Ready for NIS.2?

The 2016 NIS directive only concerns a limited number of crucial organizations, so your company shouldn’t bother? Ooooops, with NIS.2 you might be very, very wrong! So check out this presentation.

Though the initial NIS directive (on Security of Network and Information Systems) has not yet run its first full cycle (with the first external audits not until 2023), its limitations are already clear: too limited in scope; too many differences in national approaches and variations in resources; and not enough information sharing. So a NIS.2 proposal has been introduced.

Though still very much a work in progress, with no enforcement expected before 2024, organizations would do well to start evaluating its impact on their security posture today. And no better place to start than the presentation “NIS2: NIS with teeth? Or biting off more than we can chew?” by Pieter Byttebier of the Center for Cybersecurity Belgium (CCB). As International Relations Officer, he is deeply involved in the discussions around the NIS.2 proposal.

The proposal rests on three pillars: member state capabilities; risk management; and cooperation and information exchange. In his presentation, Pieter Byttebier touches upon five key questions, with ‘will NIS.2 apply to my organization’ foremost among them. And let’s be clear, an overview of ‘essential’ and ‘important’ entities as listed in the Annexes of the NIS.2 proposal illustrates the much broader scope of this directive. As an example, take ‘important entities, sector manufacturing, subsector manufacture of machinery and equipment n.e.c.’ as referred to in ‘section C division 28 of NACE Rev.2’: not many companies in this subsector will evade NIS.2… Micro companies with fewer than 50 personnel and less than 10 million euro annual turnover will be exempted, but national authorities could even include them selectively.

One other question refers to the ‘teeth’ of NIS.2. Indeed, entities will run not only a gamut of e.g. warnings and administrative fines. Management must sign off on cyber security measures, and in ‘essential’ entities, management will be held liable, including temporary bans against managers.

Again, this NIS.2 proposal is still very much a work in progress. So Pieter Byttebier is inviting input from organizations on all aspects of this proposal. Start with his presentation, and do contact him. And find out whether NIS.2 ‘as is today’ applies to your organization, so you can start to prepare. That is not wasted effort, as any measures you take, make your company more secure and act as business enablers.

Useful links: 

NIS.2 proposal


NACE Rev.2


Other blog posts

How do data protection rights fare in Corona times?

In this GDPR anniversary webinar, three privacy experts focus on the challenges they face when assessing and implementing government measures adopted in the fight against COVID19. The Corona pandemic has risen awareness of the importance of privacy, not only in our private life but also in the employer-employee relationship, and the need for a broader democratic testing of privacy threatening technologies.

EU Cybersecurity Act: moving forward

One main objective of the European Cyber Security Act is to inform business and consumers about the security of ICT products, processes and services, through certification schemes. This webinar provides solid information about the present status of the Act's implementation.

Share this useful content with friends: