
NIS2: Is your organisation governed by the new European security guideline?

NIS… what? The new European NIS2 guideline is the successor to the NIS (Network and Information Security Directive) and will come into force on 17 October 2024. Do you have an organisation in the UK with partnerships in Europe? Then this article applies to you too. 17 October 2024 may seem a long way off, but the new directive covers a lot more sectors than the old NIS directive did. Do you fall under the important or essential sectors? If so, you will have to take stricter measures on information security, auditing suppliers and incident reporting. We take you through what the NIS2 guideline means, which sectors the new standard applies to, and how your organisation can prepare now with a good risk and audit management system.

Perhaps, as an organisation, you have your cybersecurity completely in order. That would be quite unique, given the number of reports of cybersecurity incidents that continue to rise at a rapid pace. According to research by Positive Technologies, external cybercriminals can penetrate 93% of corporate networks.

What happens next can have dramatic consequences. Just think of the disruption of the production process or services, the (inability to) pay ransom and the breach of sensitive information. Cybercrime is also no longer only targeting large organisations: it also affects the ‘small ones’: 43% of cyberattacks target small businesses.

Cybersecurity Magazine gives some more worrying figures:

  • 30% of small businesses report that phishing is their biggest security threat;
  • 14% of small businesses consider their security policies ‘very effective’;
  • 83% of small- to medium-sized businesses are unprepared to recover from financial losses caused by an attack by cybercriminals;
  • 91% of small businesses are not insured against cyber attacks, even though they know they would not recover from an attack.


So organisations often know the threats exist, yet the step to actually deal with them is often too big. Fortunately, legislation on this subject is becoming increasingly strict.

What is the NIS2 guideline?

Cybersecurity is incredibly important for the protection of our society. For this reason, the European Union introduced the Network and Information Security Directive in 2016. There is now a renewed directive – the NIS2 guideline – to protect and improve the cybersecurity and resilience of key businesses and services in the EU.

The reason is not hard to guess: in recent years, it became clear that several global developments threaten our society and economy. These include not only cyber threats, but also, for example, threats such as COVID-19, the war in Ukraine, more recently the reignited conflict in the Gaza Strip and climate change.

The NIS2 guideline aims to improve the digital and economic resilience of EU member states and is currently being transposed into national legislation. Meanwhile, the official deadline for implementing the NIS2 guideline is known: on 17 October 2024, the directive will take effect. Member states have until then to transpose it into their own legislation.


The NIS2 in a nutshell

Okay, but what exactly does the new guideline entail for you as a UK organisation conducting business in the EU? A 2023 survey by Intrakoop (healthcare purchasing cooperative) found that 60% of healthcare professionals surveyed had never heard of the NIS2 guideline…

It is important to be prepared and know what is expected of you. After all, what the directive requires is far from trivial. We therefore sum up for you the most important things you need to know about the NIS2.

  • NIS2 tightens cybersecurity requirements, with risk management playing an important role.
  • European member states are stepping up cooperation to improve security.
  • The NIS2 guideline covers a lot more sectors than the old NIS guideline.
  • Organisations are classified into two categories: are they important or essential to society? The big difference between these categories is in monitoring and compliance.
  • There will be more focus on the governing bodies of companies covered by NIS2. In other words, directors can be held liable if something goes wrong.
  • As an organisation, you will soon have to report incidents and there will be tougher sanctions if you fail to comply. Think suspensions and fines (up to ten million euros).
  • Not only must your own organisation comply with the NIS2 guideline, you must also identify the security risks at your suppliers and thus throughout your supply chain.

For which sectors is the NIS2 directive important?

The old 2016 NIS guideline focused only on businesses essential to society, such as the healthcare and energy sectors. The new NIS2 guideline is much more comprehensive and also includes companies that are important to society. Think of internet service providers and digital service providers, but also government agencies.

All organisations that will be covered by the NIS2 guideline will thus be categorised as ‘essential’ or ‘important’. The difference between the two categories lies in how compliance is enforced. If you are an organisation in an essential sector that does not comply with the rules, you will be penalised more severely than if your organisation falls under the ‘important’ category. Another difference is that essential entities will also face prior supervision.

What obligations does the NIS2 include?

Do you fall under one of the sectors mentioned above? Then you must comply with a duty of care and a duty of notification. Side note: companies with fewer than 50 employees and an annual turnover and balance sheet total of less than EUR 10 million are exempt.

  • All organisations covered by the new directive have a duty of care. That means you have to adhere to a list of measures. You have to do your own risk assessment and take appropriate measures based on it to safeguard your services.
  • The reporting obligation means that you must report incidents to the regulator within 24 hours. These are incidents that could seriously disrupt essential services. Do you become a victim of a cyber incident? Then you must also report this to the Computer Security Incident Response Team (CSIRT). How do you know whether a report is necessary? That depends on factors such as:
    • The number of people affected by the disruption;
    • The potential financial implications;
    • How long the disruption lasts.

If you fall under the NIS2 guideline, you will additionally come under supervision. An independent regulator will ensure that your organisation complies with the duty of care and notification.

Risk management as an important part of the NIS2

NIS2 aims to improve the cybersecurity of European member states as well as organisations from other countries operating in the EU in several ways: by tightening security requirements, addressing supply chain security, streamlining reporting requirements, and so on.

Risk management is an important part of the NIS2. The word is mentioned no less than 144 times (!) in the final version of the NIS2. The risks described in the NIS2 are largely about digital threats, but it goes much further than that. The new guideline also names non-digital risks, both natural and man-made. Think natural disasters, terrorist attacks and emergencies such as pandemics.

Tooling such as Zenya RISK helps map these risks. Thanks to the software, you gain insight into key risks and can easily identify, control, monitor and demonstrate them. Because your colleagues need to understand what their role will be in complying with the NIS2, an up-to-date risk management system can help increase risk awareness in your organisation. In this way, risk management becomes something that is not only carried by those ultimately responsible for security, but by everyone in the organisation.


A transparent supply chain

When NIS2 takes effect, it will no longer be enough for your organisation to be compliant. You also need to address the security risks in your supply chains and supplier relationships. Because even if you were completely secure yourself, an error by one of your essential suppliers could cause your services to come to a halt. This could have just as big an impact as if you made the mistake yourself.

Suppose you, as a power producer, purchase new wind turbines from a supplier to expand your capacity, and that supplier is hit by a ransomware attack. Then you, as a supplier of an essential service, cannot expand your capacity. So you also need to map out what you expect from suppliers. Do you simply request their ISO 27001 certificate annually and leave it at that? Do you send them a questionnaire about their security measures? Or do you visit them yourself to audit? You will have to think about this carefully and document it once your organisation falls under NIS2.

Auditing key and essential suppliers

Fortunately, we at Infoland notice that awareness of the importance of suppliers to the core business is growing among organisations. Organisations are increasingly auditing suppliers, and we expect this to increase even more due to the NIS2 directive. The extent to which suppliers are audited depends on the importance of your organisation: the more important it is, the more intensively and frequently you will have to audit them. Although the NIS2 is mainly about security, the directive is obviously much broader than that, and your audits will therefore need to be broader as well.

With a smart audit management system, such as Zenya CHECK, you secure this process. You are supported by clear schedules, automatic task schedules including notifications and clear reports. With this audit management system, you can focus on a specific standard – such as the NIS2 directive – and be optimally compliant.

Conclusion

There is still a lot of work to do at most organisations. Even if you have good security software, even if the biggest risks have been identified and even if you regularly scrutinise suppliers – to comply with the new law, you will have to do more. For example, you need to raise awareness of the new regulations among your employees.

Because you may know what it means, but a large proportion of your colleagues have never heard of the NIS2 or think it does not apply to your organisation. You can raise employee awareness by organising training and information sessions and by This way, learning stays fun and your colleagues are not overwhelmed by information.

