
The NIS2 Directive: which steps should I take right now?

The NIS2 Directive: what does this mean for my organization?

With NIS2, Europe is significantly tightening its cybersecurity regulations, because the number of digital attacks on companies and (government) institutions keeps growing year after year. In a recent report on global financial stability, the International Monetary Fund points out that the number of cyber attacks worldwide has doubled since the start of the corona pandemic in 2020. The same trend is visible in Belgium. That is why parliament recently transposed the European NIS2 directive into national legislation, which sets stricter requirements for cyber security. This new law, which takes effect on October 18, 2024, brings significant changes and obligations for a wide range of organizations. This article gives an overview of what the NIS2 directive entails, what impact it has on your organization and what first steps you should take.

Expansion of scope

The NIS2 directive significantly expands the number of sectors and organizations that must meet strict cybersecurity standards. The directive now covers 18 critical sectors, including energy, healthcare and digital infrastructure, but also new sectors such as postal and courier services, wastewater treatment and the chemical industry. In addition to the existing obligations for ‘essential’ entities, ‘important’ entities must now also comply with these rules: these include smaller companies in a covered sector with more than 50 employees or an annual turnover of more than 10 million euros.

Increased responsibilities and sanctions

One of the most striking aspects of the NIS2 directive is the increased personal liability of directors and managers. They are held personally responsible for compliance with cyber security standards and, in extreme cases, can even be temporarily banned from exercising their management function if they do not follow the rules. In addition, fines for non-compliance have been significantly increased. Larger companies can face fines of up to 2% of global annual turnover, with a maximum of 10 million euros.

Mandatory reports and audits

Under the new legislation, it is mandatory to report cyber incidents to the Centre for Cybersecurity Belgium (CCB). The CCB will also conduct unannounced security scans and audits to verify compliance with the legislation. Ignoring CCB recommendations can lead to heavy fines and further sanctions.

Preparation and compliance

With the introduction of the NIS2 Directive, it is crucial for all organizations concerned to review and strengthen their cybersecurity measures. Companies should know their classification under the new guidance (small, basic, important or essential) and implement the required measures, such as setting up robust backup systems, training staff and having cybersecurity plans approved by management.

Tip: consult the CyberFundamentals framework and map your organization to the correct classification: CyberFundamentals Framework | CCB Safeonweb

NIS2: now what?

Many organizations may still have a lot of work ahead of them. These are the first three essential steps you can take towards NIS2 compliance:

1. Determine whether your organization is impacted by NIS2

The first and most crucial step is determining whether your organization falls under the new directive. This depends on several criteria, such as the sector in which your organization operates, the number of employees and the annual turnover. The NIS2 Directive applies to a wide range of sectors and sets specific size thresholds. Consult Annexes I and II of the NIS2 Directive and the recommendations of the European Commission to determine whether your organization meets these criteria.

Tip: Spotit developed its own ‘NIS2 decision tree’, a useful tool to determine which NIS2 category your organization falls under. Use this tool via Decision tree | Spotit

2. Inform the board and management loud and clear

Given the increased responsibilities and potential personal liability under NIS2, it is critical that directors and management are fully informed of the implications of the directive. They need to understand which specific obligations the directive entails and how these affect their responsibilities within the organization. Workshops, training sessions and strategic meetings can be effective ways to transfer this knowledge. The board should also know that by October 18, 2024, companies, and therefore also the CEO, must be able to demonstrate that they have taken the necessary measures set out in Articles 30 and 31 of the NIS2 directive.

Tip: ask about spotit’s tailor-made CxO cybersecurity workshops via [email protected]

3. Closely follow all communication from the Centre for Cybersecurity Belgium (CCB)

Organizations that fall under the NIS2 Directive will have to register with the CCB from October 18, 2024. This registration allows the CCB to monitor organizations and provide support where necessary. Review the specific registration requirements published by the CCB and make sure that all required information is communicated correctly. The CCB also acts as the reporting point for cybersecurity incidents, which is part of compliance under NIS2. We advise you to closely follow all communication coming from the CCB.

NIS2 next steps: implementation and ongoing compliance

After these initial steps, organizations should develop a detailed action plan to meet all the requirements of NIS2. This includes implementing adequate cybersecurity measures, drawing up incident response plans and training staff regularly. Regular audits and updates of these plans are also essential to keep security up to date and to keep pace with the changing nature of cyber threats.

Compliance with the NIS2 Directive is not only a legal obligation, but also an essential step in protecting your organization against increasing cyber threats. It requires an organized and proactive approach to cybersecurity, with organizational leadership closely involved in monitoring and implementing effective cybersecurity practices. It is important that you can count on a professional partner who advises and guides you and your organization and helps you grow further in NIS2 cybersecurity maturity. Contact spotit to discuss a NIS2 collaboration.

Hooray, more protection!

The NIS2 Directive sets a new standard for cybersecurity in the EU and has significant implications for a wide range of organizations in Belgium. It is essential that businesses are aware of these new rules and take the necessary steps to ensure full compliance. This is not only a legal obligation, but also a crucial step towards securing your organization in a digitally connected world. We are already fans of NIS2, and our team of experts is ready to support you wherever you deem it necessary.