NIS2 is coming, what does this mean for your company?

NIS2: new legislation on the horizon

New legislation is on the horizon: the European Network & Information Security Directive (NIS2). It will officially come into force on October 17, 2024, but has been delayed in the Netherlands until early 2025. The directive concerns the improvement of digital resilience among European member states. It’s a significant law, especially for the digital sector.

What is NIS2

In Dutch, the NIS2 directive is known as the Network and Information Security Directive (NIB2). It is a law that sets higher cybersecurity standards for larger users of digital technology. Currently, we have NIS1, which in the Netherlands has been implemented as the Network and Information Systems Security Act (Wbni) and applies to large government bodies and ‘vital’ companies. With the new law, this target group will be greatly expanded: many more sectors, and also medium-sized companies, will fall directly under it. Additionally, you will be indirectly affected if your customer falls under this law. This also applies to small companies that supply to large organizations.

Impact for larger companies but also for small companies that service large organizations

Organizations may be subject to the NIS2 regulations in two ways: directly or indirectly. You fall directly under NIS2 if you are in a (sub)sector to which NIS2 sets requirements. For the digital sector, this includes ‘Digital Infrastructure’, ‘ICT Service Managers’ (Managed Service Providers and Managed Security Providers), and ‘Digital Providers’. These definitions are very broad, but in short you can say that it impacts most of the digital sector.

Additionally, you must have a minimum size of 50 employees, or a turnover and balance sheet total of at least 10 million euros, or you must be specifically designated by a ministry. Final clarity on this will come with the Dutch implementation of the law.

You can also fall under NIS2 indirectly. This happens if you are a direct supplier to an organization that falls under NIS2. Such organizations are required to pass the requirements of NIS2 on to their suppliers. During inspections, they must then be able to demonstrate that activities outsourced to suppliers comply with those requirements. In this case, you will not be under supervision yourself, but you will need to provide your customer with all the information needed to demonstrate that your services are sufficiently secure.

Supervision for important and essential organizations

Under NIS2, there are two categories of companies: important and essential. The distinction between these categories determines whether you are subject to active (ex ante) or passive (ex post) supervision. For the digital sector, this means the following. You are considered essential if you are active in the ‘Digital Infrastructure’ or ‘ICT Service Managers’ sector definitions and have at least 250 employees, or an annual turnover of at least €50 million and a balance sheet total of at least €43 million. If you do not fall under that, you are considered important if you are active in the ‘Digital Infrastructure’, ‘ICT Service Managers’, or ‘Digital Providers’ sector definitions and have at least 50 employees, or an annual turnover and balance sheet total of at least €10 million.

If you fall under either of these two definitions, you must comply with a duty of care and a reporting obligation, and you will be subject to active or passive supervision by the regulatory authority of the sector you fall within. Passive supervision (ex post) means that the regulating authority only performs inspections after security incidents or when it receives a report that your organization is not complying with the law. Active supervision (ex ante) means that the regulating authority can conduct inspections at any time.

Be prepared for NIS2

For many digital companies, NIS2 will not represent a significant shift. The duty of care requirements from NIS2 largely align with well-known standards such as ISO 27001, which many companies already meet. In practice, this means that as an organization you are required to conduct your own risk assessment. Based on this analysis, you must take appropriate measures to ensure the continuity of your services as far as possible and to protect the information you process. This analysis, the reasoning behind the measures, and the measures taken must also be well documented and demonstrable.

The law includes a minimum of 10 measures:

  • Incident handling
  • Policy on Risk Analysis and Security of Information Systems
  • Business Continuity plan
  • Supply Chain Security
  • Security in the acquisition, development, and maintenance of network and information systems
  • Policies and procedures to assess the effectiveness of measures for managing cybersecurity risks
  • Basic practices in the field of cyber hygiene and training in cybersecurity
  • Policies and procedures regarding the use of cryptography
  • Security aspects regarding personnel, access policy, and asset management
  • When appropriate, the use of multi-factor authentication or continuous authentication solutions, secure voice, video, and text communication.

How Universal Security as a Service can help you prepare for NIS2

Universal Cloud is a leading provider of security as a service (SECaaS) solutions that help you protect your data, devices, and applications from cyber threats. We use the CIS Critical Security Controls (CIS Controls) as a framework to guide our security services and ensure that you meet the highest standards of cyber security and compliance. In addition to the CIS Controls, we align our services with the NIS2 Directive, the EU’s latest network and information security standard. This ensures a higher level of security across network and information systems within the EU. Our commitment to the NIS2 standard means we are constantly updating our practices to adhere to the evolving security requirements and resilience strategies.

Book your free Security Quickscan today

The Security Quickscan is the first step to securing your business with our SECaaS solutions. It gives you a clear picture of your current security level and gaps. It also helps you customize your SECaaS plan according to your budget and needs. The result is a valuable document that you can use to implement the solutions yourself, or to outsource (partially or fully) the controls to the Universal Cloud security experts. The Quickscan is free and easy to book. Don’t wait any longer: find out where you stand and schedule your Quickscan today!

Universal Cloud’s Security as a Service equips organizations with robust cybersecurity measures
