
Stay up to date with the new European NIS2 guideline

Cybercriminals can penetrate 93% of corporate networks. Not surprisingly, then, Europe created the new NIS2 guideline. This security directive aims to ensure greater cyber security and resilience for essential businesses in the EU. A while back, we wrote a blog about the essence of NIS2. Meanwhile, more is known about the new directive. For instance, the Dutch government has indicated that it will not meet the deadline for the NIS2 legislation. Curious about the latest developments? Then read on quickly!

Had you heard of the NIS2 guideline a year ago? Was your organisation actively working on it back then? Chances are the answer is ‘no’, but that was true for most organisations then. Meanwhile, the cybersecurity directive regularly appears in the news. Did you miss these posts anyway? We briefly recap the most important basics about the NIS2 for you:

What is the NIS2 guideline? A brief overview

  • The NIS2 guideline is the successor to an earlier European directive from 2016. NIS stands for 'Network and Information Security'. Did your organisation already fall under that directive and therefore already take NIS measures? If so, there is a good chance that this work is partly in line with the new directive.
  • The NIS was created to protect and improve the cyber security of essential businesses and services in the EU. Member states should cooperate more to improve security.
  • All member states must translate the cybersecurity directive into national legislation by 17 October 2024. The Dutch government has now indicated it will not meet this deadline.
  • NIS2 tightens cybersecurity requirements, with risk management playing an important role.
  • The new directive covers many more sectors than the old NIS directive. Further in this article, you can check whether your organisation will soon be covered by it.
  • Organisations can be classified into two categories: 'important' or 'essential'. The big difference between these categories is in monitoring and compliance. You can read more about this below!
  • Will your organisation soon be covered by the NIS2 guideline? Then you will have to comply with a duty of care and a duty of notification. There will also be an independent regulator to monitor whether organisations comply with their obligations.

Good to know: many NIS2 measures are part of the basic information security measures that your organisation is probably already taking. These measures are also included in other (inter)national standards, such as ISO 27001.

Want to know more about what the NIS2 guideline is, what your obligations are and who it applies to? You can read about that here.

Delayed implementation of NIS2 in the Netherlands

What does the NIS2 guideline mean for the Netherlands? As briefly touched upon above, European member states have until 17 October 2024 to implement the NIS2 guideline into national legislation. In late February, outgoing Justice and Security Minister Dilan Yeşilgöz-Zegerius announced that the Netherlands will not meet this deadline. The reason? The legislative process and subject matter are more complex than expected.

That complexity is one of the reasons why, as an ‘important’ or ‘essential’ organisation, you should see this as a signal not to sit back. Outgoing minister Yeşilgöz also calls on organisations to continue their preparations anyway. It is better to start today and keep up the pace, because good preparation takes time.

Many Dutch companies have ‘no idea yet’ what to expect. According to ‘Samen Digitaal Veilig’ the new European directive affects more than 50,000 Dutch companies. Only a small minority are aware of the new requirements. This could have major consequences for Dutch businesses. Thousands of companies risk losing customers if they start working on NIS2 implementation too late. Germany in particular is leading the way and attaches great importance to compliance.

Yet another reason to start working on the NIS2 legislation (if you still needed it)… Internationally, the European legislation is simply being implemented as planned. So definitely don’t wait if your organisation has international offices or customers.


Label ‘essential’ or ‘important’

Anticipating the NIS2 guideline is, according to Thierry van Delden, Compliancy & Privacy Officer at Infoland, not just a matter of wanting to comply with new legislation. “Compliance is a strategic step to properly arm yourself as an organisation against cyber threats. And even if the level of your cybersecurity is as good as it is, if you fall under the NIS2 guideline, you will have to take a lot of additional measures.”

Think about setting up the policies and procedures with which you shape the duty to report, but also about identifying and controlling risks. This is not just about the security risks in your own organisation – the NIS2 guideline clearly describes that you should also ensure security within your supply chain.

Which measures you should take when the directive takes effect depends on which label your organisation gets: ‘essential’ or ‘important’. The labels were not yet included in the old 2016 NIS directive.

The number of sectors has been expanded, as there are far more cyber attacks today than in 2016. For example, the National Cyber Security Centre (NCSC) reports that more than 10,000 cyber incidents were reported between March 2022 and February 2023. So the NIS directive needed to be tightened up, and the ‘essential’ and ‘important’ labels help with that.

Organisations critical to keeping Dutch society running are labelled ‘essential’. If such an organisation came to a standstill due to a cyber-attack, it would have a serious impact on the country. Consider power plants, airports, banks or hospitals.

If organisations labelled ‘important’ were to drop out, it might not have a direct impact on society, but it could have a major impact on our lives and the Dutch economy. Examples of ‘important’ organisations are telecoms or internet providers, postal and parcel services or waste management companies.

“Essential or key organisations will soon be subject to the same cybersecurity management requirements; they all have a duty of care,” says Thierry. “The main difference between the two labels is the level of compliance monitoring.”

  • Essential organisations fall under proactive supervision. The regulator actively checks whether they have implemented the rules correctly and comply with them.
  • Important organisations can expect supervision only after a cyber incident has occurred, and only if there is evidence of it.

So when you fail to comply as an essential organisation, the consequences are greater. For instance, you could face fines of at least €10 million or 2% of your annual turnover. Are you not complying with the NIS2 guideline as an ‘important’ organisation? Then you could face a fine of up to €7 million or 1.4% of your annual global turnover.


Get started with the NIS2 implementation now

Insufficient awareness of the new directive could cost Dutch businesses dearly. To prevent this, Digital Secure Together (SDV) has been established. With this collaboration, 63 industry and umbrella organisations are joining hands. SDV’s aim is to help suppliers of NIS2 organisations get their cybersecurity in order. According to SDV, you can no longer wait to get started with NIS2. According to them, the Netherlands is among the laggards. A concerted effort is needed!

The central government also advises organisations to take steps to better ensure business process continuity. In part, these are also the measures included as duty of care and notification in the NIS2 legislation.

Although Zenya is not a security solution, our software can indeed help your organisation secure the measures. Zenya RISK can be used to map your cyber security risks. It allows you to easily identify, control, monitor and demonstrate them. Zenya CHECK allows you to audit key suppliers for compliance with the NIS2 guideline. The extent to which you will need to do this depends on the label your organisation and suppliers fall under (essential or important).

Let us help you set up a total ISMS solution

Our experts are happy to work with you on how you can apply Zenya for information security.

  • Zenya offers a user-friendly, intuitive solution that anyone can work with. You always have up-to-date information.
  • Real-time dashboards give you insight into the status of security risks and measures. Proactively identify potential risks and weaknesses in your information security.
  • Zenya facilitates clear ownership of assets, security risks and measures. This is how you comply with laws and regulations.


Curious about how Zenya can help you secure the NIS2 guideline?

Contact our experts without obligation. We will be happy to think along with you.