The NIS.2 Directive: NIS with teeth? Or biting off more than we can chew?
9 June 2021 – Cyber Security Coalition
Ready for NIS.2?
The 2016 NIS directive only concerns a limited number of crucial organizations, so your company needn’t bother? Ooooops, with NIS.2 you might be very, very wrong! So check out this presentation.
Though the initial NIS directive (on Security of Network and Information Systems) has not yet run its first full cycle (with the first external audits not until 2023), its limitations are already clear: too limited in scope; too many differences in national approaches and variations in resources; and not enough information sharing. So a NIS.2 proposal has been introduced.
Though still very much a work in progress, with no enforcement expected before 2024, organizations would do well to start evaluating its impact on their security posture today. There is no better place to start than the presentation “NIS2: NIS with teeth? Or biting off more than we can chew?” by Pieter Byttebier of the Centre for Cybersecurity Belgium (CCB). As International Relations Officer, he is deeply involved in the discussions around the NIS.2 proposal.
The proposal rests on three pillars: member state capabilities; risk management; and cooperation and information exchange. In his presentation, Pieter Byttebier touches upon five key questions, with ‘will NIS.2 apply to my organization’ foremost among them. And let’s be clear, an overview of ‘essential’ and ‘important’ entities as listed in the Annexes of the NIS.2 proposal illustrates the much broader scope of this directive. As an example, take ‘important entities, sector manufacturing, subsector manufacture of machinery and equipment n.e.c.’ as referred to in ‘section C division 28 of NACE Rev.2’: not many companies in this subsector will evade NIS.2… Micro companies with fewer than 50 personnel and less than 10 million euro annual turnover will be exempted, but national authorities could even include them selectively.
Another question concerns the ‘teeth’ of NIS.2. Indeed, entities face not only a range of sanctions such as warnings and administrative fines: management must sign off on cyber security measures, and in ‘essential’ entities management will be held liable, up to and including temporary bans on managers.
Again, this NIS.2 proposal is still very much a work in progress, so Pieter Byttebier is inviting input from organizations on all aspects of it. Start with his presentation, and do contact him. And find out whether NIS.2 ‘as is today’ applies to your organization, so you can start to prepare. That is not wasted effort: any measures you take make your company more secure and act as business enablers.