The NIS 2 Directive - How to prepare for it?

The NIS 2 Directive and what it means for your organization 

As technology evolves, so do the threats confronting our digital infrastructure. Therefore, the European Union has enacted the NIS 2 Directive, marking a significant escalation in cybersecurity mandates.  
 

This Directive serves as a critical update to the existing frameworks, aiming to bolster the security of the infrastructure underpinning the EU's economy and societal functions.  

 

What is NIS2?  

The NIS2 Directive, an evolution of the original Network and Information Systems (NIS) Directive implemented by the European Union, represents a significant step forward in strengthening cybersecurity across the EU.  


Aimed primarily at boosting cybersecurity across member states, NIS2 focuses on critical economic and societal sectors, ensuring their resilience against cyber threats.  

NIS2 Directive mandates robust security and reporting obligations for both 'essential' and 'important' entities, with essential entities facing stricter requirements and more frequent scrutiny. You probably meant that important entities face lower fines than essential entities. 
In reality, all penalties have been significant and higher since NIS2.

 

What’s new? 

Building on the foundations of the original Network and Information Systems (NIS) Directive, NIS2 extends its reach and reinforces its requirements, setting a robust framework for both "essential" and "important" entities. This evolution addresses the need for:  
 

  • Enhanced security measures across expanded sectors,  

  • Stringent management of cybersecurity risks,  

  • Immediate incident reporting,  

  • Rigorous supervisory measures by national authorities.  

 

Key enhancements and their impact  

Several strategic enhancements are introduced aimed at strengthening your organization's cybersecurity framework and dedication:  
 

  • Broader scope of application
    Now includes medium and large organizations in the energy, transport, health, and digital infrastructure sectors. 

  • Enhanced security requirements
    Entities must adopt stringent risk management practices and improve their incident response capabilities. 

  • Mandatory incident reporting
    Rapid reporting of significant cybersecurity incidents is essential for timely and effective mitigation. 

  • Stronger supervisory measures
    Increased powers for national authorities to enforce compliance and conduct audits.  

  • Higher fines for non-compliance
    Potential fines have been significantly increased to ensure serious adherence. Essential entities face fines up to €10 million or 2% of annual turnover, and important entities up to €7 million or 1.4%.

  • Focus on supply chain security
    Enhanced requirements to secure all aspects of network and information systems, including third-party services. 

  • Enhanced cooperation among states
    Encourages better information sharing and collaborative efforts among EU Member States.  

 

Nis2

Does NIS2 apply to your organization?  

Now that this Directive has been transposed into law, many Belgian companies risk sanctions if they do not sufficiently protect themselves against hackers and other digital threats. 

Organizations don't know whether they fall under the new rules. 

All institutions and companies with more than 50 employees or an annual turnover exceeding 10 million euros must ensure the security of their network and information systems if they operate in critical sectors for the national economy and security. 

 

There are 18 sectors, including energy, finance, drinking and wastewater, and digital infrastructure.  However, the regulations also cover chemical companies, postal and courier services, and pharmaceutical producers.

 

Essential entities:

  • Banking/Finance: Credit, trade, market, and infrastructure  

  • Digital Infrastructure and IT Services: DNS, name registries, trust services, data centers, cloud computing, electronic communication services, managed services, and managed security services.  

  • Energy: Supply, distribution, transmission, and sale of electricity, gas, oil, heating/cooling, hydrogen, EV charging point operators  

  • Health: Healthcare providers, research laboratories, pharmaceuticals, medical device manufacturing  

  • Public Administration: Central government, regions, local (optional)  

  • Space: Ground-based infrastructure operators  

  • Transport: Air, rail, road, water transport (including shipping companies and port facilities)  

  • Water: Drinking water suppliers and wastewater operators    

Important entities:

  • Chemical Products: Production and distribution  

  • Digital Providers: Online marketplaces, search engines, social platforms  

  • Food: Distribution and production  

  • Manufacturers: Medical/diagnostic devices, computers, electronics, optics, machinery, motor vehicles, trailers, semi-trailers, other transport equipment  

  • Postal and Courier Services    

  • Research Organisations  

  • Waste Management 

Depending on how they are classified under NIS2, companies have until early 2026 to comply with the new regulations. But they are immediately obliged to report any incidents.  

 

How can we help 

INNOCOM can help you determine how the NIS 2 Directive applies to your operations and ensure your organization not only complies but leads in cybersecurity within your sector.  

Determining impact  

We work with you to assess whether you are affected by the NIS2 Directive and gauge your NIS2 readiness.  

  

  • Clarifying responsibilities: Once the groundwork has been laid, we identify shortcomings when meeting requirements under the Directive.  
  • Defining duties: In partnership with you, we identify the measures needed to comply with the directive.  
  • Ensuring business continuity: You need a robust cybersecurity framework in the event of a cyber incident.  
  • Setting up a reporting process: We develop procedures to ensure incidents are properly reported to the authorities.  
  • Ensuring monitoring: We develop constant checks to safeguard your developed measures. 
  • Providing coaching services:  We offer coaching to guide your team through implementing NIS2 compliance strategies, enhancing understanding and capability within your organization.  

Contact us for more info:

Hans Hujoel

Hans Hujoel

Enterprise Security Architect
Profile picture

Frank Souffriau

Enterprise Security Architect

Ook boeiend:

Telenet

The software development lifecycle at Telenet

Lees meer
Domain driven design

Domain-Driven Design at Elia

Lees meer
Art in the Park 2024

This was Art in the Park 2024

Lees meer