GDPR & Cybersecurity
21 September 2023

The new NIS2 cybersecurity directive: how to get started?

by Gorik Van den Bergh and Frederik Vervoort

In December 2022, the European Parliament adopted the NIS2 Directive on the security of network and information systems to ensure a higher level of cybersecurity in the EU. It is now up to Belgium to introduce new legislation to replace the existing NIS law by 17 October 2024. In this first article, we will focus on the following questions: What is NIS2? Why is NIS2 important? Does NIS2 apply to my organisation? In a second part, we will look at the concrete measures and procedures required.

What is the NIS2 Directive?

In 2016, the European Union introduced the Directive on the Security of Network and Information Systems (NIS Directive). This first NIS Directive (NIS1) imposed strict cybersecurity requirements on companies considered essential, such as water, energy and telecoms companies. An evaluation of NIS1 by the European Commission found that its scope was too limited and that there were inconsistencies between Member States, which hampered its effectiveness. This led to the need for a new NIS Directive, NIS2, which extends the scope to more sectors and more organisations.

Why is the NIS2 Directive important?

As our most vital sectors, such as transport, energy, health and finance, become increasingly dependent on digital technologies to carry out their core activities, they also become increasingly vulnerable to cyber threats. Cybersecurity incidents are becoming larger and more complex, and often have serious economic and social consequences. The NIS2 Directive recognises this and places emphasis on taking effective measures to protect network and information systems. These measures aim to reduce your organisation's vulnerability and increase its resilience to cyber attacks.

What's new about NIS2?

Some key observations:

  • More organisations, including SMEs in some sectors, will be required to implement security measures;

  • More comprehensive requirements will be imposed*:

  1. Risk management

  2. Incident management (prevention, detection and response) and incident reporting

  3. Business Continuity and Crisis Management

  4. Supply chain security (with a focus on supplier relationships)

  5. More transparent disclosure and management of vulnerabilities

  6. Cooperation between Member States;

  • The NIS2 classifies organisations according to their importance and divides them into essential and important entities;

  • NIS2 no longer requires organisations to be either externally audited or ISO 27001 certified. However, as with the GDPR (AVG), organisations will need to be able to demonstrate compliance with the NIS2 rules to the national authorities at any time. National authorities will also have the power to take action to encourage organisations to take appropriate measures. In addition to administrative measures, fines may also be imposed (see below).

*In a future publication we will discuss the requirements in these areas in more detail.

Does the NIS2 Directive apply to my organisation?

As mentioned above, the NIS2 Directive has not yet been transposed into Belgian law, and the Belgian law may differ from the European Directive. The information below is therefore based on the text of the NIS2 Directive itself.

The NIS2 Directive focuses on sectors already covered by the first NIS Directive and some new sectors. Importantly, organisations may automatically be covered by the NIS2 Directive if they are active in one of the sectors listed below and are classified as 'essential' or 'important' according to the criteria:

Essential entities

Essential entities within NIS2 are the large organisations active in a sector listed in Annex I of the NIS2 Directive. Large organisations are those with (1) at least 250 employees, or (2) an annual turnover of at least €50 million, or (3) an annual balance sheet total of at least €43 million.

Important entities

Important entities under NIS2 are medium-sized organisations active in an Annex I sector, and medium-sized and large organisations active in an Annex II sector. Medium-sized organisations are those with (1) at least 50 employees, or (2) an annual turnover (or balance sheet total) of at least €10 million.

Exemptions

However, there are exceptions: some smaller companies that do not meet the size thresholds may nevertheless be designated as important entities. Conversely, Member States may explicitly exclude certain enterprises from NIS2.

Annex I sectors

  • Energy
  • Transport
  • Banking
  • Financial infrastructure
  • Healthcare
  • Drinking water
  • Digital infrastructure
  • ICT service management
  • Waste water
  • Government services
  • Space

Annex II sectors

  • Digital providers
  • Postal and courier services
  • Waste management
  • Food products
  • Chemical products
  • Research and development
  • Manufacturing industry

Under NIS2, organisations can be designated as essential or important entities, and both categories face the same cybersecurity management and reporting requirements. The main difference between the two is the level of compliance oversight: essential entities are subject to a more intensive oversight regime and stricter sanctions.

The Centre for Cybersecurity Belgium (CCB) has developed a scoping tool to determine whether your organisation falls within the scope of the Belgian NIS2 law.
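To make the scoping rules above concrete, here is an added example, written for this article and not the CCB scoping tool or any official code, that encodes the article's own criteria: the sector lists from the two annexes and the employee/turnover/balance-sheet thresholds exactly as quoted. The sector labels, the organisation record and the result strings are assumptions of the example; the final Belgian law may set different rules, and the "out of scope" results are preliminary because the article notes that smaller companies can still be designated important and that Member States can add exemptions.

```python
"""Illustrative NIS2 scoping check based on the criteria quoted in this article.

Added example: not the CCB scoping tool and not legal advice. Sector labels and
thresholds are taken from the article; anything else is an assumption.
"""
from dataclasses import dataclass
from enum import Enum


class Annex(Enum):
    I = "Annex I"
    II = "Annex II"


# Constructed lookup built from the two sector lists in this article.
SECTOR_ANNEX = {
    "energy": Annex.I,
    "transport": Annex.I,
    "banking": Annex.I,
    "financial infrastructure": Annex.I,
    "healthcare": Annex.I,
    "drinking water": Annex.I,
    "digital infrastructure": Annex.I,
    "ict service management": Annex.I,
    "waste water": Annex.I,
    "government services": Annex.I,
    "space": Annex.I,
    "digital providers": Annex.II,
    "postal and courier services": Annex.II,
    "waste management": Annex.II,
    "food products": Annex.II,
    "chemical products": Annex.II,
    "research and development": Annex.II,
    "manufacturing industry": Annex.II,
}


@dataclass(frozen=True)
class Organisation:
    """Assumed minimal record: the three figures the size thresholds depend on."""
    sector: str
    employees: int
    turnover_eur: int
    balance_sheet_eur: int


def size_class(org: Organisation) -> str:
    """Return 'large', 'medium' or 'small' using the thresholds quoted in the article.

    The article joins its criteria with 'or', so meeting any single threshold
    is enough to reach that size class.
    """
    if (org.employees >= 250
            or org.turnover_eur >= 50_000_000
            or org.balance_sheet_eur >= 43_000_000):
        return "large"
    if (org.employees >= 50
            or org.turnover_eur >= 10_000_000
            or org.balance_sheet_eur >= 10_000_000):
        return "medium"
    return "small"


def classify(org: Organisation) -> str:
    """Map an organisation to 'essential', 'important' or a preliminary out-of-scope result."""
    annex = SECTOR_ANNEX.get(org.sector.strip().lower())
    if annex is None:
        return "out of scope (sector not listed)"
    size = size_class(org)
    if size == "small":
        # The article notes smaller companies may still be designated important
        # and that Member States may add exemptions, so this is only preliminary.
        return "out of scope (size), subject to national exceptions"
    if annex is Annex.I and size == "large":
        return "essential"
    # Medium-sized in Annex I, or medium/large in Annex II.
    return "important"


if __name__ == "__main__":
    samples = [
        Organisation("energy", 300, 20_000_000, 15_000_000),
        Organisation("Energy", 60, 5_000_000, 4_000_000),
        Organisation("postal and courier services", 400, 80_000_000, 60_000_000),
        Organisation("retail", 1_000, 90_000_000, 70_000_000),
    ]
    for org in samples:
        print(f"{org.sector:30} {size_class(org):7} -> {classify(org)}")
```

The two functions are deliberately separate: `size_class` is the part most likely to change once the Belgian transposition is published, while `classify` captures the annex-by-size matrix the article describes, so either can be updated without touching the other.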

Can sanctions be imposed?

Member States must effectively ensure that NIS2 entities take the necessary measures and report incidents. They can do this, for example, by carrying out regular external audits and inspections or by requiring certain documents. Organisations that fail to comply with the requirements of NIS2 may be subject to a range of sanctions, including fines or administrative penalties of up to €10 million (or 2% of global turnover) for essential entities and up to €7 million (or 1.4% of global turnover) for important entities. Board members may be held personally liable for non-compliance (Article 32.6).

[Figure: NIS2 Compliance Journey (Vandelanotte)]

How can we help you at Vandelanotte?

  • Are you unsure whether, and to what extent, your organisation needs to be NIS2 compliant?

  • Do you want to gain more insight into which concrete measures you still need to take to be NIS2 compliant?

  • Are you unsure of the right approach?

Our experts can advise you and, if necessary, assist you in implementing the security measures needed to become NIS2 compliant.

Want to know more about your organisation's cybersecurity compliance? Contact us at Gorik.vandenbergh@vdl.be or cyber@vdl.be.


Gorik Van den Bergh, Certified Information Systems Auditor, Gorik.VandenBergh@vdl.be

Frederik Vervoort, Managing Consultant, frederik.vervoort@vdl.be

Disclaimer
In our opinions, we rely on current legislation, interpretations and legal doctrine. This does not prevent the administration from disputing them or from changing existing interpretations.
