Perhaps, and hopefully, you are already familiar with the current European Network and Information Security directive (NIS). You may have heard of it before but never had to deal with it. That directive applies specifically to essential companies, such as water companies and telecom companies.
Nowadays NIS is considered insufficient, and so the EU will introduce an updated version: NIS2. Its scope will include ten times as many companies as the current directive. This means there is a good chance that your company will have to comply with this legislation as well, both because more and more companies are being regarded as essential or important, and because the entire supply chain has to be considered.
- The ten sectors classified as essential are energy; transport; banking; financial market infrastructures; health; drinking water; waste water; digital infrastructure; public administration; and space.
- The sectors of postal and courier services; waste management; manufacture, production and distribution of chemicals; food production, processing and distribution; manufacturing and digital providers are regarded as important, and fall within the scope of NIS2 as well.
In May 2022 a political agreement was reached between the European Parliament and the Council of the European Union to approve the new directive. In November 2022 the European Parliament and Council formally approved the directive. From that moment, member states have 21 months to transpose it into national law. Among other things, this means that organizations will have to meet stricter requirements, that there will be stricter supervisory measures, and that sanctions, like reporting obligations, will be harmonized among member states. After all, NIS2 was created to protect data as well as possible in a society undergoing a digital transformation, in which the threat landscape keeps expanding.
Governance & risk management
The need to organize cybersecurity better is greater than ever. For the continuity of business operations it is therefore essential to comply with the NIS2 directive as soon as possible.
The most important steps to take, in order to implement NIS2 within your organization as quickly as possible:
Create an overview of the risks and make them manageable
To start, you will need to set priorities. Ensuring that risks are identified as early as possible, and are made manageable, provides a good basis for protection against cybercrime. Think, for instance, of employee awareness when everyone suddenly started working from home during the pandemic. On Tesorion’s website you will find seven clear basic measures that can be taken, at the lowest possible cost, to get your basic cyber hygiene in order. Remember that the question is not whether you will be struck by ransomware, but when.
Ensure that your organization is aware of the legal obligations
One of the consequences of the adoption of NIS2 is stricter supervision of governance, and failing to implement this directive correctly will have serious consequences. There will be more on-site inspections and audits by supervisors. If these show that organizations are not in compliance with the requirements, hefty fines will be imposed. In addition, much more will be expected of organizations themselves. For instance, organizations have an obligation to notify supervisory authorities when incidents are detected, similar to the GDPR. This notification has to be made within 24 hours, followed by a final report within a month. Even threats will have to be reported.
Besides that, NIS2 forces you to sit down with vendors. After all, what if there is a cyber incident at one of your vendors? Cybercriminals can gain access to your organization via one of your (external) partners’ networks. The way vendors and partners have organized their security therefore has a direct impact on your own security. Here too, risks will have to be identified and agreements will have to be made. Who is responsible for the costs in the case of a cyber incident? This needs to be laid down in contracts.
Because cybersecurity is a specialized subject area, it is advisable to draw up these contractual agreements with the help of a legal service provider that specializes in it.
When the risks have been identified and are being managed, and the legal obligations are clear, it is important to embed the new directive in the organization and to monitor and maintain it continuously. It is very important to create company-wide awareness of NIS2 and its importance to business operations. For a plan to take root in an organization, employees need to see the need for it as well, and to know what is expected of them. Make the risks, consequences and expectations very clear to employees, for example with the help of eLearning. Cybersecurity should be part of the company culture, not a duty imposed on a few employees.
Many changes, huge gain
The introduction of NIS2 will bring many changes with it. The goal, however, is something that will benefit every company: a more secure position in the digital world. Risks will keep growing and could do major damage to your organization’s business continuity or to the organizations in your supply chain. So make sure your organization is prepared for this new directive and the responsibilities that come with it.