By the end of 2024, the new NIS2 directive comes into effect. And, just as with the arrival of the AVG, we mostly hear: "What am I supposed to do with that?" A duty of care, a duty of notification and the risk of fines: the new directive has a major impact on organizations. How do you ensure that this impact is positive rather than negative? In this blog, we discuss what exactly the directive is and how you can prepare your company.
What is NIS2?
The NIS2 directive, or the "Network and Information Security Directive 2," replaces the current NIS directive, implemented in the Netherlands as the WBNI (Wet Beveiliging netwerk- en informatiesystemen). The new directive sets rules for organizations in the European Union, with the goal of increasing resilience against threats posed by hackers and malware. And this is much needed, because the development of cybercrime does not stand still [1].
Who does NIS2 apply to?
Whether your organization must comply with NIS2 depends on its size and its sector. Is your organization 'large' or 'medium-sized' and does it fall within a 'critical sector'? Then you must comply with NIS2. We explain this below.
Your organization is 'large' if it meets one of these conditions:
- 250 employees or more
- An annual turnover of more than 50 million euros and a balance sheet total above 43 million euros
Your organization is 'medium-sized' if it meets one of these conditions:
- 50-249 employees with annual sales of 10 to 50 million euros
- 50-249 employees with a balance sheet total of 10 to 43 million euros
The critical sectors are shown in the table below. Your organization must therefore comply with NIS2 if it falls within one of these sectors and is a 'large' or 'medium-sized' organization.
The exceptions are organizations that do not meet these size criteria but are still considered in scope, such as central government agencies, DNS service providers and providers of public electronic communications networks.
Sectors designated as 'critical sectors'

Central government: NIS2 Self-assessment NL
Not sure if your organization is covered by the directive? The central government has developed a tool to check whether the NIS2 directive applies to your organization: rule-helps-for-businesses.com/NIS-2-NL
What does my company need to comply with?
What is important to know is that, as the board of your organization, you are liable for compliance. Do you fail to comply? Then you risk a fine. Some organizations are actively monitored for compliance with NIS2. Others are monitored reactively, for example when customers report a non-conformity (a situation where something does not meet the required standards). Our security consultants can determine for you which method of supervision applies to your organization.
This is what you should implement in your organization at a minimum:
- Risk analysis
- Incident handling
- Business continuity policy
- Supply chain security (in relationships/suppliers)
- Measuring effectiveness of measures (KPIs).
- Cyber hygiene and staff training
- Policies and procedures on use of cryptography and encryption
- Security aspects regarding personnel, such as access policies and asset management
- Security in acquisition, development and maintenance of network and information systems
- Use of 2FA, secure emergency communication system, etc.
Should an incident occur, it must be reported to the supervisor within 24 hours.
The role of ISO 27001
To make your organization compliant with NIS2, we recommend implementing the ISO 27001 standard. With this standard you not only meet the requirements of NIS2, but at the same time you build a management system (the ISMS) that also maintains all the measures you have taken. Instead of writing a thick policy document to comply with NIS2 and then, let's be honest, filing it away in a drawer, setting up an ISMS gives you a clear process of continuous improvement.
Getting started!
Don't let the impact of NIS2 be negative; instead, see the positive in it. With improved cyber resilience, you can prevent a lot of trouble: less chance of malware infections as well as fines. So take the steps now, so you can sit down to Christmas dinner in 2024 with peace of mind.
[1] https://www.abnamro.nl/nl/zakelijk/insights/cybersecurity/cyberaanval/aantal-bedrijven-getroffen-door-cyberaanval-gestegen-tot-45procent.html

This article was written by Margo Sportel. Do you need help or have any questions? Please feel free to contact her without obligation.