NIS2: are you ready for the new cybersecurity compliance rules?

Since January 16, 2023, the NIS2 directive has been in force, bringing significant changes to the cybersecurity rules. Directive (EU) 2022/2555, which entered into force on that date, marks a new phase with considerable consequences for digital security in the European Union. For Belgian companies navigating this digital transition, it is crucial to understand what NIS2 entails and when the directive will be fully enforceable.

Note that Belgium is tasked with implementing new provisions to replace the current NIS legislation by October 17, 2024, and preparations for this are already underway. Prepare for a new era of cybersecurity.

What is NIS2?  

In November 2022 the European Union adopted NIS2, a revised version of the Network and Information Systems (NIS) Directive. NIS1 took the first step toward a unified approach to cybersecurity across the member states, but as a first attempt it had its shortcomings. NIS2 raises the bar with enhanced security requirements, streamlined incident reporting, and more intensive supervisory measures and sanctions. Consider it your digital guardian, ready to act against threats in the online domain.

Which companies are affected?  

NIS2 has a broad impact across many sectors, with the aim of improving cybersecurity. The directive targets medium-sized companies (more than 50 employees or a turnover of more than 10 million euros) and large companies (more than 250 employees or a turnover of more than 50 million euros) in a range of critical sectors. Unlike NIS1, under which member states had to designate providers themselves, NIS2 gives clearer criteria, renames sectors, and expands their number.

The rule is simple: every organization in an essential sector with more than 50 employees and a turnover of more than 10 million euros is considered an essential provider. Member states may, however, also designate organizations in such a sector with fewer than 50 employees and less than 10 million euros in turnover as essential providers.

The directive covers not only 'essential sectors' but also introduces a new category, the 'important sectors'. The distinction between 'essential' and 'important' lies in the level of supervision: essential entities fall under proactive supervision, important entities under reactive supervision. This significantly expands the range of companies covered by the regulation.

Original sectors:

  • Healthcare
  • Transport
  • Banking
  • Financial market infrastructure
  • Digital infrastructure
  • Water supply
  • Energy
  • Digital service providers

Essential sectors:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Healthcare
  • Drinking water supply
  • Wastewater
  • Digital infrastructure
  • ICT (B2B) management
  • Public sector
  • Space

Critical sectors:

  • Post and courier services
  • Waste management
  • Chemical industry
  • Food industry (production)
  • Digital service providers
  • Research

What are the main changes from NIS1?  

Beyond the expansion of sectors and providers, NIS1 and NIS2 also differ in the security requirements they impose.

Mandatory reporting: At the core of NIS2 is the obligation for specific entities within critical sectors and essential service providers to report significant cybersecurity incidents to designated national authorities. This proactive reporting mechanism facilitates the rapid identification of significant breaches, enabling quick response strategies that limit potential damage. 

Expanded scope: While NIS1 focused on operators within sectors such as energy, transport, banking, financial markets, and healthcare, NIS2 broadens its scope. It now includes an even wider spectrum of industries, including digital infrastructure services, online marketplaces, and selected cloud computing services. 

Stricter security measures: NIS2 raises the bar for security measures, emphasizing risk management, robust security protocols, and comprehensive incident response plans. This enhanced framework enables organizations to effectively resist cyber threats and protect their digital ecosystems. 

What is the countdown to the implementation of NIS2?  

The journey to NIS2 began in December 2020 with the Commission's proposal, and in November 2022 the EU gave the green light. Between now and 2024, each member state must align its cybersecurity measures with the directive.

The countdown to the implementation of NIS2 has begun. The national laws are expected to take effect by the end of 2024, following parliamentary deliberation. From that point forward, organizations falling under the NIS2 directive must comply with its duty of care and reporting obligations.

What are the sanctions associated with NIS2 compliance?  

Curious about the consequences of non-compliance with NIS2? It is a path best avoided, as the penalties can be severe. They include the withdrawal of certifications, strict compliance deadlines, fines, and potential legal liability.

Member states must ensure that organizations under NIS2 take appropriate measures and report incidents, and may enforce this through external audits and inspections. In Belgium, the competent authorities are the CCB (Center for Cybersecurity) and the BIPT (Belgian Institute for Postal Services and Telecommunications).

Competent authorities have various means, ranging from warnings to fines, to enforce compliance. Fines for breaches of risk management measures vary depending on the entity: 

  • Essential entities: up to 10,000,000 euros or 2% of the global annual turnover, whichever is higher.
  • Important entities: up to 7,000,000 euros or 1.4% of the global annual turnover, whichever is higher.

Government agencies may be exempt from fines, but the other sanctions still apply. Member states also have the authority to impose penalties for non-compliance, and natural persons in top management can be held liable for non-compliance with the directive.

In addition to fines, possible sanctions include: 

  • Imposing deadlines for compliance or for vulnerability and incident remediation.
  • Public disclosure of non-compliance.
  • Mandatory cessation of services or activities.
  • Suspension of the CEO or legal representatives.

For detailed information on sanctions, refer to articles 31-37 of the directive. 

Prepare your organization for the NIS2 directive  

Whether your organization is already well prepared or only at the start of the journey, the requirements of the NIS2 directive are inevitable. Belgium must adopt new provisions, based on the new directive, to replace the existing NIS law by October 17, 2024. Especially in the areas of PKI and certificate management, companies must review their strategies, tools, and processes to protect critical infrastructure and maintain trust across the vast IT and IoT landscape.

Although the new obligations only take effect at the end of the implementation period, it is wise for companies to start raising their level of cybersecurity now. The CCB has published the Cyberfundamentals framework, a tool that can help companies bring their security to an appropriate level today.

Ready to strengthen your cybersecurity?

Contact us today to discuss how Cresco's services can help protect and secure your organization.