
Information security safeguards in preparation for NIS2 and the Cyber Security Act?
The Network and Information Security Directive (NIS2 Directive) was adopted by the European Union at the end of 2022. The Directive aims to strengthen the digital and economic resilience of European member states and is currently being transposed for the Netherlands into the Cyber Security Act. With the introduction of this European cybersecurity directive, the European Union wants to force companies to put their information security in order.
In the Netherlands, implementation of the NIS2 Directive takes place in the Cyber Security Act (in Dutch: Cyberbeveiligingswet). When the Cyber Security Act enters into force, it will replace the current Network and Information Systems Security Act. The NIS2 Directive should have been transposed into national law by 17 October 2024, but the Netherlands was late in implementing it. The entry into force of the Cyber Security Act is currently expected in Q3 2025.
In the intervening time, a special situation applies where organisations covered by the Directive already have rights but not yet legal obligations. This blog aims to make organisations aware of the scope of NIS2 and enable them to adequately prepare for the arrival of the Cyber Security Act.
The NIS2/Cyber Security Act does not apply to my organisation…or does it?
The NIS2 and Cyber Security Act focus on critical organisations and sectors where failure of their services could cause social and economic disruption. These ‘Essential Sectors’ include: banking and financial markets, energy, transport and government sectors, healthcare, digital infrastructure and ICT service operators. ‘Critical Sectors’ include: waste management, the food sector, postal and courier services and digital providers (such as online marketplaces). To assess whether an organisation falls under the NIS2 scope, the government has prepared a self-assessment tool (in Dutch), which you can find here.
Organisations may be inclined to think that they do not fall within the scope of the NIS2/Cyber Security Act, for example because they are ‘small’ (<10 employees). However, it is important to consider that everyone in the supply chain will also have to comply with the requirements. In short, the NIS2 and Cyber Security Act focus on the entire supply chain. Even organisations that do not themselves qualify as ‘essential’ or ‘important’, but do supply products or services to those parties, will thus have to deal with the requirements pursuant to the NIS2/Cyber Security Act. As a result, if you are a startup or SME providing an AI tool to a financial (i.e. essential) service provider or an inventory management system to a supermarket chain (i.e. important), you will be affected by this legislation.
The NIS2/Cyber Security Act applies to my organisation, now what?
Complying with NIS2 and the Cyber Security Act requires knowledge of the requirements of the law, as well as an understanding of the management, data, information security and compliance risks involved.
Compliance with NIS2 and Cyber Security Act does not only have a technical perspective, but also a legal perspective. Thus, the person or group of persons who becomes responsible for implementation preferably has both technical and legal background knowledge. In addition, management experience is desirable. After all, with the advent of NIS2, ‘chain responsibility’ and ‘individual liability for directors’ will also be baked into the new law. This therefore also requires managerial competence, because the person(s) responsible must also be able to manage teams, play internal politics, spar with supervisors and take decisions at board level, or hold directors to account.
Every organisation should ask itself the following four questions:
- Will my business be affected by the NIS2/Cyber Security Act?
- Is our information security and risk management at the right level for compliance with NIS2/Cyber Security Act?
- Is my company able to report cybersecurity incidents correctly and in a timely manner?
- What is the status of my company’s supply chain risk management when it comes to information security?
Organisations that are covered by the Cyber Security Act will have to consider (among other things) a duty of care, a registration obligation and a notification obligation.
Duty of care
The legislative proposal for the Cyber Security Act contains a duty of care that requires organisations to conduct their own risk analysis, based on which they take appropriate and proportionate measures to secure their network and information systems. The organisation’s board must approve the measures and oversee their implementation.
In Article 21, the Cyber Security Act prescribes ten duty-of-care measures that organisations must comply with as a minimum.
- Measure 1: Make a risk analysis based on a policy plan
- Measure 2: Strengthen security in the areas of personnel, access and asset management
- Measure 3: Create a Business Continuity Plan (BCP)
- Measure 4: Provide an Incident Response Plan (IRP) in case of incidents
- Measure 5: Ensure cyber hygiene is in order (internal policy and training)
- Measure 6: Create policies on the security of network and information systems
- Measure 7: Make the supply chain secure
- Measure 8: Create policies on data encryption
- Measure 9: Use MFA or other secure authentication solutions
- Measure 10: Provide policies and procedures to assess the effectiveness of measures
Penrose is able to advise and support your organisation in preparing and drafting the necessary policies and other related documentation.
Registration obligation
Important and essential services and organisations within Europe are required by law to provide data for the entity register. This includes organisational and network data. By doing so, the European Union increases the visibility of digital resilience. In the Netherlands, this registration will take place at the National Cyber Security Centre (NCSC).
The registration obligation will apply as of the effective date of the Cyber Security Act. However, as of 17 October 2024, it has been possible to voluntarily register your organisation.
Notification obligation
Under NIS2 and soon the Cyber Security Act, important and essential organisations have a duty to report ‘significant incidents’. These are incidents that cause, or may cause, serious operational disruption to services or financial losses to the organisation. They also include incidents that result, or may result, in significant material or immaterial damage to other organisations. The exact thresholds for significant incidents are still being worked out. In addition, entities are invited to voluntarily report non-significant incidents or near misses.
The report must be made to the Computer Security Incident Response Team (CSIRT) and the regulating authority. This can be done through a central reporting point with the NCSC.
A phased reporting obligation applies. The first report is an early warning that must be made as soon as possible, and at the latest within 24 hours, after the incident occurred. Moreover, should your organisation also fall under the scope of the Digital Operational Resilience Act (DORA), an exception applies and incidents must be reported within 4 hours. The second report should be made within 72 hours after the incident, with an assessment of the (expected) severity and consequences of the incident. The sectoral CSIRT or relevant regulator may request further information. A final report should follow no later than one (1) month after the incident. This will include a detailed description of the incident, its cause, its consequences and the risk reduction measures taken. Should the incident still be ongoing after one month, a progress report will suffice and the final report will follow later.
Beware of fines!
If your organisation fails to prepare adequately and it turns out that you fall under the scope of the NIS2/Cyber Security Act as a qualified ‘essential’ or ‘important’ organisation, you will face administrative fines. The applicable fines are not trivial: up to €10 million or up to 2 percent of total annual global turnover (whichever is higher) for ‘essential’ companies, and up to €7 million or 1.4 percent (whichever is higher) for ‘important’ companies.
So…don’t wait and take action!
Step 1: Assess whether your organisation is covered by the NIS2/Cyber Security Act.
Step 2: Make a risk analysis based on a policy plan including assessment against the 10 duty-of-care measures.
Step 3: Remediate areas of concern, implement the required measures and ensure processes are in place to meet the mandatory reporting obligations.
More information?
If you have any questions about the applicability of or obligations under the NIS2/Cyber Security Act, or are looking for legal support in implementing the requirements, please contact Chantal Bakermans at E: c.bakermans@penrose.law or T: +31(0)619304389.