by Gorik Van den Bergh and Frederik Vervoort
In December 2022, the European Parliament adopted the NIS2 Directive on the security of network and information systems to ensure a higher level of cybersecurity in the EU. It is now up to Belgium to introduce new legislation to replace the existing NIS law by 17 October 2024. In this first article, we will focus on the following questions: What is NIS2? Why is NIS2 important? Does NIS2 apply to my organisation? In a second part, we will look at the concrete measures and procedures required.
In 2016, the European Union introduced the Directive on the Security of Network and Information Systems (NIS Directive). This first NIS Directive (NIS1) imposed strict cybersecurity requirements on companies considered essential, such as water, energy and telecoms companies. The European Commission's evaluation of NIS1 found that its scope was too limited and that inconsistencies between Member States hampered its effectiveness. This led to the need for a new NIS Directive, NIS2, which extends the scope.
As our most vital sectors, such as transport, energy, health and finance, become increasingly dependent on digital technologies to carry out their core activities, they also become increasingly vulnerable to cyber threats. Cybersecurity incidents are becoming larger and more complex, and often have serious economic and social consequences. The NIS2 Directive recognises this and places emphasis on taking effective measures to protect network and information systems. These measures aim to reduce your organisation's vulnerability and increase its resilience to cyberattacks.
Some key observations:
More organisations, including SMEs in some sectors, will be required to implement security measures;
More comprehensive requirements will be imposed*:
  Incident management (prevention, detection and response) and incident reporting
  Business continuity and crisis management
  Supply chain security (with a focus on supplier relationships)
  More transparent disclosure and management of vulnerabilities
Cooperation between Member States;
NIS2 classifies organisations according to their importance and divides them into essential and important entities;
NIS2 no longer requires organisations to be either externally audited or ISO 27001 certified. However, as with the GDPR (AVG), organisations will need to be able to demonstrate compliance with the NIS2 regulations to national authorities at any time. National authorities will also have the power to take action to encourage organisations to take appropriate measures. In addition to administrative measures, fines may also be imposed (see below).
*In a future publication we will discuss the requirements in these areas in more detail.
As mentioned above, the NIS2 Directive has not yet been transposed into Belgian law, which may differ from the European Directive. Therefore, the information below is based on the existing NIS2 Directive.
The NIS2 Directive focuses on sectors already covered by the first NIS Directive and some new sectors. Importantly, organisations may automatically be covered by the NIS2 Directive if they are active in one of the sectors listed below and are classified as 'essential' or 'important' according to the criteria:
Essential entities within NIS2 are the large organisations active in a sector listed in Annex I of the NIS2 Directive. Large organisations are those with (1) at least 250 employees, or (2) an annual turnover of at least €50 million, or (3) an annual balance sheet total of at least €43 million.
Important entities within NIS2 are medium-sized organisations active in an Annex I sector and medium-sized and large organisations active in an Annex II sector. Medium-sized organisations are those with (1) at least 50 employees or (2) an annual turnover (or balance sheet total) of at least €10 million.
However, there are exceptions for smaller companies that may also be considered important but do not meet certain size requirements. In addition, some enterprises may be explicitly excluded from the NIS2 by Member States.
Sectors listed in Annex I of the NIS2 Directive
Sectors listed in Annex II of the NIS2 Directive
Under NIS2, organisations can be designated as essential or important; both categories are subject to the same cybersecurity management and reporting requirements. The main difference between the two is the level of compliance oversight: essential entities are subject to a more intensive oversight regime and stricter sanctions.
Member States must effectively ensure that NIS2 entities take the necessary measures and report incidents. They can do this, for example, by carrying out regular external audits and inspections or by requiring certain documents. Organisations that fail to comply with the requirements of NIS2 may be subject to a range of possible sanctions, including fines or administrative penalties of up to €10 million (or 2% of global turnover) for "essential entities" and up to €7 million (or 1.4% of global turnover) for "important entities". Board members may be held personally liable for non-compliance (Article 32.6).
You are not sure if and to what extent you need to be NIS2 compliant?
Do you want to gain more insight into which concrete measures you still need to take to be NIS2 compliant?
Are you unsure of the right approach?
Our experts can advise and, if necessary, assist you in implementing the necessary security measures to become NIS2 compliant.
In our opinions, we rely on current legislation, interpretations and legal doctrine. This does not prevent the administration from disputing them or from changing existing interpretations.