Duty of care - The Directive contains a duty of care that requires entities to conduct their own risk assessment. On this basis, they take appropriate measures to safeguard their services as far as possible and protect the information used.
Duty to report - The Directive requires entities to report incidents to the regulator within 24 hours. These are incidents that (may) significantly disrupt the provision of the essential service. A cyber incident must also be reported to the Computer Security Incident Response Team (CSIRT), which can then provide help and assistance. Factors that make an incident reportable include the number of people affected by the disruption, the duration of the disruption and the potential financial losses.
Supervision - Organizations covered by the Directive will also come under supervision. The NIS2 Directive requires an independent regulator (outside of any inter-governmental supervision) to monitor compliance with the Directive's obligations, such as the duty of care and the duty to report. We are currently considering under which supervisor the Government sector will fall (this is not yet known) and what the supervision will entail. The intention is to use existing accountability structures. Harmonization of these accountability structures is also being sought. Findings from studies on supervision commissioned by the Ministry of the Interior and Kingdom Relations in 2019 and 2022 have been taken into account.
Source: https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/nis2-richtlijn/, accessed May 6, 2024.