What does the NIS2 directive mean for your business?
The NIS2 Directive will come into force on October 18, 2024. Companies must take the appropriate measures to ensure their cybersecurity. Valéry Vander Geeten of the CCB and Bart Callens of Proximus NXT set out the preparations you should prioritize.
What exactly is NIS2?
The NIS2 Directive (Directive (EU) 2022/2555 of December 14, 2022) requires organizations to protect themselves from cyber threats and to adopt strict security measures for critical infrastructure and personal data. It aims to strengthen the security of network and information systems and to ensure the resilience of society and the economy in relation to cybersecurity.
Expanding on NIS1
As its name suggests, NIS2 succeeds the NIS1 directive from 2016. The differences are significant. “NIS2 requires a much larger number of organizations to implement a comprehensive cybersecurity risk management framework,” Valéry Vander Geeten, Head of Legal of the Center for Cybersecurity Belgium (CCB) says. “It adds 12 new sectors to the six sectors of NIS1. We distinguish between essential and important organizations.”
In addition to the nature of the activities, the size of the entity is also important. NIS2 applies to certain organizations operating within the 18 sectors as soon as an entity employs at least 50 employees or has an annual turnover (or balance sheet total) of more than 10 million euros.
So the fact that a company does not meet the general criteria of the scope of the law does not mean that it is automatically exempt from the NIS2 requirements.
Bart Callens, Product Manager Cybersecurity Proximus NXT
Indirectly involved in NIS2 directive
NIS2 also provides a more comprehensive and incisive framework. “One significant new measure is that organizations covered by NIS2 regulations are supposed to oversee the quality of the cybersecurity of their direct suppliers and service providers. As a result, companies not within the scope of NIS2 will still be indirectly involved,” Valéry asserts.
Management indirectly involved in NIS2 guidelines
Bart Callens, Product Manager Cybersecurity Proximus NXT, notes that companies often present Proximus NXT with questions regarding involvement within the supply chain. “The fact that a company is not active in one of the sectors in the annexes to the law does not mean that it can ignore these obligations. In practice, a large number of companies need to be compliant.”
The NIS2 Act requires organizations to put in place policies on risk analysis and information systems security. This includes internal training, an obligation that applies in particular to members of governing bodies. “One of the most notable changes is the explicit liability that NIS2 imposes on management,” Bart continues. “That makes it important for directors to manage cybersecurity threats proactively and to stay alert to potential ones.” Bart notes that this means NIS2 is not just an IT or security project: it draws the entire C-level in as well.
Essential and important organizations also have an obligation to report incidents that have a significant impact on the performance of their services. “An early warning must be issued within 24 hours of becoming aware of the incident and communication sent out within 72 hours,” Valéry points out.
Companies should not view NIS2 as a burden. It is there to help them increase their resilience.
Valéry Vander Geeten, Head of Legal of the Centre for Cybersecurity Belgium
NIS2 guarantees increased resilience
But just how far-reaching is NIS2 for an organization? “A great deal depends on the security maturity already in place. If a company is ISO 27001-certified, the step toward NIS2 will be much smaller compared to a company with a less structured security approach,” Bart asserts.
Valéry believes that “companies should not consider that path as a burden because, in fact, it helps them increase their resilience with respect to cyber incidents.” According to Bart, the attitude towards NIS2 has changed among businesses. “There was some ambiguity initially: does my company fall under the scope or not, and what do we have to do? Now that the CCB has developed a clear framework and provided tools, such as the CyberFundamentals Framework (CyFun®), many companies see NIS2 as an important link toward an optimized security policy.”
External support
There is no single answer to the question of whether a company should go down the route of NIS2 on its own. “A lot depends on internal capacity and knowledge, available time and procedures already in place,” Valéry says. Bart agrees. “The CCB offers several tools on its website to guide companies (see 7 steps to comply with NIS2 legislation). At the same time, there are already a lot of off-the-shelf solutions for every CISO and CIO, but they can also opt for company-specific solutions. Consequently, external support can add value in many cases.”
Proximus NXT conducts full NIS2 assessments with the customer. “We work out the current security maturity score and point out actions to raise that level. This results in a practical and realistic roadmap towards NIS2, within the predetermined period. If desired, we guide and support the customer through its entire NIS2 compliance process and ensure that it remains compliant. This guidance is provided by Proximus NXT experts with years of experience as CISO through the CISO-as-a-service service.”
NIS2 attestation and sanctions
Essential organizations must have their NIS2 implementation regularly reviewed and assessed by a conformity assessment body. They are supposed to achieve the assurance level basic or major by April 18, 2026, and the final level must be certified by April 18, 2027. Important organizations can also submit to regular conformity assessment. When audited, the appropriate label or certificate counts as a presumption of conformity. In the event of insufficient compliance with the NIS2 Act, sanctions can be imposed, including various administrative measures and administrative fines.