The NIS2 directive is getting closer. Not on board with the story yet?
We provide a quick summary of what it is and how to prepare.
In December 2022, the European Parliament adopted the NIS2 Directive for the Security of Network and Information Systems to ensure a higher level of cybersecurity in the EU. Think of it as the more technical version of GDPR, which imposed rules around privacy on organizations in Europe. But while GDPR has been widely covered in the media, when it comes to NIS2, companies are still much more in the dark.
Now Belgium is set to introduce new legislation to replace the existing NIS law by Oct. 17, 2024.
What is the NIS2 directive?
NIS stands for network and information systems, and back in 2016, the first NIS directive was published. It was particularly intended for large companies and institutions that perform essential functions within society. The European Parliament has now approved a stricter version of this in the form of new legislation that sets stricter cybersecurity requirements for companies, governments and infrastructure.
That NIS was in need of an upgrade is evidenced by the rate at which the number of cyber attacks is increasing and the impact an incident has on society. The goal of NIS2 is therefore to make organizations more resilient against cyber attacks with the potential to cripple their entire business.
Surely no company can object to that?
For whom?
In addition to sectors already covered by the current NIS directive, new sectors are included in the scope. Anyone providing an essential service to consumers is covered by the new NIS2 law. The big question is what exactly is meant by "essential". Small organizations are exempt, though what counts as "small" remains to be determined.
It is also important to consider the organization's place in the supply chain, because NIS2 applies to the entire supply chain of the "essential" organization. As a result, companies that do not carry out essential activities themselves, but do business with parties that do, are also covered by the new directive.
How do you prepare?
Don't wait until October 2024; start implementing cybersecurity measures now. These are things you can already do yourself to ensure better cyber hygiene:
- Incident management: make sure you are able to detect an incident and know what to do. In many organizations, there is no procedure, or no one is aware of it.
- Incident notification: review your ability to properly preserve and transfer evidence after an incident.
- Continuity: to take the right actions, you need to be able to assess the impact on operations. How dangerous is it when a process is interrupted? How long can you sustain it before the business suffers?
- Access control: who has access to which systems and which data?
- Security awareness: the biggest risk is between the keyboard and the chair. Provide training for your people and make them aware of the dangers so they can actively contribute to increasing the organization's resilience.
- Last but not least, get an external IT partner. We are the experts and will guide you every step of the way!
More info on NIS2 or cybersecurity in general? We are happy to give you advice!