Deadline NIS2 approaches: is your company ready?
April 2024 - The number of cyber-attacks and incidents has been rising sharply in recent years. Moreover, hackers are becoming increasingly creative, threatening companies with ransomware, data breaches, phishing, CEO fraud or reports on the dark web.
To address this worrying phenomenon and make European member states more digitally and economically resilient, the European Union made work of the new NIS2 directive. This regulation is the successor to the NIS1 directive adopted in 2016. NIS stands for Network and Information Security Directive.
NIS1 versus NIS2
Under NIS1 ? which was converted into a Belgian NIS law on 7 April 2019? Companies in specific sectors (called "essential companies") had to take minimum security measures and report serious cyber incidents. NIS2 raises the bar a lot higher, with more companies that will have to take action to guard against unwanted digital visitors.
The European NIS2 directive has been in force for all member states within the European Union since 16 January 2023. All member states, including Belgium, must transpose it into law by 17 October 2024.
As a company, how do you properly prepare for any NIS2 implementation?
Raising awareness
First, raising awareness is essential. You will need to invest in comprehensive training for employees at all levels to make them aware of potential cyber threats and NIS2 requirements. This includes recognising phishing attacks, handling sensitive information securely and understanding the role each individual plays in ensuring cyber security.
Risk management
Risk management is another crucial pillar in preparation for NIS2. Your company should conduct a thorough risk analysis to identify vulnerabilities in the network and information systems. Based on this, you should implement appropriate security measures to reduce or eliminate these risks. This includes regularly updating software, implementing strong access controls and monitoring network activity.
Reporting to authorities
Reporting to authorities is mandatory under NIS2. Companies must develop procedures to detect, record and report incidents to the relevant authorities within established timeframes. This requires a clear understanding of the reporting requirements and an effective incident response plan.
Business continuity
Business continuity is vital to minimise the impact of cyber attacks. Your company should establish robust backup and recovery plans to mitigate operational disruptions and recover quickly from incidents. This includes regularly testing recovery procedures and updating plans to meet changing threats and business environments.
Suppliers
Finally, collaboration with suppliers is essential. Invest in security measures to evaluate your suppliers and establish contractual agreements to ensure they comply with NIS2 requirements. This includes defining responsibilities and regularly reviewing supplier compliance.
Avoiding sanctions
If, after verification, these rules are not correctly applied or complied with, the Centre for Cybersecurity Belgium (CCB) can impose sanctions.
· For essential entities, the CCB can impose administrative fines of up to a maximum of 10 million euros or at least 2% of the total annual global turnover, whichever amount is higher.
· For significant entities, the fine can be up to a maximum of €7 million or at least 1.4% of total annual global turnover, whichever amount is higher.
Taking into account the fast approaching NIS2 deadline and associated action points, it is a wise move to take action for successful implementation of the NIS2 action points.