NIS2: Improve your Cybersecurity by 18 Oct 2024

In 2016, the NIS Directive (Directive 2016/1148) was adopted by the EU. “NIS” stands for “Network and Information Systems” as the primary objective of the directive was to establish a framework for cybersecurity and digital resilience in the EU. However, the implementation of the directive varied greatly between member states. The European Commission decided to revise the Directive and to clearly define which organisations are covered and what their specific requirements are. It also introduced stronger penalties in case of non-compliance. This led to the adoption of the Network and Information Security Directive (Directive 2022/2555 or “NIS2”).

In short, NIS2 compels companies and organisations to put in place specific measures to raise the overall cybersecurity level in the EU.

Belgium has transposed the NIS2 Directive into national law through the “NIS2 Law” of April 24th, 2024, which will take effect on 18 October 2024.

Economic sectors concerned

NIS2 expands the scope of organisations that must comply with its strict cybersecurity standards, from water supply, energy, digital infrastructure, banking, financial market infrastructure, health, and transport, to public administration (public entities involved in national security, public security, or law enforcement are however exempted), digital providers, space, research, postal services, waste management, food, chemical products and manufacturing, with an additional focus on medium-sized and large organisations.

These sectors are divided into two categories:

  • Essential entities: These are businesses in sectors critical to the economy and society, such as energy, transport, water supply, healthcare, and financial markets (see Annex I of the NIS2 Directive).
  • Important entities: These are businesses that might not be critical but still provide significant services, such as digital infrastructure providers, cloud computing providers and domain name service (DNS) providers (see Annex II of the NIS2 Directive).

Depending on their category and size, companies will have more or less stringent obligations. In addition, companies that are not in the scope of NIS2 but that form part of the supply chain of companies falling under the scope of NIS2 will also have to comply with some of the obligations (and it is the latter that will have to ensure that their suppliers or subcontractors comply with these obligations).

Measures to implement

A series of specific obligations apply to both essential and important entities, ensuring that they adopt adequate cybersecurity measures.

The first thing to do is to find out whether you fall within the scope of NIS2. If you do, you must register with the Centre for Cybersecurity Belgium within 5 months of the law coming into force or face a fine.

Secondly, you will need to comply with the obligations imposed by NIS2. For this, you will have to implement internal measures and procedures, for example:

  • establish comprehensive risk management policies to mitigate cybersecurity risks (Risk Analysis and Security Policies, Incident Handling, Supply Chain Security, etc.)
  • establish an Incident Reporting policy, in particular to be able, in the event of an incident, to notify the National Cybersecurity Authority without undue delay and in any event within 72 hours of becoming aware of the significant incident. This authority is the primary body responsible for monitoring compliance, conducting audits, and enforcing the law. It also has the power to issue binding instructions, initiate audits, and impose sanctions where necessary
  • ensure the integrity and confidentiality of sensitive data, in particular through cryptography
  • evaluate the effectiveness of your cybersecurity measures through internal and external audits
  • establish, maintain and regularly update incident response plans; etc.

Applicable Sanctions

The NIS2 Law introduces a tiered system of administrative fines and penalties for non-compliance. Administrative fines can range from €500 to €10,000,000 or up to 2% of the entity’s global turnover, whichever is higher, for essential entities or, for important entities, from €500 to €7,000,000 or up to 1.4% of the entity’s global turnover, whichever is higher.

Additionally, authorities may suspend certifications or prohibit managers from exercising their functions for as long as the concerned entity fails to address security deficiencies.

eMotio.law can assist you

NIS2 represents a significant regulatory shift, particularly for entities operating in critical sectors. The broader scope and stricter requirements of NIS2 mean that many entities will need to reassess their compliance status, especially regarding supply chain security, incident handling, and reporting mechanisms.

eMotio.law can assist you in navigating the complexities of these new obligations and mitigating the potential risks of non-compliance. Our team of experts can help you assess your organisation’s legal situation, implement legal processes, conduct compliance audits, and ensure that your organisation’s incident reporting systems meet the legal requirements.
Contact us for more information.

Authors:

This article was written by Thierry Ghilain, Laurence Troussart and Florent Loriaux.
