
NIS2: new European directives for cyber security


The second Network and Information Security directive (NIS2) entered into force in January 2023 and must be transposed into the national law of every EU member state. The directive has major implications for companies and organizations in Europe, including the Dutch business community, because it applies to a far wider range of sectors than the vital sectors covered by its predecessor, NIS.

It is important that companies comply with NIS2. Not only to avoid the fines, which for essential entities can reach 2% of worldwide annual turnover or EUR 10 million, whichever is higher, but above all to ensure digital security and prevent cyber attacks. NIS2 requires companies and organizations to raise their digital security to a higher level and to keep pace with the growing threat of cybercrime.

On this page (and in more detail in the brochure at the bottom of this page) you can read what NIS2 entails, which sectors it covers, what the consequences of non-compliance are and how to prepare for NIS2 as a company or organization.

What’s NIS?

The NIS directive (adopted in 2016, and in effect in the Netherlands since 2018) was the first EU-wide cybersecurity legislation. Its purpose is to ensure a common level of security for network and information systems across the European Union. It does this by requiring member states to ensure that organizations in the covered sectors take appropriate security measures that reduce the risk of cyber attacks and limit their consequences.

NIS focuses on companies and organizations operating in vital sectors such as energy, transportation, healthcare and financial services: sectors that are critical to keeping the economy and society running and therefore need a higher level of security.

Another goal of the NIS is to strengthen cooperation among EU member states on cyber security. The directive requires member states to designate a national NIS authority and have it cooperate with other European authorities.

In short, the purpose of the NIS directive is to improve the cyber security of the EU’s vital sectors and to strengthen cooperation among member states in the field of cyber security. With the increase in cyber attacks, however, NIS no longer appears to provide sufficient protection. In December 2020 the European Commission therefore proposed NIS2 as part of its new EU Cybersecurity Strategy; the directive was adopted in December 2022.


Difference between NIS and NIS2

Whereas NIS focuses on large enterprises in vital sectors, NIS2 goes well beyond that, which means it will have a major impact on the European business community. NIS2 rests on three pillars of security:

  • Security risk mapping;
  • Protection and detection to mitigate risks;
  • And mitigating the consequences of cyber incidents.

Where companies previously could get by with complying with the GDPR (AVG in the Netherlands) and other basic rules, with the introduction of NIS2 they must do considerably more to meet the new requirements. It is therefore important for companies to be aware of NIS2 and to prepare for it, so that their cyber security improves and the impact of cyber attacks is reduced.

Although the NIS directive is still relatively young, research by the EU Agency for Cybersecurity (ENISA) indicates that its implementation in Europe has already led to significant improvements in cybersecurity. Some facts and figures from that study:

  • 96% of member states have implemented national legislation to transpose the NIS Directive into national law.
  • 92% of national authorities have dealt with at least one cybersecurity incident.
  • 83% of organizations covered by the NIS Directive have implemented security measures to reduce cybersecurity risks.

[Infographic: five steps companies can take to prepare for NIS2]

To whom does the NIS2 apply?

NIS2 applies in all member states of the European Union, so every organization and company established in a member state that offers digital services or provides essential services must start complying with it. This covers a wide range of sectors, including energy, transportation, healthcare, finance, digital infrastructure and more. Unlike the original NIS directive, NIS2 has a much broader scope and applies to a wide variety of organizations and businesses, including:

  1. Providers of essential services (e.g., energy, transportation, banking, healthcare, drinking water supply, digital infrastructure).
  2. Digital service providers (e.g., online marketplaces, search engines and cloud computing providers).
  3. Government agencies (both national and local).

The specific criteria for which organizations and companies are covered by NIS2 vary by member state. In the Netherlands, the central government has defined the sectors to which NIS2 applies; download the brochure to see the full list of sectors.

An important difference from the first NIS directive is that organizations are automatically covered by NIS2 if they are active in any of the above sectors and qualify as an “essential” or “important” entity under the directive’s sector and size criteria. Unlike the CER Directive, NIS2 does not involve designation by ministries.

Transitioning to NIS2

The Dutch National Cyber Security Centre (NCSC) has drawn up a timeline for transposing the CER and NIS2 directives into national legislation. The full timeline is included in the brochure at the bottom of this page.

Why OpenSight?

Calling in a specialist is the wisest choice and saves a lot of time: the knowledge and experience of a specialist make for a worry-free process. With OpenSight as your partner, you can be sure that the knowledge and experience are in place to ensure the best possible process.

Knowledge
OpenSight has been working on cybersecurity for companies for years. What began as an interest grew into a passion and eventually into a company offering support services.

Experience
Numerous companies have partnered with OpenSight and have achieved strong results in cybersecurity as a result, from improved business processes to certifications and from consulting to implementations.

Documentation
Clear and accurate documentation is the foundation of cybersecurity: from the plan of action to checkpoints to records of incidents that have occurred and how they were resolved. Much of this documentation is also required for achieving and maintaining certifications, and it increases visibility into the progress and status of the management system.

Time Saving
With compliance software and help from OpenSight, you can minimize the pressure on the organization and save a great deal of time, for example by scheduling recurring tasks so that they are triggered automatically at the set frequency, along with other automations.

Integrations
Integrations with Microsoft Teams or Slack are frequently requested options. They allow tasks arising from the management system to be distributed within the organization. Our experience shows that many organizations benefit from using such integrations, for example in maintaining their NIS2 management system. NIS2 is one of the frameworks that can be chosen to guide monitoring. OpenSight can provide these valuable integrations.

Download the NIS2 brochure

With OpenSight’s service you can follow the NIS2 requirements with ease. You get access to experienced experts, independent advice and practical support in implementing security measures and management systems. Enter your details below to download the brochure and find out how our NIS2 service can help your organization.
