Digitalisation makes organisations vulnerable
The world is becoming increasingly digital. Many organisations depend on well-functioning ICT. That is a good thing, because it allows many processes to run faster and more efficiently. At the same time, it makes them vulnerable: what if the systems of a hospital or an energy company go down? That can have a hugely disruptive effect on society. Or think of the personal data that many organisations store. Storing it is often necessary, but nobody wants their data to end up in the wrong hands. In short, digital security is of great importance to the functioning of essential and important sectors.
More digital security with NIS2
To increase digital security, the European Union adopted the NIS Directive (Network and Information Systems Directive) in 2016; member states had to transpose it into national law by 2018. The directive obliges operators of essential services and digital service providers to secure their networks and information systems. With cybercrime continuing to grow and sectors becoming ever more vulnerable, the NIS Directive is now being replaced by NIS2: more organisations are covered (such as government and postal and courier services) and their directors carry more responsibility.
New: duty of care and reporting obligation
In addition to adding new sectors and bringing more service providers within its scope (the complete overview is at the bottom of this article), NIS2 sets stricter security requirements to limit cybersecurity risks. Organisations are given a duty of care: they must thoroughly assess their risks and then take appropriate security measures to mitigate them. For many organisations this means paying more attention to active risk management, which makes risk management an essential part of their strategic and tactical policy. That is a drastic but also promising step, because good risk management drives the success of every organisation. Being more resistant to cyber threats is not only in the interest of citizens and society, but certainly also in the interest of the organisation itself. Organisations are also given a reporting obligation under the new directive: an incident that seriously disrupts (or could seriously disrupt) the provision of an essential service must be reported to the supervisory authority with an early warning within 24 hours of the organisation becoming aware of it, followed by a fuller incident notification within 72 hours and a final report within one month. It is currently being determined who will be the supervisory authority in the Netherlands.
New: joint and several liability of directors
Another important difference from the previous NIS Directive has considerable impact: directors of organisations that fall under NIS2 can be held personally liable for non-compliance. This means that management is directly responsible for identifying risks to the security of networks and information systems and for approving and overseeing appropriate measures. To increase resilience in the area of information security, governance has been added to the directive. Organisations are required to record roles, responsibilities and priorities and to increase their maturity in risk management. It is no longer just about demonstrating compliance with, for example, ISO 27001, BIO (Baseline Information Security Government) or NEN 7510, but about an organisation-wide risk approach. This liability will increase the involvement of directors in risk management, making risk management a core function in the strategic management of organisations.
Preparing for NIS2
Organisations that have already set up their compliance well have a good basis for NIS2. But it is clear that the new directive will bring additional accountability obligations, and therefore more pressure on the management organisation and extra work. For the time being, only the European NIS2 Directive has been published. This already gives a good insight into what is to come. While waiting for the transposition of NIS2 into Dutch legislation, organisations can already think about their governance structure, their risk management processes and the basic security measures described in the NCSC guideline on basic cybersecurity measures. The sooner the security of the organisation's networks and information systems is in order, the better it is for both the organisation and Dutch citizens.
Grip on the entire Governance Risk and Compliance function
Anyone who complies with the ISO 27001 or BIO frameworks has a good starting point for also complying with the NIS2 duty of care. Our customers who use Key Control Dashboard have a head start: they already have grip and control over internal control and the entire Governance, Risk and Compliance function. With Key Control Dashboard, the step to NIS2 accountability is a lot easier. Performing checks, creating reports and reporting incidents are all possible with the ISMS solution. For the time being we are waiting for the Dutch NIS2 law, which is expected to come into effect at the end of 2024. As soon as standards can be distilled from the Dutch legislation around NIS2, we will include them in Key Control Dashboard. If those standards (partly) correspond to those from BIO or ISO 27001, this offers an additional efficiency boost, because an organisation can then perform the control activities once, where possible, and use the results to account for several frameworks. Key Control Dashboard makes it easier to get from policy to execution, also for NIS2. And that is a nice thought for Key Control Dashboard users.
Which organisations fall under the NIS2 directive?
NIS2 distinguishes two categories: essential entities and important entities (in this article: essential and important service providers).
- Essential service providers: organisations that provide services in the sectors energy, transport, banking, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (B2B), government, space and financial market infrastructure, where an interruption of the service could have serious consequences for society.
- Important service providers: postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing, digital providers and research.
Essential service providers are large organisations with at least 250 employees, or an annual turnover of more than 50 million euros and a balance sheet total of more than 43 million euros. Important service providers include medium-sized and large organisations; medium-sized organisations have at least 50 employees, or an annual turnover and balance sheet total of more than 10 million euros. Certain entities count as essential regardless of size, for example providers of public electronic communications networks, qualified trust service providers, top-level domain name registries and DNS service providers, and central government bodies. Essential service providers are subject to stricter supervision than important service providers: essential entities are supervised proactively (ex ante), important entities reactively (ex post), when there is evidence of non-compliance.