Recent years have shown that our society is vulnerable to cyber incidents. Because of this, the EU is focusing on strengthening the cyber resilience of organizations with the NIS2 Directive, which will be known in the Netherlands as the Cyber Security Act and in Germany as the NIS 2 implementation law (NIS2UmsuCG).
This directive, an extension of the original NIS directive (the Network and Information Systems Security Act), strengthens the security of essential services and digital providers within the EU by expanding security obligations and notification requirements, and imposing stricter sanctions for non-compliance. The goal? To ensure a higher level of network and information security and protect critical infrastructures from cyber threats.
Currently, the NIS2 directive has not yet been transposed into national regulations in the Netherlands. The consultation was completed in early July 2024, and the government is now processing the responses. The legislation is not expected to be fully effective in the Netherlands until 2025. However, experience with previous legislation shows that this does not mean a delay for organizations that will eventually have to comply with it.
BIO measures and NIS2 directive: similarities and differences
As for the BIO (Baseline Information security for the Government), there is already more clarity. The current BIO measures and the NIS2 directive both focus on strengthening cyber resilience. An initial gap analysis between the BIO and NIS2 has been conducted, and preparations for the BIO 2.0 are already underway. In addition, there are good practices available from the Dutch National Cyber Security Center (NCSC) and the Digital Trust Center (DTC) that can be useful for any organization looking to improve its cyber security.
Start implementing the NIS2 directive
Do you want to start implementing the NIS2 duty of care and duty of notification? If so, it is important to conduct a risk analysis based on good practices such as those from the Digital Trust Center. To make your implementation successful, there are three prerequisites to keep in mind:
- Creating ownership
- Analyzing impact
- Demonstrability “by design”
1. Creating ownership
It is crucial that responsibilities be clearly assigned within the organization. This can lead to discussions and concerns. Consider:
- How do you ensure that responsibilities are assigned and followed at the right level? Cyber resilience and security are organization-wide issues. The NIS2 emphasizes managerial responsibility, which can lead to new liabilities. Make sure the portfolio manager and top management are involved and kept abreast of risks and progress. Top tip: Start with board-level training. This contributes to ownership AND it is a NIS2 requirement.
- How do you deal with ownership of organization-wide topics, such as 3rd party risk management? Managing organization-wide topics requires direction. Create a central structure that supports decentralized owners without taking over their responsibilities: subject matter experts offer a helping hand, but the owner remains accountable. Provide standardization and automation to facilitate this process.
Top tip: Ensure standardization in implementation and guide owners with clear processes.
2. Analyzing impact
It is important to understand the impact of measures and incidents on the organization:
- For duty of care: Is there a consistent record of the outcomes of measures and controls? Demonstration starts at the same time as implementation when it comes to measures and controls. Deciding how controls and measures will be demonstrated as part of the implementation process makes it easier to demonstrate them in practice. Top tip: Make sure demonstrability is incorporated and standardized as a part of the implementation process.
- For the duty to report: Are there clear records of incident response? Using crisis management methods for decision making during major incidents ensures that the decisions and actions taken are clearly recorded if the duty to report turns out to be applicable. Top tip: Use the same incident response method as for crisis management to ensure clear decision-making and recording of activities.
3. Demonstrability “by design”
The NIS2 directive increases the requirements for demonstrability:
- For duty of care: Is there a consistent record of the outcomes of measures? Demonstration starts at the same time as implementing the measure. When you figure out at the beginning how you are going to demonstrate it, it is easier to do so in practice. Top tip: Make sure demonstrability is incorporated and standardized during implementation.
- For the reporting requirement: Are there records of incident handling? Linking the incident response method to the crisis management method ensures that the choices and actions taken remain clear if it is eventually found that the duty to report is applicable. Top tip: Use the same incident response method as for crisis management to ensure decision-making and recording.
Conclusion
The NIS2 directive is of great importance to the EU, especially given the current cyber threats. The key to successful implementation lies in collaboration, both within organizations and with 3rd parties. Start implementation now and keep the prerequisites for success in mind.