Cybercriminals can penetrate 93% of corporate networks. Not surprisingly, then, Europe has created the new NIS2 directive. This security directive aims to ensure greater cyber security and resilience for essential businesses in the EU. A while back, we wrote a blog about the essence of NIS2. Since then, more has become known about the new directive. For instance, the Dutch government has indicated that it will not meet the deadline for the NIS2 legislation. Curious about the latest developments? Then read on!
Had you heard of the NIS2 directive a year ago? Was your organisation actively working on it back then? Chances are the answer is ‘no’, but that was true for most organisations at the time. Meanwhile, the cybersecurity directive regularly appears in the news. Did you miss those items? We briefly recap the most important basics of NIS2 for you:
Good to know: many NIS2 measures are part of the basic information security measures that your organisation is probably already taking. These measures are also included in other (inter)national standards, such as ISO 27001.
Want to know more about what the NIS2 directive is, what your obligations are and who it applies to? You can read about that here.
What does the NIS2 directive mean for the Netherlands? As briefly touched upon above, EU member states have until 17 October 2024 to transpose the NIS2 directive into national legislation. In late February, outgoing Justice and Security Minister Dilan Yeşilgöz-Zegerius announced that the Netherlands will not meet this deadline. The reason? The legislative process and the subject matter are more complex than expected.
That complexity is precisely why, as an ‘important’ or ‘essential’ organisation, you should treat the delay as a signal not to sit back. Outgoing minister Yeşilgöz also calls on organisations to continue their preparations anyway. It is better to start today and keep up the pace, because good preparation takes time.
Many Dutch companies have ‘no idea yet’ what to expect. According to ‘Samen Digitaal Veilig’, the new European directive affects more than 50,000 Dutch companies, and only a small minority are aware of the new requirements. This could have major consequences for Dutch businesses: thousands of companies risk losing customers if they start working on NIS2 implementation too late. Germany in particular is leading the way and attaches great importance to compliance, including that of its suppliers.
Yet another reason to start working on the NIS2 legislation (if you still needed one)… Elsewhere in Europe, the directive is simply being transposed as planned. So definitely don’t wait if your organisation has international offices or customers.
Anticipating the NIS2 directive is, according to Thierry van Delden, Compliance & Privacy Officer at Infoland, not just a matter of wanting to comply with new legislation. “Compliance is a strategic step to properly arm your organisation against cyber threats. And even if your cybersecurity is already at a good level, if you fall under the NIS2 directive you will still have to take a lot of additional measures.”
Think of setting up the policies and procedures with which you give shape to the notification duty, but also to identifying and managing risks. This is not just about the security risks in your own organisation: the NIS2 directive explicitly requires you to also address security in your supply chain.
Which measures you must take when the directive takes effect depends on which label your organisation receives: ‘essential’ or ‘important’. The ‘important’ category is new; the original 2016 NIS directive only distinguished operators of essential services from digital service providers.
The number of sectors covered has also been expanded, because there are far more cyber attacks today than in 2016. For example, the National Cyber Security Centre (NCSC) reports that more than 10,000 cyber incidents were reported to it between March 2022 and February 2023. So the NIS directive needed tightening up, and the ‘essential’ and ‘important’ labels help with that.
Organisations critical to keeping Dutch society running are labelled ‘essential’. If such an organisation came to a standstill due to a cyber-attack, it would have a serious impact on the country. Consider power plants, airports, banks or hospitals.
If organisations labelled ‘important’ were to fail, this might not have a direct impact on society, but it could still have a major impact on our daily lives and the Dutch economy. Examples of ‘important’ organisations are telecoms or internet providers, postal and parcel services, and waste management companies.
“Essential and important organisations will soon be subject to the same cybersecurity management requirements; they all have a duty of care,” says Thierry. “The main difference between the two labels is the level of compliance monitoring.”
The consequences of non-compliance are also greater for an essential organisation. For instance, you could face fines of up to €10 million or 2% of your total worldwide annual turnover, whichever is higher. Are you not complying with the NIS2 directive as an important organisation? Then you could face a fine of up to €7 million or 1.4% of your total worldwide annual turnover, whichever is higher.
Insufficient awareness of the new directive could cost Dutch businesses dearly. To prevent this, the Samen Digitaal Veilig (SDV, ‘Digitally Safe Together’) initiative has been set up. In this collaboration, 63 industry and umbrella organisations are joining forces. SDV’s aim is to help suppliers of NIS2 organisations get their cybersecurity in order. According to SDV, organisations can no longer afford to wait before getting started with NIS2, and the Netherlands is among the laggards. A concerted effort is needed!
The central government also advises organisations to take steps to better safeguard the continuity of their business processes. Many of these steps overlap with the duty-of-care and notification obligations in the NIS2 legislation.
Although Zenya is not a security solution, our software can help your organisation embed and demonstrate the required measures. Zenya RISK can be used to map your cyber security risks: it allows you to identify, control, monitor and demonstrate them. Zenya CHECK allows you to audit key suppliers for compliance with the NIS2 directive. The extent to which you will need to do this depends on the label your organisation and your suppliers fall under (essential or important).
Our experts are happy to work with you on how you can apply Zenya for information security.
Request the brochure to have all information conveniently at hand.
Want to see what Zenya can do for your organisation? Request a free demo.
Contact our experts without obligation. We will be happy to help you think it through.