Increase your company's digital resilience with NIS2

NIS2 is a European directive ("Directive (EU) 2022/2555", adopted on 14 December 2022), aimed at improving the cybersecurity of critical infrastructure and digital service providers in the European Union.

Its purpose is to extend, strengthen and harmonise the implementation of the existing cybersecurity framework for Network & Information Security (NIS). NIS2 therefore replaces the former NIS directive. In passing, we would like to mention that there is also a Digital Operational Resilience Act (DORA), which focuses specifically on the financial sector (including banks, investment firms, insurers and trading platforms) and on their critical ICT providers. In this article, however, we will limit ourselves to a discussion of NIS2.

Quick facts

  • NIS2 applies from 18 October 2024 (transposition deadline for member states: 17 October 2024)
  • NIS2 seriously expands the scope
  • NIS2 mandates faster and more detailed incident reporting
  • Tough penalties for non-compliance, also for executives

Europe's goal is clear: the cybersecurity bar must be raised

But what exactly does the NIS2 directive entail? Here are some key points:

  • All EU Member States must ensure that their essential and important entities (more on the difference between essential and important below) take appropriate and proportionate technical, operational and organisational measures to manage cybersecurity risks on networks and information systems, and to prevent or minimise the impact of incidents.
  • By 17 October 2024 at the latest, member states must adopt and publish the measures transposing the NIS2 Directive, which apply from 18 October 2024. At the time of writing, the Dutch government has announced that it will not meet that deadline for the introduction of the national law. In Belgium, the deadline has been met thanks to the expertise and decisiveness of the Centre for Cybersecurity Belgium (CCB). As a side note, we would like to explain the difference between a directive and a regulation: a European regulation is directly applicable in all member states once it enters into force, while a directive must first be transposed into national law. GDPR and DORA are regulations; NIS2 is a directive, hence the translation into national legislation.
  • NIS2 greatly expands the number of organisations affected by these rules. This includes both essential service providers (such as healthcare institutions, energy companies, drinking water and food supply) and major digital service providers (such as cloud providers and online marketplaces). The Directive applies to both public and private entities. There is an exception for public authorities that primarily carry out activities in the areas of national security, public safety, defence or law enforcement, but public organisations whose activities are only indirectly related to national security are covered by the Directive and must achieve the same level of resilience.
  • The focus is very much on the security of supply chains and supplier relationships. Businesses rely heavily on their IT supply chain to deliver their services, and this has greatly expanded their digital attack surface. When it comes to security, think not only of classic IT security, but also of securing operational technology (OT) such as production systems, IoT devices, industrial networks, building management, access control, cameras, lifts, air conditioning, etc., which are nowadays often connected to the company network and can sometimes even be controlled and monitored from outside the company.

The full Dutch text of the NIS2 law and a lot of background information can easily be found via https://ccb.belgium.be/nl/nis2.

To which sectors does NIS2 apply?

NIS2 focuses on various sectors, including:

  1. Energy companies and energy distribution companies that are essential to society
  2. Transport by rail, water, road and air
  3. Healthcare facilities and services, such as hospitals, pharmacy services, and medical devices
  4. Digital infrastructure: organisations that provide digital services, such as internet service providers, DNS and domain name registry services, data centre services and cloud computing service providers
  5. Drinking water and wastewater management: companies that are essential for public health and the environment
  6. Public administration that is essential to society, such as ministries and regional governments (member states may also include local authorities such as municipalities and provinces)

Large organisations in the above (and a few more) sectors are called essential entities; medium-sized organisations in the same sectors are generally classified as important entities, so size matters as well as sector. Besides these, there are a lot of companies which are important entities because they fall in these categories:

  1. Chemical sector: Companies that produce, distribute and use chemicals
  2. Food: Businesses that produce, distribute and sell food
  3. Manufacturing: Companies that manufacture, distribute, and sell products
  4. Digital providers, such as online marketplaces, online search engines and social networking platforms
  5. Postal and courier services, from national postal services to small courier companies with niche markets
  6. The research sector, because it deals with a large volume of sensitive data, including personal health information, genetic data and intellectual property

These are the sectors most "targeted" by NIS2 because they are important or even essential for society and the economy.

SMEs are also questioning NIS2

The most frequently asked question we get is "Does our company fall under the NIS2 legislation?", followed, if the answer is yes, by "Are we an essential or an important entity?", because supervision is stricter and the maximum fines are higher for the first category. But even without answering that question, the spirit of the law is that you should examine your cybersecurity policies, conduct risk assessments and raise awareness among employees. The message is to act proactively.

Here are 10 concrete steps SMEs can take to improve their digital security:

  • Perform a risk analysis to identify the vulnerabilities in your IT systems and business processes.
  • Establish a cybersecurity plan with clear responsibilities, procedures, and measures to mitigate risk.
  • Enforce strong passwords, two-factor authentication and regular software updates to keep systems up to date and secure.
  • Back up critical data and regularly test whether this works properly in the event of an emergency.
  • Limit access to systems and data to what is strictly necessary for employees.
  • Train your staff on cyber awareness so they can spot phishing, malware, and other threats.
  • Explore cyber insurance to cover financial risks in the event of an incident.
  • Collaborate with experts to improve your security and stay on top of new threats.
  • Create an incident response plan so you know how to act in the event of a data breach or cyberattack.
  • Invest in digital tools such as firewalls, antivirus, encryption, and monitoring to protect your systems.

By taking these steps, SMEs can significantly increase their digital resilience and reduce the likelihood of successful cyberattacks. Cybersecurity is a continuous process that requires the ongoing attention of the entire company.

NIS2 starts at the top of the company!

In addition to the many technical security measures you can take as a company, it is also important to act on risk and incident management, corporate responsibility, reporting readiness and business continuity.

A relatively new and still little-known aspect is that NIS2 requires company management to approve and oversee the entity's cybersecurity risk-management measures, to follow training on them, and to address cyber risks. The management body can be held liable for breaches, and for essential entities supervisors can even temporarily ban individuals at executive level from exercising management functions.

How can Howest help you with NIS2?

It is crucial to be well prepared for the NIS2 Directive: know what it contains, whether you are covered by it, and what measures you need to take. But even if you are not directly subject to the legislation, there is a very good chance that customers in your supply chain will ask you what cybersecurity measures you are taking and whether you have your "cyber resilience" in order. When your supply chain partners have the choice, they may choose the suppliers that least increase their cyber risk.

Through Howest you can work with a number of neutral experts to gain knowledge and advice on NIS2. We have knowledge of both the ISO 27001 standard and the CyberFundamentals (CyFun) framework of the CCB. The latter is particularly interesting, as it was developed with NIS2 in mind and is also seen as a very useful tool outside Belgium. We will therefore delve deeper into this at Howest, so that we can guide companies with knowledge and advice on both ISO 27001 and CyFun certification.

We also offer a large number of relevant cybersecurity training courses.

On 23 May 2024, Howest organised a free meetup "NIS2 in de Praktijk", and you can still download the presentations of this meetup via https://forms.microsoft.com/e/zC8HAMb0uD

Authors

  • Patrick Van Renterghem, Research marketing and communITy-cation
