TIOZ Howest

Howest Logo

Increase your company's digital resilience with NIS2

NIS2 is a European directive ("Directive (EU) 2022/2555", adopted on 14 December 2022), aimed at improving the cybersecurity of critical infrastructure and digital service providers in the European Union.

Its purpose is to extend, strengthen and harmonize the implementation of the existing cybersecurity framework for Network & Information Security (NIS). NIS2 therefore replaces the former NIS directive. In passing, we would like to mention that there is also a Digital Operational Resilience Act (DORA), which focuses specifically on the financial sector (including banks, investment firms, insurers, accountancy firms, trading platforms) but also their critical ICT providers. In this article, however, we will limit ourselves to a discussion of NIS2.

Download the NIS2 presentations

Cover image

Quick facts

  • /

    NIS2 Deadline: 18th of October 2024

  • /

    NIS2 seriously expands the scope

  • /

    NIS2 mandates faster and more detailed incident reporting

  • /

    Tough penalties for non-compliance, also for executives

Europe's goal is clear: the cybersecurity bar must be raised

But what exactly does the NIS2 directive entail? Here are some key points:

  • All EU Member States must ensure that their essential and important entities (more on the difference between essential and important below) take appropriate and proportionate technical, operational and organisational measures to manage cybersecurity risks on networks and information systems, and to prevent or minimise the impact of incidents.
  • By 17 October 2024 at the latest, member states must adopt and publish the measures from the NIS2 Directive. In the meantime, the Dutch government has announced that it will not meet that deadline for the introduction of the national law. In Belgium, this has been achieved thanks to the expertise and decisiveness of the Center for Cybersecurity Belgium (CCB). As a sidenote, we would like to explain the difference between a directive and a regulation: a European regulation is immediately applicable in all member states after it enters into force, while directives must first be transposed into national law. GDPR and DORA are regulations, NIS2 is a directive, hence the translation into national legislation.
  • NIS2 greatly expands the number of companies that will be affected by these regulations. This includes both essential service providers (such as e.g.healthcare institutions, energy companies, drinking water and food supply) and major digital service providers (such as cloud providers and online marketplaces). The Directive applies to both public and private entities. There is an exception for public authorities that primarily carry out activities in the areas of national security, public safety, defence or law enforcement, but public organisations that carry out activities that are indirectly related to national security are covered by the Directive and must have an equal level of resilience.
  • The focus is very much on the security of supply chains and supplier relationships. Businesses rely heavily on their IT supply chain to deliver their services, and this has led to an exponential expansion of businesses' digital attack surface. When it comes to security, think not only of classic IT security, but also of securing operational technology (OT) such as production systems, IoT devices, industrial networks, building management, access control, cameras, elevators, air conditioning, etc. which are nowadays often connected to the company network, and can sometimes even be controlled and monitored from outside the company.

The full Dutch text of the NIS2 law and a lot of background information can easily be found via https://ccb.belgium.be/nl/nis2.

To which sectors does NIS2 apply?

NIS2 focuses on various sectors, including:

  1. Energy companies and energy distribution companies that are essential to society
  2. Transport by rail, water, road and air
  3. Healthcare facilities and services, such as hospitals, pharmacy services, and medical devices
  4. Digital infrastructure: Organizations that provide digital services, such as internet service providers, digital service providers, and cloud computing service providers
  5. Drinking water and wastewater management: Companies that are essential for privacy and environmental health
  6. Government agencies that are essential to society, such as ministries, municipalities and provinces

Companies in the above (and a few more) sectors are called essential entities. Besides these, there are also a lot of companies which are important entities, and fall in these categories:

  1. Chemical sector: Companies that produce, distribute and use chemicals
  2. Food: Businesses that produce, distribute and sell food
  3. Manufacturing: Companies that manufacture, distribute, and sell products
  4. Digital services, such as providers of domain name registrations and electronic communication services
  5. Postal and courier services, from national postal services to small courier companies with niche markets
  6. Research sector, because they deal with a large volume of sensitive data, including personal health information, genetic data, and intellectual property

These are the sectors most "targeted" by NIS2 because they are important or even essential for society and the economy.

SMEs are also questioning NIS2

The most frequently asked question we get is "Does our company fall under the NIS2 legislation?", and in line with a positive answer: "Are we an essential or an important entity?" because the impact is slightly greater with the first category. But even without answering the question, according to the spirit of the law, it's important to examine your cybersecurity policies, conduct risk assessments, and raise awareness among employees. The message is to act proactively.

Here are 10 concrete steps SMEs can take to improve their digital security:

  • Perform a risk analysis to identify the vulnerabilities in your IT systems and business processes.
  • Establish a cybersecurity plan with clear responsibilities, procedures, and measures to mitigate risk.
  • Provide strong passwords, two-factor authentication, and regular software updates to keep systems up-to-date and secure.
  • Back up critical data and regularly test whether this works properly in the event of an emergency.
  • Limit access to systems and data to what is strictly necessary for employees.
  • Train your staff on cyber awareness so they can spot phishing, malware, and other threats.
  • Explore cyber insurance to cover financial risks in the event of an incident.
  • Collaborate with experts to improve your security and stay on top of new threats.
  • Create an incident response plan so you know how to act in the event of a data breach or cyberattack.
  • Invest in digital tools such as firewalls, antivirus, encryption, and monitoring to protect your systems.

By taking these steps, SMEs can significantly increase their digital resilience and reduce the likelihood of successful cyberattacks. Cyber security is a continuous process that requires the continuous attention of the entire company.

NIS2 starts at the top of the company!

In addition to the many technical security measures you can take as a company, it is also important to take actions in risk and incident management, corporate responsibility, reporting readiness and business continuity.

Relatively new and still fairly unknown, NIS2 requires company management to oversee, approve and receive training on the entity's cybersecurity measures, and address cyber risks. Breaches can result in fines for management, including liability and a possible temporary ban on management positions.

How can Howest help you with NIS2?

It is crucial to be well prepared for the NIS2 Directive: know what it contains, whether you are covered by it, and what measures you need to take. But even if you are not directly subject to the legislation, there is a very good chance that you will be asked by suppliers from your supply chain what cybersecurity measures you are taking, and whether you have your "cyber resilience" in order. When your supply chain partners have the choice, they may choose the suppliers that least increase their cyber risk.

Through Howest you can work with a number of neutral experts to gain knowledge and advice on NIS2. We have knowledge of both the ISO 27001 standard and the CyberFundamentals (CyFun) framework of the CCB. The latter is particularly interesting, as it has been developed specifically for NIS2, and is also seen as a very useful tool outside Belgium. We will therefore delve deeper into this at Howest, so that we can guide companies with knowledge and advice in both ISO27001 and CyFun certification.

We also offer a large number of relevant cybersecurity training courses:

On 23 May 2024, Howest organised a free meetupNIS2 in de Praktijk”, and you can still download the presentations of this meetup via https://forms.microsoft.com/e/zC8HAMb0uD

Authors

  • /

    Patrick Van Renterghem, AI, CyberSecurity, Web3, Quantum, ... Community Builder

Want to know more about our team?

Visit the team page