New NIS 2 Cybersecurity Directive: who should act on it?
New NIS 2 Cybersecurity Directive: who should act on it?
Anne Sophie Dil
Co-founder of NAALA
Published on 19 January, 2023
By: Anne Sophie Dil – Co-founder of NAALA
Published on 19 January, 2023
Last December, the European Commission adopted a revamped cybersecurity directive: Network and Information System (NIS) 2 Directive. This directive succeeds an earlier NIS Directive (called NIS (1) in this blog), as cyber threats developed faster than organisations and legislation were prepared for.
Cybersecurity includes protecting systems, networks, devices and data from cyber attacks such as ransomware, malware and phishing. What is the difference between cybersecurity and information security? Information security does include cybersecurity, but also includes security of non-digital data such as paper-based information.
In this blog, we provide an introduction to NIS (1), explain what changes NIS 2 will bring and provide you with what your organisation can do to comply with the legislation.
- NIS is short for Network and Information Systems. It refers to the security of networks and information systems. The NIS Directives (NIS (1) and NIS 2) are European legislation.
- The aim of NIS (1) is to make Europe more digitally secure by strengthening resilience to cyber incidents and mitigating the consequences of cyber incidents.
- NIS 2 is an update of NIS (1) and will eventually replace the latter. It aims to ensure a higher level of cybersecurity and to eliminate differences in the level of cybersecurity between EU-countries. The rules will apply to more sectors and companies than under NIS (1).
- European directives must be transposed into national legislation before they can be enforced. Each EU country must make a national law, making the provisions of European directives specific.
- NIS (1) has been transported into the Dutch “Wet beveiliging netwerk- en informatiesystemen” (Wbni). With the advent of NIS 2, the Wbni will also have to be updated.
- NIS (1) applies to vital providers and digital services. Vital providers are, for example, energy suppliers in the healthcare sector.
- NIS 2 will apply to more sectors and organisations. Its scope has been extended relative to NIS (1) to sectors that are important to the economy and society. Examples include healthcare, research, financial market infrastructure and digital infrastructure and digital providers.
- The new version of the Dutch implementation of NIS 2, the Wbni, will define exactly what type of organisations will be covered by the scope of the rules.
- In this regard, the European Commission has already stated that medical device manufacturers, for example, must at least comply with the rules.
- For digital service providers who want to determine whether they fall within the scope of the Wbni, the Dutch regulator Rijksinspectie Digitale Infrastructuur has developed a self-assessment tool. Organisations can use it to determine for themselves whether the provisions of the Wbni apply to them.
- NIS 2 was published on 14 December 2022. It entered into force 20 days later. This means the timeframe has started for EU countries to develop national legislation specifying the rules.
- By 17 October 2024, countries must have national legislation available. From the following day, that legislation will apply, and companies will have to start complying.
- In the Netherlands, this means that the Wbni must be updated by October 2024. The Wbni will further specify which organisations have to comply with the rules. Furthermore, it will establish whether and what fine can be imposed if an organisation fails to comply with the legal provisions.
- NIS 2 requires an all-hazards approach to risk management. The directive includes a list of minimum basic security elements to be applied.
- Recital 79 of NIS 2 mentions that the cybersecurity risk-management measures should be in line with ISO 27001 and ISO 27002. This provides a state-of-the-art framework for information security. It focuses on controlling the availability, integrity, confidentiality and authenticity in networks and information systems.
- Furthermore, organisations must have a procedure for handling and reporting cybersecurity incidents. To this end, safeguards must be implemented to ensure the availability, integrity, confidentiality and authenticity of network and information systems (RDI).
- RDI’s self-assessment tool not only provides support to determine whether the Dutch implementation of NIS, the Wbni, applies to a certain digital service provider. In addition, the tool gives an indication of the extent to which the safeguards already in place are in line with the objectives of the duty of care that follows the law. This duty of care means that organisations to whom the Wbni applies must ensure that cybersecurity incidents are prevented.
- Organisations that will be covered by NIS 2 should implement ISO 27001 and 27002. This provides a comprehensive framework for risk management, incident management and other measures to achieve an maintain appropriate levels of (cyber) security. Correct implementation of the standards leads to a management system, ensuring continuous compliance without restricting day-to-day activities.
Feel free to get in touch!
Questions? We are happy to discuss your specific case.
Related
Freeday provides digital employees to take over human tasks and interactions. NAALA assisted Freeday with implementing ISO 27001 and NEN 7510. Applications already available within Freeday were used for this purpose. Since every employee used the applications daily anyway, making employees aware of information security activities took little effort. As a result, Freeday has a certified and integrated information security management system.
With security threats arising in all sectors, companies are more and more aware of the need to upgrade their information security management. Are you looking for a way to structure your security management efforts in a uniformly recognisable way? ISO 27001 provides organizations with guidance for the implementation of an information security management system.
Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only. Changes in legal or regulatory requirements may occur at short notice, which we cannot reflect on a daily basis.