developments concerning NIS2
Download the NIS2 brochure
The NIS2 Directive is a European Union initiative that aims to improve cybersecurity and the resilience of essential services in EU member states. This directive is an extension of the earlier NIS directive and covers more sectors, sets stricter security standards and introduces incident reporting requirements. No surprise, then, that it has become a major topic in many a board meeting.
Most important developments:
- Comprehensive sectoral coverage: The NIS2 Directive will apply to industries and organizations vital to society, such as healthcare, transportation, energy providers, government services, food, water management companies and digital providers.
- Obligations and supervision: Within the NIS2 Directive, entities are required to conduct a risk assessment and, based on that assessment, take appropriate measures to protect their services and information. Incidents that (may) significantly disrupt services must be reported to the supervisor within 24 hours. The NIS2 Directive also provides for monitoring of compliance with its obligations by an independent regulator.
- Transition to national legislation: The EU has adopted the NIS2 Directive and it is now being translated into Dutch law, with details being worked out about which organizations are covered and what the exact obligations will be.
Information sessions and preparation
OpenSight organizes several information sessions that take a deeper look at how the legislation fits together and how it corresponds to other frameworks such as BIO, ISO27001, NEN7510 and NIST. The obligations of the NIS2 directive are largely aligned with existing information security frameworks, which provides an interesting point of reference. OpenSight will begin hosting this session in the first quarter of the new year. Want to receive an invitation when the date of this session is known?
Click here to submit your interest!
From our experience in implementing frameworks, it is good to begin preparations in a timely manner. It takes an average organization about 12 months to implement a new framework to the point where it works well and is part of its daily operations.
NIS2 obligations
The NIS2 Directive imposes several obligations on entities to strengthen cyber security and resilience of essential services in EU member states. A core obligation is the duty of care, which requires entities to conduct their own risk assessment and, based on that assessment, take appropriate measures to safeguard their services as much as possible and protect the information used.
It further introduces a reporting duty for incidents. Entities must report incidents that (may) significantly disrupt the provision of the essential service to the supervisor within 24 hours. Cyber incidents must also be reported to the Computer Security Incident Response Team (CSIRT), which can then provide help and assistance. The factors that make an incident reportable include, for example, the number of people affected by the disruption, the duration of a disruption and the potential financial losses.
Finally, the NIS2 Directive requires oversight of covered organizations. An independent supervisor will be appointed to monitor compliance with the directive’s obligations, such as the duty of care and notification. The exact details of oversight, including which regulator will be responsible for the government sector, are still being determined, with the intention of using existing accountability structures and seeking to harmonize them.
NIS2 brochure
Detailed information about NIS2 can be found in our NIS2 brochure. It can be downloaded at the bottom of this page.