What is NIS2 and what does it mean for your organization?

16 February, 2023

Maarten de Bakker

16 February, 2023

Maarten de Bakker

Cyber security is constantly changing. In 2022, the number of ransomware attacks increased by as much as 300% compared to 2021, and SMEs are increasingly being targeted. Cybercrime is the main growth market for criminals, and developments such as remote working and bring-your-own-device are playing into their hands. For many SMBs, keeping their data and assets secure while allowing employees to work when and where they want, with any device, is a challenge.

As we become increasingly reliant on digital facilities and networks, phishing, ransomware attacks and malware can have a major impact on a society. This has not gone unnoticed by lawmakers in Brussels either, and cybersecurity is now high on the agenda. Therefore, the European Parliament has decided to revive the existing NIS directive and is coming up with the NIS2.

What is the NIS2?

NIS2 in brief

What does this mean for your organization?

Preparation for NIS2

What is the NIS2?

The Network and Information Security (NIS) Directive is the first piece of EU cybersecurity legislation, and aimed to achieve a common level of cybersecurity across European member states. Its implementation turned out to be really complicated. Meanwhile, digitization continues to advance and the number of cyber attacks increases. Therefore, the European Commission has submitted a proposal to replace the NIS directive on network and information security. The NIS2 will tighten security requirements, address supply chain security, streamline reporting requirements, and strengthen oversight and enforcement requirements, including harmonized sanctions across the EU.

NIS2 expands the scope and requires more entities and sectors to take measures. This is with the goal of raising the level of cybersecurity in Europe in the longer term. The political agreement was formally adopted by the European Parliament in November 2022 and then by the European Council. It went into effect on Jan. 16, 2023. Member states have until Oct. 17, 2024, to transpose its measures into national law.

NIS2 in brief

The European Cyber Security Directive
Has tightened security requirements
Applicable to more organizations
The NIS2 imposes sanctions for failure to comply
Member states have until 17-10-24 to transpose directive into national law

What does this mean for your organization?

Whereas with the NIS1 focused only on the larger organizations and institutions that provide specific community services, such as energy or water, the NIS2 is broader. The NSI2 directive could have significant implications for healthcare facilities, food, transportation, certain business service providers and the manufacturing industry, for example.
-The penalties for non-compliance are not amiss and are similar to those of the AVG. Fines can reach 10 million euros, or two percent of annual sales.

Preparation for NIS2

So the most important advice is to prepare and not wait for the directive to take effect. So contact our cybersecurity specialists for a full consultation tailored to your situation. We assess whether you fall under the NIS2 guideline, analyze what, if any, deficiencies there are in your current cybersecurity strategy, determine what measures are needed, and help you implement them.

Does the NIS2 not apply to your organization? Still, it may then be interesting to follow the guideline. After all, its essence is about improving your cybersecurity approach, including: