
NIS2 guideline: what does management need to know?


At a time when cyber threats are becoming increasingly advanced, the European Union introduced the NIS2 Directive as a measure to strengthen the cybersecurity and digital resilience of EU member states. As a successor to the original NIS directive, NIS2 brings with it some new obligations and challenges that require immediate management attention within organizations. This article highlights the key points of NIS2 and what top management needs to know to ensure compliance and optimal preparation.

Comprehensive sectoral coverage

The NIS2 directive is no longer limited to the traditionally vital sectors such as energy, transportation and healthcare, but now also extends to other sectors, including government and digital service providers. This means that a much wider range of organizations now falls within its scope and must comply with the new cybersecurity standards.

Supply Chain Responsibility

Companies covered by NIS2 must also take measures to ensure the security of their suppliers and partners. We call this supply chain responsibility. This could have a major impact on the suppliers to these sectors. In practice, we expect that under NIS2 these sectors will place more requirements on their suppliers and that security will become a test criterion in procurement.

Obligations

Core obligations under NIS2 include a duty of care and a duty to report incidents. Organizations are required to conduct their own risk assessment and, based on that assessment, take appropriate measures to protect their services and information. Incidents that (may) significantly disrupt service delivery must be reported to the supervisory authority within 24 hours. Furthermore, cyber incidents must also be reported to the CSIRT, which can provide help and assistance.

Supervision and enforcement

The NIS2 Directive provides for independent monitoring of compliance with its obligations. It is important for management to understand who the regulators are and how enforcement will be implemented in practice, including the potential fines and penalties for noncompliance.

Preparing for NIS2

Preparation is critical to complying with the NIS2 directive. This includes updating existing cybersecurity policies and procedures, strengthening incident response plans, and ensuring sufficient resources and expertise to meet the obligations. The basis for preparing for NIS2 can be found in existing information security frameworks, such as the Government Information Security Baseline (in Dutch: Baseline Informatiebeveiliging Overheid, or BIO) for government agencies.

Communication and training

The people in your organization are one of the most important factors in preventing successful cyber attacks. It is therefore essential that management ensures broad awareness and understanding of the NIS2 obligations within the organization. This can be achieved through training, information sessions and ongoing communication about the changes brought about by NIS2.

In short…

The NIS2 directive brings new obligations and challenges that require a proactive approach from management. A thorough understanding of the directive, its obligations and the potential consequences of noncompliance is critical to ensuring cyber resilience and minimizing risk. By taking action now and creating a solid plan, organizations can position themselves to not only comply with the NIS2 directive, but also to strengthen their overall cyber security posture in light of the evolving cyber threat landscape.

NIS2 brochure

Detailed information about NIS2 can be found in our NIS2 brochure. It can be downloaded at the bottom of this page.
