The NIS2 Guideline

The predecessor of the NIS2 Directive mainly talked about essential infrastructure. Think of energy companies, governments and strategically indispensable companies. In addition, companies could also fall under the NIS rules due to their size.

Time has not stood still. We also see that smaller organizations are attacked more often. Until recently, larger companies were mainly attacked by hackers. Logically. After all, there is a lot to achieve with 1 successful attempt at intrusion.

Those were costly lessons for these companies and they learned from them by making their IT systems and OT more secure. As a result, the focus of hackers has shifted to medium-sized and smaller companies.

There is another reason for the wider scope of NIS2. Just think what happens if you have your affairs in order, but your supplier is affected. Suppose that supplier takes care of the shipment of your products. Then the address details of your customers are on the street.  

The stricter rules are also necessary due to the far-reaching connectivity and solidarity in the Netherlands. Systems, servers and data centers are interconnected, which brings many benefits, but also the risk of infection if things go wrong.

The NIS2 Guideline distinguishes between 2 categories of companies: essential companies and important companies. The essential ones are further divided into critical and very critical sectors.  

NIS2 aims to improve the cybersecurity of EU member states by requiring providers of essential services and digital service providers to meet certain standards. The NIS2 directive aims to improve the security of networks and information systems and reduce the risk of cyber attacks. Furthermore, failure to comply with the directive can lead to financial and reputational damage, as well as sanctions and fines from the authorities.

The directive revolves around the duty of care, duty to report and supervision. This means that your company must be resilient and adequately protected, that this can be demonstrated with documentation and that companies that help you with it are certified to offer these services. An incident must be reported within 24 hours if it has disrupted continuity, and in other cases this is 72 hours.

After an incident, government services, such as the National Cyber ​​Security Center, will act. In any case, you will have to prepare a report of the events within a month.

Organizations must make adjustments to their IT systems to comply with the NIS2 directive. This includes identifying cybersecurity risks, implementing security measures, creating incident response plans and cooperating with authorities.

You must properly prepare your organization to comply with the NIS2 directive and have the necessary knowledge, technology and personnel to protect IT systems against cyber threats and respond to security incidents.

No, you do not have to comply with the guideline yet. But yes, you have to get started now. After October 2024 everything should be in order and that is sooner than you think. And the requirements are broadly formulated and stricter, so there is homework. The European directive is currently being incorporated into national legislation. The translation into Dutch law is therefore now in progress. Consultation with companies will start in the autumn.

Safety in the field of Cyber ​​Security is of national importance. And a cyber attack can have consequences for society as a whole. Partly for this reason, bAccording to the NIS2 Directive, directors of affected companies are also held jointly and severally liable for mistakes made or lax policies. In any case, the fines have been increased and could amount to millions. Or a few percent of the annual profit. So you have some explaining to do if things go wrong. 

With this knowledge in mind, it will be clear to you by now: Doing nothing is not an option.