|
|||
|
|
|
| Home |
| About |
| Hobbies |
| Software |
| Hardware |
| ICT Hotlist |
| Purpose |
React:
ICT-Hotlist Topic
Back to the ICT-Hotlist...Is the NIS2 Directive mandatory for my organisation?
Cyber attacks are not only among the fastest growing forms of crime worldwide, but are also growing in scale, cost and sophistication. The image of the lonely hacker who sits in the dark, dressed in his hoodie in his attic room behind his computer tapping on a keyboard has been replaced by professional, well-organized criminal organizations or persons or groups that act on behalf of a government or government agency (state actors). Ransomware will cost all victims worldwide around $265 billion (USD) per year by 2031, predicts Cybersecurity Ventures, with a new attack on a consumer or company every two seconds. As a result, organizations need to invest more to make cyberspace safer for themselves and their customers. Not only companies, but also citizens and entire countries are affected by cybercrime. The first known cyber attack on a country was in Estonia in April 2007, affecting the online services of banks, media outlets and government agencies for weeks. Since then, many other countries have suffered cyber attacks, including on critical infrastructure such as electricity infrastructure, hospitals or water treatment. Given the growing number and costs of cyber attacks, expenditure on information security is also increasing worldwide. Critical sectors, such as transportation, energy, healthcare and finance, have become increasingly dependent on digital technologies to carry out their core activities. While growing digital connectivity brings enormous opportunities and cost savings, it also exposes economies and societies to cyber threats. The number, complexity and scale of cybersecurity incidents are growing, as is their economic and social impact.
The Dutch government is working hard to implement the NIS2 (Network and Information Systems Security Directive) directive. The aim of this European directive is to improve the cyber security of governments, providers of ‘important’ and ‘essential’ processes and their suppliers. The NIS2 directive is an extension of the NIS directive. The NIS2 directive adds more, new sectors and rights and obligations. New sectors include food supply, healthcare, financial market infrastructure, drinking water, digital infrastructure, wastewater, government services, banking and space services.
The NIS2 directive has regulations for maintaining basic computer hygiene, employee training, the use of cryptography, asset management, access control, plus policies and (reporting) procedures in the event of incidents and crises.
Timeline
The political agreement was formally adopted by the European Parliament and subsequently by the European Council in November 2022. The regulation entered into force on January 16, 2023 and Member States have 21 months, until October 17, 2024, to transpose the measures into national law. https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/689333/EPRS_BRI(2021)689333_EN.pdf
The Dutch government has indicated that it will not meet this end date and assumes mid-2025. However, after the publication in the Staatsblad, essential organizations will have to comply within a few months. View the updated schedule here:https://www.ncsc.nl/over-ncsc/wettelijke-taak/wat-gaat-de-nis2-richtlijn-betekenen-voor-uw-organisatie/planning-van-de-nis2-richtlijn (Dutch)
However, the introduction of the NIS2 directive can have a major impact on organizations. If you are required to comply, please allow sufficient time to set up, document, instruct and regularly evaluate security procedures, technology and business continuity. In any case, start the self-evaluation now.
Self-evaluation
The Dutch government offers a free self-evaluation.
With this self-evaluation you determine for the organization:
- Does the NIS2 directive apply to the organization?
- Is the organization Essential or Important?
- Is the organization under Dutch supervision?
For whom is this self-evaluation intended?
- The organization supplies products and/or services in the European Union
- The organization provides products and/or services in Sectors mentioned in Annex I and Annex II of the NIS2 (e.g. Energy Sector, Transport, Digital Services, Healthcare, Manufacturing, etc.)
- The organization has a certain minimum size (50 employees or more or an annual turnover and balance sheet total of €10 million or more)
- The organization may be designated under other legislation or have a specific exception.
It is important to know that organizations that covered by the NIS2 directive must also assess their supply chain. Your organization may therefore also indirectly covered by the NIS2 directive if, for example, you supply products or services to a government service or healthcare institution in Europe.
You can do the self-evaluation by means of a questionnaire at: https://regelhulpenvoorbedrijven.nl/NIS-2-NL/(Dutch)
Organisations based outside the EU
When your organisation supplies services or products that are regarded essential or important and your organisation does not have an (sales)office in the EU, you might be required to have a representation in one of the EU member countries of choice. Read more here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022L2555#d1e3649-80-1NIS2 Quickscan
If the NIS2 directive applies to your organization, then:
- the organization must register, the manner in which will be determined on the basis of national legislation.
- the organization must comply with the obligations of national (Dutch) law.
Which obligations does the NIS2 directive impose?
Both essential organizations and important organizations must meet the same obligations regarding Duty of Care and Duty to Report. However, the method of supervision differs
Duty of care – The directive contains a duty of care that obliges organizations to carry out a risk assessment themselves. On this basis, they take appropriate measures to guarantee their services as much as possible and to protect the information used.
Duty to report – The directive requires organizations to report incidents to the supervisory authority within 24 hours. These are incidents that (could) significantly disrupt the provision of the essential service. A cyber incident must also be reported to the Computer Security Incident Response Team (CSIRT). This team can then provide help and assistance. Factors that make an incident reportable include the number of people affected by the disruption, the duration of a disruption and the possible financial losses.
Supervision – Organizations that are covered by the NIS2 directive will also come under supervision. The NIS2 directive prescribes that an independent supervisor (apart from any inter-administrative supervision) monitors compliance with the obligations under the directive. Such as the duty of care and reporting.
Education
The management of the organization is required to follow a training or course that enables them to properly assess cybersecurity risks for the organization. In addition, the staff must be instructed.
Take the free NIS2 Quick Scan here https://regelhulpenvoorbedrijven.nl/NIS2-Quickscan/(Dutch)
Sanctions
Organizations that do not comply with the NIS2 Directive can expect administrative fines of a maximum amount of EUR 10,000,000 or at least 2% of the total worldwide annual turnover in the previous financial year of the company to which the essential entity belongs, depending on which amount is higher. More about the sanctions can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022L2555#d1e4370-80-1
The authority is given the power to temporarily prohibit a natural person with managerial responsibilities at the level of the general manager or legal representative in the essential organization from exercising managerial functions in that organization. (Article 32.5.b NIS2)
General Data Protection Regulation (GDPR)
If Personal Data has been “leaked” (Integrity Breach/Data Breach) and the organization is fined for this by the Data Protection Authority, then the authority competent for the NIS2 directive will not impose a fine for this (Article 35) but can impose enforcement measures.
Infographic
The EU provides an infographic that shows the differences between NIS and NIS2. Download it here
Disclaimer
Dutch legislation is still a work in progress and no rights can be derived from this text. The complete English-language European NIS2 directive can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022L2555#d1e40-80-1
Scripts and programming examples disclaimer
Unless stated otherwise, the script sources and programming examples provided are copyrighted freeware. You may modify them, as long as a reference to the original code and hyperlink to the source page is included in the modified code and documentation. However, it is not allowed to publish (copies of) scripts and programming examples on your own site, blog, vlog, or distribute them on paper or any other medium, without prior written consent.Many of the techniques used in these scripts, including but not limited to modifying the registry or system files and settings, impose a risk of rendering the Operating System inoperable and loss of data. Make sure you have verified full backups and the associated restore software available before running any script or programming example. Use these scripts and programming examples entirely at your own risk. All liability claims against the author in relation to material or non-material losses caused by the use, misuse or non-use of the information provided, or the use of incorrect or incomplete information, are excluded. All content is subject to change and provided without obligation.
