The NIS2 Guideline
Check the green boxes for IT Security.
The NIS2 Guideline (Network and Information Security) is the European obligation to have things in order when it comes to Cyber Security and IT management. You protect your organization and prevent costly incidents and fines. Aumatics carries out the NIS2 Quick Scan upon request to comply with the NIS2 Directive as quickly as possible.
Is it time to take steps? Let us know via 'Contact' at the top right. The IT Engineers from Aumatics get to work. With Compliance. Training. Or IT Security. Or whatever it takes to be ready in October 2024.
Register and receive the NIS2 White Paper!
NIS2 Guideline FAQ
Is my organization bound by the NIS2 Guideline?
The answer is: the chances are high. It has now become a directive with an obligation of result, in contrast to the previous directive, which only had an obligation of means. The non-binding character is gone in other respects too. Particular attention is required for managerial positions.
The NIS2 Directive applies to two types of organizations: essential service providers and important service providers. Essential service providers are organizations in the energy, transport, banking, financial market infrastructure, healthcare, drinking water and digital infrastructure sectors. These organizations must comply with the directive in any case. Important organizations fall under the directive above a certain size or nature of activities.
What is the difference between NIS1 and NIS2?
The predecessor of the NIS2 Directive mainly talked about essential infrastructure. Think of energy companies, governments and strategically indispensable companies. In addition, companies could also fall under the NIS rules due to their size.
Time has not stood still. We also see that smaller organizations are attacked more often. Until recently, larger companies were mainly the ones attacked by hackers. Logically: after all, there is a lot to gain from a single successful intrusion.
Those were costly lessons for these companies, and they learned from them by making their IT and OT systems more secure. As a result, the focus of hackers has shifted to medium-sized and smaller companies.
There is another reason for the wider scope of NIS2. Just think what happens if you have your affairs in order, but your supplier is affected. Suppose that supplier takes care of the shipment of your products. Then your customers' address details are out in the open.
The stricter rules are also necessary due to the far-reaching connectivity and interdependence in the Netherlands. Systems, servers and data centers are interconnected, which brings many benefits, but also the risk of infection if things go wrong.
The NIS2 Guideline distinguishes between 2 categories of companies: essential companies and important companies. The essential ones are further divided into critical and very critical sectors.
Why do I have to comply with the NIS2 Directive?
NIS2 aims to improve the cybersecurity of EU member states by requiring providers of essential services and digital service providers to meet certain standards. The NIS2 directive aims to improve the security of networks and information systems and reduce the risk of cyber attacks. Furthermore, failure to comply with the directive can lead to financial and reputational damage, as well as sanctions and fines from the authorities.
The directive revolves around the duty of care, duty to report and supervision. This means that your company must be resilient and adequately protected, that this can be demonstrated with documentation and that companies that help you with it are certified to offer these services. An incident must be reported within 24 hours if it has disrupted continuity, and in other cases this is 72 hours.
After an incident, government services, such as the National Cyber Security Center, will act. In any case, you will have to prepare a report of the events within a month.
What do I need to adapt to my organization's IT to comply?
Organizations must make adjustments to their IT systems to comply with the NIS2 directive. This includes identifying cybersecurity risks, implementing security measures, creating incident response plans and cooperating with authorities.
What do I need to comply with NIS2?
You must properly prepare your organization to comply with the NIS2 directive and have the necessary knowledge, technology and personnel to protect IT systems against cyber threats and respond to security incidents.
Is that already necessary?
No, you do not have to comply with the guideline yet. But yes, you have to get started now. After October 2024 everything should be in order and that is sooner than you think. And the requirements are broadly formulated and stricter, so there is homework. The European directive is currently being incorporated into national legislation. The translation into Dutch law is therefore now in progress. Consultation with companies will start in the autumn.
What does NIS2 say about an incident?
Safety in the field of Cyber Security is of national importance, and a cyber attack can have consequences for society as a whole. Partly for this reason, according to the NIS2 Directive, directors of affected companies are also held jointly and severally liable for mistakes made or lax policies. In any case, the fines have been increased and could amount to millions, or a few percent of the annual profit. So you have some explaining to do if things go wrong.
With this knowledge in mind, it will be clear to you by now: Doing nothing is not an option.