynamic process, and so are the increasing threats that go hand in hand with it. That requires adaptation.
That intended adaptation is now becoming a reality.
The goal of the NIS2 is to increase the digital security of vital providers in the EU with the aim of making the Union as a whole more resilient. It is therefore not just about vital providers, but applies to upstream and downstream partners as well.
The NIS2 has two categories: ‘essential’ and ‘important’ entities. For essential entities, supervision will soon be proactive. The important entities are mainly medium-sized parties, where disruption will not have very serious social or economic consequences, but where chain resilience plays an important role.
NIS2 applies to organizations with more than 50 employees or a turnover of more than 10 million euros. This size threshold does not apply to organizations in certain sectors, such as vital infrastructure, public services and government service providers, or to service providers where a single incident could impact public safety, security or healthcare, or where a single failure could create systemic risks.
Always nice, a mnemonic device. In this case, an ABC that captures the essence of the NIS2 well: Accountability, Business continuity and Corporate governance. In other words, A) responsibility for cyber resilience, B) a plan of action to secure business continuity, and C) oversight of (and compliance with) the measures.
Governing bodies or the boards of essential and important entities must approve the risk management measures taken. They are also responsible for any non-compliance, and for this reason they must monitor compliance. That monitoring also requires appropriate personnel who are properly trained for the task.
In other words, executives no longer get away with being uninvolved in digitalization, and cyber has long since ceased to be the responsibility of IT alone. Indeed, after the cyber attack on Colonial Pipeline in the U.S. last year, that company was eventually sued for consequential damage further down the chain, even though the organization itself was the initial victim.
There is no case law for that type of claim yet, but things are certainly going to change. Which brings us back to the A of accountability. That is about taking sufficient measures, and being able to demonstrate that those measures have been taken. Article 18 (of the Dutch Wbni) contains the minimum measures as well as the general obligation to take appropriate and proportionate technical and organizational measures. Think of policies and procedures (tests and audits) to assess the effectiveness of those measures.
Finally, business continuity is about all the steps and measures taken to ensure continuity of services in case of unforeseen circumstances. There must be a plan for this: an inventory of vulnerabilities and their possible consequences, followed by an approach to deal with them in order to guarantee continuity.
EU member states will soon have the responsibility to ensure that these measures are in place or taken without delay. Which brings us to a very important addition to the ABC: the notification obligations.
Mandatory reporting of incidents to the CSIRT or (other) competent authority will be a key pillar of the NIS2. An incident is defined as an event that compromises “the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the related services offered by or accessible via network and information systems”.
Entities must take “appropriate and proportionate measures to manage the risks to the security of their network and information systems that they use to operate or provide their service”. That includes incident handling, business continuity and supply chain security.
NIS2 in a nutshell: stricter requirements, monitoring & enforcement
Key points at a glance:
- similar to the GDPR, national authorities will have the ability to issue binding instructions or orders, and even fines if organizations fail to comply with the law/directive. Maximum fines run as high as 10 million euros or 2% of global turnover, whichever is higher (nb: it remains to be seen what the Dutch government will actually write into law);
- there will be stricter oversight measures and requirements for enforcement. For example, a company director can be held accountable for demonstrable cybersecurity negligence, resulting in fines. Those fines can run as high as those imposed by privacy watchdogs for violations of the GDPR;
- an organization needs to have an adequate approach to cybersecurity, including appropriate security measures. Standards such as ISO 27001 and NEN 7510 provide a structured interpretation of this. This duty of care means that a digital service provider must take appropriate organizational and technical measures to manage risks to the security of its ICT systems and to reduce the consequences of incidents;
- to ensure that management is sufficiently aware of cyber risks, the NIS2 requires, for example, that governing bodies undergo adequate cybersecurity training. The NIS2 recommends that all employees receive such training, but that is not mandatory. Furthermore, risk management and assessment activities should be conducted so that management is aware of, and has considered, the risks within the organization;
- the notification obligation means that incidents must be reported to the regulator and to the CSIRT (Computer Security Incident Response Team) for digital services. If an organization becomes aware of an incident, it must submit an initial report to the applicable authorities within 24 hours if the incident has disrupted the availability of the services offered, and within 72 hours in all other cases mentioned. In addition, a full incident report must be submitted within one month of the initial report at the latest.
NIS2: is your organization prepared?
Is your organization adequately prepared for the arrival of NIS2, the biggest game changer since the GDPR? The new legislation not only requires that you have your own cyber defenses under control, but also imposes obligations towards your supply chain and suppliers. Directors can also be held accountable in the event of incidents, and the potential fines are far from insignificant.
Would you like to know more about the impact of the NIS2, and especially what you can do to prepare your organization for the changes in the Wbni?
Then feel free to contact us!