Since Jan. 16, 2023, the so-called Network and Information Systems Directive (NIS2 Directive) has been in effect. The NIS2 directive aims to improve the cybersecurity and resilience of organizations and builds on the earlier NIS1 directive. As of Oct. 17, 2024, this directive must be implemented in Dutch law and organizations must comply with this new legislation. Osborne Clarke advises beginning preparations in a timely manner.

The NIS2 directive addresses an increasingly digital world, in which cybersecurity has become a major concern. As technology evolves, so do digital threats. This makes it critical for organizations to protect against cyber attacks and comply with changing regulations.
NIS2 is seen as an important step forward in strengthening cybersecurity resilience in the European Union (EU). Compared to the current cybersecurity regulations, NIS2 includes new obligations that, due to its broader scope, apply to many more organizations. Organizations within the financial sector - as under NIS1 - remain covered by the directive's application.
In a recent opinion, law firm Osborne Clarke (1) discusses the obligations of NIS2, and what steps have already been taken in several EU member states to implement the directive into national law. Osborne Clarke also sets out in the opinion what measures can already be taken by organizations to comply with the directive.
NIS2 applies to both public and private entities operating within the EU, categorized as essential or significant. Financial service providers with more than 250 employees and an annual turnover of more than €50 million and/or a balance sheet total of more than €43 million fall within the scope of NIS2 in any case.
New obligations will apply to organizations that fall within the scope of NIS2. For example, NIS2 includes obligations for incident reporting, and it affects the liability structure within an organization's management. It also increases opportunities for national cybersecurity compliance oversight.
Osborne Clarke identifies a number of key steps that organizations can take now to comply with NIS2 and to stay as far ahead of cyber threats as possible:
Cybersecurity risks should be analyzed continuously and thoroughly; a thorough incident response plan should be created; contracts should be reviewed to ensure that all links in the supply chain meet the required security standards.
Systems and processes should be designed based on the "security-by-design" principle; employees should be trained on cybersecurity awareness; and NIS2 developments and requirements should be closely monitored and regularly reviewed.
Because NIS2 is a European directive, the rules do not have direct effect in Europe. Member states will therefore first have to transpose the NIS2 directive into national law.
In the Netherlands, a bill will be published in the summer of this year. Subsequently, citizens, organizations and government agencies will have six weeks to comment on this bill. Outgoing Minister of Justice and Security Dilan Yeşilgöz hopes to present the bill to the House of Representatives after this consultation period. This is expected to be sometime this fall.
It is therefore likely that the Netherlands will not meet the implementation deadline of Oct. 17, 2024. Delays in implementation will mean that the Dutch regulator will not intervene if organizations do not yet meet the obligations on Oct. 17, 2024, since compliance will not be legally enforceable at that time.
Organizations that foresee or suspect that they will fall under the scope of NIS2 would be wise to prepare well in advance, according to the law and notary firm. The Dutch government also advises all organizations to which NIS2 will apply to start implementing cyber security measures and NIS2 in advance.
Even though the implementation deadline is unlikely to be met, it is advisable to keep an eye on developments regarding NIS2 to avoid unnecessary compliance risks.
"By conducting risk assessments, developing incident response plans and fostering a culture of cybersecurity awareness, organizations are well on their way to meeting the new obligations," Osborne Clarke said.
(1) https://www.banken.nl/partners/osborne-clarke
