On Oct. 17, 2024, the new European Network and Information Security Directive (NIS2 Directive) will come into force. The European NIS2 Directive will be implemented in national legislation, the Cybersecurity Act (Cbw). The Cbw is expected to enter into force in the third quarter of 2025. The consequences of the failure to transpose the NIS2 Directive into the Cbw on time was the subject of a parliamentary letter issued today.
Between October 17, 2024 and the date of entry into force of the Cbw, the duties, such as the duty of care, duty of notification and duty of registration, do not yet apply. However, organizations covered by law under the NIS2 Directive will have some rights during that period due to the direct effect of certain provisions of the Directive.
The NCSC will have the role of National and Sectoral CSIRT under the Cbw, and in that context, we are already performing a number of tasks and activities as of Oct. 17. We are doing this for our current target groups covered by the Wbni, including CSIRT-DSP organizations. New for us are the organizations that do not currently fall under the Wbni, but will soon fall under the Cbw. For the latter category, we take a risk-based approach. This means that we provide our services on request and depending on the risk and the impact on digital resilience. This concerns the following activities and services.
On-demand monitoring of network and information systems. The NCSC also provides advice to organizations on how to set up their own monitoring of systems;
Provide assistance in the event of an incident. The specific assistance varies per situation and depends, among other things, on the (potential) impact. The focus at all times is on limiting damage and providing advice for smooth recovery;
Receive and process reports of incidents or near incidents. The reporting requirement only applies from the effective date of the Cbw. Nevertheless, organizations are expressly invited to make reports so that other organizations can also better arm themselves against external digital attacks. Reporting will be possible from Oct. 17 via a web form at www.ncsc.nl, soon after via a central reporting functionality at my.ncsc.nl;
Provide early warnings and share information on cyber threats, vulnerabilities and incidents. NIS2 entities can register at my.ncsc.co.uk for automated data feeds with vulnerability information, target and victim notification, threat information and security advisories. The security advisories include information about specific incident and, where possible, an action perspective for organizations. The NIS2 registration requirement does not take effect until the enactment of the Cbw.
Although the national law is not yet in effect, the NCSC recommends always working on the digital resilience of the organization. After all, the threat remains as high as ever. Organizations that take action now will not only secure themselves against these existing risks, but will soon be better prepared for the arrival of the Cybersecurity Act. See here what steps you can already take.
