The NIS 2 Directive - How to prepare for it?
The NIS 2 Directive and what it means for your organization
As technology evolves, so do the threats confronting our digital infrastructure. Therefore, the European Union has enacted the NIS 2 Directive, marking a significant escalation in cybersecurity mandates.
This Directive serves as a critical update to the existing frameworks, aiming to bolster the security of the infrastructure underpinning the EU's economy and societal functions.
What is NIS2?
The NIS2 Directive, an evolution of the original Network and Information Systems (NIS) Directive implemented by the European Union, represents a significant step forward in strengthening cybersecurity across the EU.
Aimed primarily at boosting cybersecurity across member states, NIS2 focuses on critical economic and societal sectors, ensuring their resilience against cyber threats.
The NIS2 Directive mandates robust security and reporting obligations for both 'essential' and 'important' entities, with essential entities facing stricter requirements and more frequent scrutiny. Penalties under NIS2 are significant and higher than under the original Directive for both categories.
What’s new?
Building on the foundations of the original Network and Information Systems (NIS) Directive, NIS2 extends its reach and reinforces its requirements, setting a robust framework for both "essential" and "important" entities. This evolution addresses the need for:
- Enhanced security measures across expanded sectors,
- Stringent management of cybersecurity risks,
- Immediate incident reporting,
- Rigorous supervisory measures by national authorities.
Key enhancements and their impact
Several strategic enhancements are introduced aimed at strengthening your organization's cybersecurity framework and dedication:
- Broader scope of application: now includes medium and large organizations in the energy, transport, health, and digital infrastructure sectors.
- Enhanced security requirements: entities must adopt stringent risk management practices and improve their incident response capabilities.
- Mandatory incident reporting: rapid reporting of significant cybersecurity incidents is essential for timely and effective mitigation.
- Stronger supervisory measures: increased powers for national authorities to enforce compliance and conduct audits.
- Higher fines for non-compliance: potential fines have been significantly increased to ensure serious adherence. Essential entities face fines up to €10 million or 2% of annual turnover, and important entities up to €7 million or 1.4%.
- Focus on supply chain security: enhanced requirements to secure all aspects of network and information systems, including third-party services.
- Enhanced cooperation among states: encourages better information sharing and collaborative efforts among EU Member States.
Does NIS2 apply to your organization?
Now that this Directive has been transposed into law, many Belgian companies risk sanctions if they do not sufficiently protect themselves against hackers and other digital threats.
Many organizations are still unsure whether they fall under the new rules.
All institutions and companies with more than 50 employees or an annual turnover exceeding 10 million euros must ensure the security of their network and information systems if they operate in critical sectors for the national economy and security.
There are 18 sectors, including energy, finance, drinking and wastewater, and digital infrastructure. However, the regulations also cover chemical companies, postal and courier services, and pharmaceutical producers.
Essential entities:
- Banking/Finance: credit, trade, market, and infrastructure
- Digital Infrastructure and IT Services: DNS, name registries, trust services, data centers, cloud computing, electronic communication services, managed services, and managed security services
- Energy: supply, distribution, transmission, and sale of electricity, gas, oil, heating/cooling, hydrogen; EV charging point operators
- Health: healthcare providers, research laboratories, pharmaceuticals, medical device manufacturing
- Public Administration: central government, regions, local (optional)
- Space: ground-based infrastructure operators
- Transport: air, rail, road, water transport (including shipping companies and port facilities)
- Water: drinking water suppliers and wastewater operators
Important entities:
- Chemical Products: production and distribution
- Digital Providers: online marketplaces, search engines, social platforms
- Food: distribution and production
- Manufacturers: medical/diagnostic devices, computers, electronics, optics, machinery, motor vehicles, trailers, semi-trailers, other transport equipment
- Postal and Courier Services
- Research Organisations
- Waste Management