The revision of the Network and Information Security Directive (NIS2) is the new European cybersecurity legislation. It will go into effect in the Netherlands by the end of 2024. The directive was adopted by the European Union. It aims to improve cybersecurity and the resilience of essential services in EU member states. Which sectors and organizations will NIS2 apply to? What are obligations for organizations? And how can organizations prepare?

The NIS2 directive will apply to industries and organizations that are vital to society. Think health care, transportation and energy providers, but also government services, food and water management companies, and digital providers. NIS2 introduces uniform rules for medium and large organizations.
What obligations must organizations abide by if they fall under the NIS2 directive?
Duty of Care: Organizations must conduct a risk assessment and take appropriate measures to secure their services based on that assessment.
Reporting requirement: Incidents must be reported to the regulator within 24 hours. A cyber incident must also be reported to the Computer Security Incident Response Team (CSIRT). This team can provide help and assistance.
Oversight: There will be an independent regulator looking at compliance with the directive's obligations.
What preparations can organizations make in advance? Start by complying with the Baseline Information Security Government (BIO). In addition, you can take measures to improve the security and resilience of processes and services. For example:
Identify and analyze risks, following the risk analysis roadmap;
Establish an incident response plan;
Work to raise staff awareness, for example through a phishing campaign;
It is also wise to set aside budget and capacity to comply.
