Experience first-hand how to implement a cyber security framework such as NIS2
Posted on: 4 April 2024
NIS2 and the various solutions to help you become compliant have been a hot topic for a while now. The advice we have published is trustworthy, of course, but all that information can make the process a bit confusing. Want to keep track? Try deploying GRC tooling to keep an overview and link the different solutions together in a logical way.
NIS2: the next European directive on cyber security
NIS2, the second European directive on the security of your network and information systems, sets stringent requirements for organizations managing critical infrastructure or providing digital services. It aims to increase resilience to cyber threats and minimize the impact of incidents.
For companies, compliance with NIS2 means not only meeting legal requirements, but also protecting digital assets, ensuring business continuity and preventing financial and image damage.
The role of GRC tooling
Governance, Risk & Compliance (GRC) tooling provides organizations with a structured approach to managing regulatory requirements, risks and compliance processes. These tools automate and streamline the audit process, allowing organizations to save time and resources while still complying with complex regulations such as NIS2.
The benefits of GRC tooling for your own NIS2 audit
- Centralization of data: GRC tooling provides a central repository for all relevant data related to cyber security and compliance, making it easier to manage, analyze and report data during an NIS2 audit.
- Automating processes: By automating audit processes, such as evidence collection, audit validation and report generation, organizations can improve efficiency and minimize human error.
- Risk management: GRC tools help identify, evaluate and manage risks that may affect NIS2 compliance. By addressing risks proactively, organizations can identify potential weaknesses and take corrective action before they become a problem.
- Compliance controls: GRC tooling provides built-in controls to ensure that organizations comply with the requirements of NIS2. These controls can be tailored to the specific needs of the organization and help demonstrate compliance during an audit.
GRC tooling makes it easier
NIS2 compliance is a complex and challenging task that many organizations have to face on top of their own activities, but with the right approach and tools, they can take the necessary steps to meet the requirements and establish a stronger cyber security culture. GRC tooling provides an integrated and structured approach to managing regulatory requirements and risks, allowing organizations to remain compliant while maintaining operational efficiency.
Cyberday.ai
Inspired by our blog? Take a look at the website of cyberday.ai, one of our partners. We have used this tooling to implement the various cyber security frameworks at multiple clients without losing overview. Want to know how OpenSight can support your organisation? That, of course, is possible too! Schedule a no-obligation appointment with us.
NIS2 guideline: what does management need to know?
Posted on: 29 January 2024
At a time when cyber threats are becoming increasingly advanced, the European Union introduced the NIS2 Directive as a measure to strengthen the cybersecurity and digital resilience of EU member states. As a successor to the original NIS directive, NIS2 brings with it some new obligations and challenges that require immediate management attention within organizations. This article highlights the key points of NIS2 and what top management needs to know to ensure compliance and optimal preparation.
Comprehensive sectoral coverage
The NIS2 directive is not just limited to traditionally vital sectors such as energy, transportation and healthcare, but now extends to other sectors including government and digital service providers. This means that a wider range of organizations are now within its scope and must comply with the new cyber security standards.
Supply Chain Responsibility
Companies covered by NIS2 must also take measures to ensure that the security of their suppliers and partners is assured. We call this supply chain responsibility. This could have a major impact on suppliers to these sectors. In practice, we will see that under NIS2, sectors will place more requirements on their suppliers and it will become a testing criterion in procurements.
Obligations
Core obligations under the NIS2 include a duty of care and incident reporting. Organizations are required to conduct their own risk assessment and take appropriate measures based on that assessment to protect their services and information. For incidents that (may) significantly disrupt service delivery, there is a duty to report within 24 hours to the supervisor. Furthermore, cyber incidents must also be reported to the CSIRT for help and assistance.
Supervision and enforcement
The NIS2 Directive provides for independent monitoring of compliance with its obligations. It is important for management to understand who the regulators are and how enforcement will be implemented in practice, including the potential fines and penalties for noncompliance.
Preparing for NIS2
Preparation is critical to comply with the NIS2 guideline. This includes updating existing cybersecurity policies and procedures, strengthening incident response plans, and ensuring sufficient resources and expertise to meet its obligations. The basis for preparing for NIS2 can be found in existing information security frameworks, such as the Government Information Security Baseline (In Dutch Baseline Informatiebeveiliging Overheid, or BIO) for government agencies.
Communication and training
The people in your organization are one of the most important aspects when it comes to preventing successful cyber attacks. It is therefore essential that management ensure broad awareness and understanding of NIS2 obligations within the organization. This can be achieved through training, information sessions and ongoing communication about the changes brought about by NIS2.
In short…
The NIS2 directive brings new obligations and challenges that require a proactive approach from management. A thorough understanding of the directive, its obligations and the potential consequences of noncompliance is critical to ensuring cyber resilience and minimizing risk. By taking action now and creating a solid plan, organizations can position themselves to not only comply with the NIS2 directive, but also to strengthen their overall cyber security posture in light of the evolving cyber threat landscape.
NIS2 brochure
Detailed information about NIS2 can be found in our NIS2 brochure. It can be downloaded at the bottom of this page.
Developments concerning NIS2
Posted on: 29 January 2024
The NIS2 Directive is a European Union initiative that aims to improve cybersecurity and the resilience of essential services in EU member states. This directive is an extension of the earlier NIS directive and covers more sectors, sets stricter security standards and introduces incident reporting requirements. No surprise, then, that it has become a major topic in many a board meeting.
Most important developments:
- Comprehensive sectoral coverage: The NIS2 directive will apply to industries and organizations vital to society such as healthcare, transportation, energy providers, government services, food, water management companies and digital providers.
- Obligations and supervision: Within the NIS2 Directive, entities are required to conduct a risk assessment and, based on that assessment, take appropriate measures to protect their services and information. Incidents that (may) significantly disrupt services must be reported to the supervisor within 24 hours. The NIS2 Directive also provides for monitoring of compliance with its obligations by an independent regulator.
- Transition to national legislation: The EU has adopted the NIS2 directive and it is now being translated into Dutch law, with details being worked out about which organizations are covered and what the exact obligations will be.
Information sessions and preparation
OpenSight organizes several information sessions that take a deeper look at how the legislation fits together and how it corresponds to other frameworks such as BIO, ISO27001, NEN7510 and NIST. The obligations of the NIS2 directive are largely aligned with existing information security frameworks, which provides an interesting point of reference. OpenSight will begin hosting this session in the first quarter of the new year. Want to receive an invitation when the date of this session is known?
Click here to submit your interest!
From our experience in implementing frameworks, it is good to begin preparations in a timely manner. It takes an average organization about 12 months to implement a new framework to the point where it works well and is part of its daily operations.
NIS2 obligations
The NIS2 Directive imposes several obligations on entities to strengthen cyber security and resilience of essential services in EU member states. A core obligation is the duty of care, which requires entities to conduct their own risk assessment and, based on that assessment, take appropriate measures to safeguard their services as much as possible and protect the information used.
It further introduces a reporting duty for incidents. Entities must report incidents that (may) significantly disrupt the provision of the essential service to the supervisor within 24 hours. Cyber incidents must also be reported to the Computer Security Incident Response Team (CSIRT), which can then provide help and assistance. The factors that make an incident reportable include, for example, the number of people affected by the disruption, the duration of a disruption and the potential financial losses.
Finally, the NIS2 Directive requires oversight of covered organizations. An independent supervisor will be appointed to monitor compliance with the directive’s obligations, such as the duty of care and notification. The exact details of oversight, including which regulator will be responsible for the government sector, are still being determined, with the intention of using existing accountability structures and seeking to harmonize them.
NIS2 brochure
Detailed information about NIS2 can be found in our NIS2 brochure. It can be downloaded at the bottom of this page.
ISO 27001 certified? Then you’re almost certainly NIS2 compliant too!
Posted on: 24 January 2024
There are several ways for organizations to improve their information security management, including with an ISO 27001 certification and NIS2 compliance. ISO 27001 certification is the international standard for information security. Since many organisations are currently wondering whether achieving ISO 27001 certification means they are also NIS2-compliant, we briefly explain the answer in this blog post.
What are the NIS2 and ISO 27001?
ISO 27001 is an international standard for information security. It is a framework that provides guidelines for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS). An ISMS is a set of policies, procedures, technologies as well as physical measures that an organisation uses to protect information from various threats such as hackers, malware and human error.
NIS2, or the European Directive on Security of Network and Information Systems, on the other hand, is a European Union legislative initiative aimed at ensuring the security of networks and information systems. It sets minimum security measures for organisations operating in vital sectors such as energy, healthcare, transport and financial services. Among other things, organisations covered by these guidelines must conduct risk assessments, implement security measures and report incidents to national authorities.
ISO 27001 certified? Then the NIS2 is an easy next step
Having an ISO 27001 certification means that an organisation has implemented a comprehensive information security management system (ISMS) that meets international standards for information security. Since NIS2 compliance requires the same set of rules and actions from organisations, achieving an ISO 27001 certification is almost a guarantee of NIS2 compliance.
Are there any differences between ISO 27001 and NIS2?
While there is some overlap between ISO 27001 and NIS2, there are also some differences. For example, NIS2 requires organisations to implement certain technical measures, such as monitoring and detection systems and incident response plans, which are not explicitly required by ISO 27001. Moreover, NIS2 is aimed at specific sectors and organisations, while ISO 27001 applies to all types of organisations. So if you have properly implemented all the measures that apply to ISO 27001, including the purchase of monitoring and detection systems as mentioned above, you do not need to worry about whether you are NIS2 compliant.
Benefits of an ISO 27001 certification
Achieving an ISO 27001 certification helps organisations easily meet NIS2 requirements and eases the path to NIS2 compliance. Many of the procedures and processes required for ISO 27001 certification, such as risk assessments, security reviews and audits, are also important for NIS2 compliance. By having already implemented these procedures, you will be better prepared for the NIS2.
If your organisation does not yet have an ISO 27001 certification and you want to focus on NIS2 compliance too, OpenSight can help. OpenSight is specialized in NIS2 compliance. Our experts will therefore be happy to help you implement the technical measures and prepare the required documentation and procedures for the NIS2. Contact us or download our NIS2 brochure below for more information.
NIS2: new European directives for cyber security
Posted on: 24 January 2024
From January 2023, new European directives for cybersecurity, the Network and Information Security 2 (NIS2), will apply. These guidelines have major implications for companies and organizations in Europe, including the Dutch business community. This is because the NIS2 guidelines apply to a wide range of sectors, not just the vital sectors as with the predecessor NIS.
It’s important that companies comply with the NIS2 directives. Not just to avoid high fines that amount to 2% of annual sales, but more importantly, to ensure digital security and prevent cyber attacks. The NIS2 directives require companies and organizations to take their digital security to a higher level and adapt to increasing cybercrime threats.
On this page (and in more detail in our brochure at the bottom of this page) you can read about what the NIS2 entails, which sectors are covered by the directives, the consequences of non-compliance and how to prepare for the NIS2 as a company or organization.
What’s NIS?
The NIS regulation is the first cybersecurity regulation in Europe (and has been in effect in the Netherlands since 2018). The purpose of the NIS is to ensure a common level of security for network and information systems within the European Union. This is achieved by requiring member states to adopt and implement appropriate security measures that reduce the risks of cyber attacks and limit their consequences.
NIS focuses on companies and organizations operating in vital sectors, such as energy, transportation, healthcare, and financial services. Sectors that are critical to keeping our economy and society running and therefore need a higher level of security.
Another goal of the NIS is to strengthen cooperation among EU member states on cyber security. The directive requires member states to designate a national NIS authority and have it cooperate with other European authorities.
In short, the purpose of the NIS directive is to improve the cyber security of the EU’s vital sectors and strengthen cooperation among member states in the field of cyber security. But with the increase in cyber attacks, the NIS no longer appears to provide sufficient security. Therefore, in 2020, the European Commission introduced NIS2 as the new EU security strategy.

Difference between NIS and NIS2
Whereas the NIS focuses on large enterprises in vital sectors, the NIS2 goes beyond that. That means the NIS2 will have a major impact on the European business community. The NIS2 focuses on three pillars of security:
- Security risk mapping;
- Protection and detection to mitigate risks;
- And mitigating the consequences of cyber incidents.
Where companies previously could get away with simply complying with the GDPR (AVG) and other basic rules, with the introduction of the NIS2, they must pull out all the stops to comply with the new guidelines. It’s therefore important for companies to be aware of the NIS2 and prepare accordingly in order to improve their cyber security to reduce the impact of cyber attacks.
Although the NIS directives are still relatively young, research by the EU Agency for Cybersecurity (ENISA) indicates that implementation of the NIS directive in Europe has already led to significant improvements in cybersecurity. Some facts and figures from this study are:
- 96% of member states have implemented national legislation to transpose the NIS Directive into national law.
- 92% of national authorities have dealt with at least one cybersecurity incident.
- 83% of organizations covered by the NIS Directive have implemented security measures to reduce cybersecurity risks.

To whom does the NIS2 apply?
The NIS2 is intended for all member states of the European Union. So all organizations and companies based in these member states that offer digital services or provide essential services must start complying with the NIS2. This covers a wide range of sectors, including energy, transportation, healthcare, finance, digital infrastructure and more. Unlike the original NIS directive, the NIS2 has a much broader scope and applies to a wide variety of organizations and businesses including:
- Providers of essential services (e.g., energy, transportation, banking, healthcare, drinking water supply, digital infrastructure).
- Digital service providers (e.g., online marketplaces, search engines and cloud computing providers).
- Government agencies (both national and local).
The specific criteria for which organizations and companies are covered by the NIS2 vary by member state. In the Netherlands, the central government has defined the sectors to which NIS2 applies; these can be found online. Download the brochure to discover the full list of sectors.
An important difference from the first NIS Directive is that organizations are automatically covered by the NIS2 Directive if they are active in any of the above sectors and can be characterized as an “essential” or “significant” entity according to the criteria below. Unlike the CER Directive, the NIS2 Directive does not involve designation by ministries.
Transitioning to NIS2
The National Cyber Security Centre (NCSC) has drawn up a timeline for translating the CER and NIS2 guidelines into national legislation. You can see this full timeline in our brochure at the bottom of the page.
Why OpenSight?
Calling in a specialist is the wisest choice and saves a lot of time. The knowledge and experience of a specialist ensure a worry-free process. By taking OpenSight as a partner, you can be sure that the knowledge and experience are there to ensure the best possible process.
Knowledge
OpenSight has been dealing with cybersecurity for companies for years. What started as an interest developed into a passion and eventually grew into a company offering supporting services.
Experience
Numerous companies have previously partnered with OpenSight and as a result have achieved great successes regarding cybersecurity. From improved business processes to certifications and from consulting to implementations.
Documentation
Clear and accurate documentation is the foundation of cybersecurity. From the plan of action to checkpoints to recording calamities that have occurred and been resolved. In fact, most documentation is necessary for achieving and maintaining certifications. It also increases visibility into the progress and status of the management system.
Time Saving
With compliance software and help from OpenSight, you can minimize the pressure on the organization, which saves an enormous amount of time. One example is the scheduling of recurring tasks, which are triggered automatically at the configured frequency, alongside other automations.
Integrations
Integrations with Microsoft Teams or Slack are frequently requested options. This allows tasks arising from management to be distributed within the organization. Our experience shows that many organisations benefit from using such integrations and from maintaining, for example, their NIS2 management system with them. NIS2 is one of the frameworks that can be chosen to guide monitoring. OpenSight can provide these valuable integrations.
Download the NIS2 brochure
With OpenSight’s service you can easily follow the NIS2 guidelines. You get access to experienced experts, independent advice and practical support in implementing security measures and management systems. Enter your details below to download the brochure and find out how our NIS2 service can help your organization.
NIS2 is here, now what? Here’s what it means for your company
Posted on: 2 January 2024
New European directives for cybersecurity have been in effect since January 2023: The Network and Information Security 2 (NIS2). These directives are applicable to a wide range of sectors. It’s very important for companies and organizations to comply with these directives. In this blog you’ll read what exactly the NIS2 means, which sectors are covered by the directives and how organizations should prepare for the NIS2.
What is NIS2?
The NIS2 legislation is an extension of the NIS legislation and aims to guarantee a higher level of security of network and information systems within the European Union. This is achieved by requiring Member States to adopt and implement appropriate security measures. The goal? Reducing the risks of cyberattacks and limiting their consequences. The NIS2 targets companies and organizations operating in vital sectors, such as energy, transportation, healthcare, and financial services, as well as other sectors that are critical to keeping our economy and society running.
Why is NIS2 compliance important?
Companies and organizations subject to the NIS2 have a very important task in the coming period: to be NIS2 compliant. Non-compliance with NIS2 leads to high fines that can amount to as much as 2% of annual turnover. But more importantly, NIS2 compliance is necessary to ensure digital security and prevent cyberattacks. The NIS2 directives require companies and organizations to take their digital security to a higher level and adapt to increasing cybercrime threats.

What if you don’t belong to the mentioned sectors?
Although the NIS2 directives mainly focus on companies and organizations operating in vital sectors, it is well worth remembering that these directives can also affect companies and organizations that do not qualify as a vital sector. For example, companies that supply to companies that do fall under these sectors may also be asked to comply with the NIS2 directives in order to continue to deliver. It’s important for companies to consider the impact of the NIS2 directives on their customers and suppliers and to take timely measures to comply with these requirements.
How can you prepare for NIS2 as a company or organization?
As a company or organization, you can prepare for the NIS2 by first determining whether the directives apply to your company or those of your customers or partners. On our website, we previously posted a blog with information about these guidelines. Next, it’s important to identify what measures are needed to become NIS2 compliant. This can be done by identifying security risks, limiting these risks and limiting the consequences of cyber incidents.

Not yet NIS2 compliant? These are the consequences:
There’s no exact number available of EU companies that are already fully compliant with the NIS2 directives. However, companies that fall under the mandatory sectors must be NIS2 compliant. This applies not only to large companies, but also to small and medium-sized enterprises. It’s important to realise that the NIS2 directives aren’t optional and there are high fines for non-compliance.
In addition to the financial consequences, it can also lead to reputational damage if a cyberattack occurs due to non-compliance with the NIS2 directives. You should not only strive to be NIS2 compliant to avoid fines, but also to ensure digital security and maintain the trust of customers and partners.
How to become NIS2 compliant
Although the NIS2 went into effect back in January, organizations and companies still have some time to prepare for it. According to the planning of the National Cyber Security Center (NCSC), the NIS2 legislation won’t fully come into force until 2024. In the meantime, organizations can use different tools like the Risk analysis roadmap of the Digital Trust Centre. In addition, it’s wise to appoint a NIS2 compliance officer who is responsible for the implementation and compliance of the NIS2 directives within the company. This is because the NIS2 has major consequences for companies and organizations in Europe, including the Dutch business community.
The most simple solution for NIS2
Do you want simplicity and certainty? Choose the help of OpenSight! With the help of Cyberday, our experts get to work on your cyber security. Cyberday offers transparency for you as a company, expertise for cybersecurity solutions and the necessary documentation and logging to comply with cybersecurity standards such as NIS2. All this in combination with the help, advice, and watchful eye of cybersecurity experts from OpenSight.
Please feel free to contact us for a consultation. We are happy to help!
Or download the NIS2 brochure.
Does the NIS2 apply to your company? Here’s what you need to arrange
Posted on: 2 January 2024
As of January ’23, all companies and organisations within Europe have to comply with the new NIS2 directives. A major difference with previous legislation is that the NIS2 includes sanctions and the board can be held accountable if insufficient action has been taken in the area of Cyber Security. Because the guidelines of the NIS2 apply to considerably more sectors and branches, it’s important that SMEs in the Netherlands and in other European countries get their act together. In this blog you can read what you as a company must comply with and what exactly the NIS2 entails.
What is NIS?
NIS is short for Network and Information Security and is the first legislation in Europe in the field of cyber security. (The NIS has also been in force in the Netherlands since 2016, where it has been transposed into the Wet Beveiliging netwerk- en informatiesystemen [WBNI]. This guideline motivates companies and organizations to organize and tighten their digital security.) With the sharp increase in cyber-attacks, the European Commission presented a new EU security strategy in 2020: the NIS2.
Where the NIS is limited to only the large companies in vital sectors, like drinking water supplies and telecom, the NIS2 goes a step further. The NIS2 definitely will have a bigger impact on EU business. This mature version of the NIS focuses on three pillars of security:
- Security risk mapping;
- Protection and detection to mitigate risks;
- Limiting the consequences of cyber incidents.
With the NIS, many companies still get away with complying with the GDPR (AVG in the Netherlands) and other ‘basic rules’. But now that the NIS2 guidelines are in force, many companies really have to pull out all the stops when it comes to cybersecurity.

Do you want to know more about how to approach this, or are you curious how compliant your organization is at the moment? Our experts are ready to answer your questions!
Or download the NIS2 brochure.