NIS2 - Blog banner - 2560x1100
IT Security
Anastasia Timmermans
IT Security
5 min

NIS2 – What is it? And what should you do with it?

5 min

Normally our blogs are a warm bath full of network technical ideas and solutions. This time we are jumping under a cold shower of regulations.
There is no way around it, because in October 2024 NIS2 will play a role in the cyber life of your organization.

NIS2 - Start preparing on time

(In collaboration with Aart de Wit)

NIS2 aims to increase the digital resilience of the EU member states and limit the damage caused by cyber attacks as much as possible. All EU member states have been given two years since 2022 to transpose the NIS2 directive into national law. We can therefore expect new legislation in the Netherlands from October 18, 2024. In the Netherlands, the NIS2 directive will be implemented in the form of the Cybersecurity Act. When the Cyber Security Act is adopted, it will replace the current Network and Information Systems Security Act (Wbni).

In this blog we explain as briefly as possible what NIS2 entails and what you need to do for it. Yes, the wall of text below has been kept as short as possible... And spoiler alert; it is dry matter. But if you care about the cyber life of your organization and want to keep it healthy, you will have to go dive in to it.

Unfortunately we can't make it more fun, but hopefully it will be a little more clear.

The NIS2 Directive of the EU: What is it?

 The NIS2 Directive, or the Second Directive on the Security of Network and Information Systems, is an important instrument of the European Union (EU) to strengthen digital security and prevent cyber incidents. It is a directive that focuses on the security and resilience of network and information systems in the EU through regulations.

NIS2 versus NIS – a very brief piece of history

NIS2 builds on the first NIS guideline, which was introduced in 2016. The main difference between NIS and NIS2 lies in the scope of the guideline. More sectors have been added and the new directive also sets stricter security standards and incident reporting requirements.

While NIS only applied to essential services, such as energy, transport and finance, NIS2 has a broader scope. It now also includes digital service providers such as cloud service providers, online marketplaces and search engines. This places the protection of network and information systems in a broader context.

To whom do the NIS2 guidelines apply?

Both government agencies and companies in various sectors must comply with the NIS2 guidelines.

Government agencies have a dual task: they must not only comply with the guidelines themselves, but also monitor the companies that provide essential services. They are responsible for checking whether organizations take the correct security measures and whether they report incidents correctly.

On the other hand, companies that fall under the NIS2 directive must adequately secure their systems and report incidents to the competent authorities. In this way, effective cooperation between government and business is promoted to, yes, we are talking about it again, increasing digital resilience.

Whether the NIS2 guideline also applies to your organization depends on the sector in which your organization is active and the size of your organization.

For a self-evaluation, you can complete an online quiz on the Regulation Help of the RVO (Netherlands Enterprise Agency).

NIS2 guideline – What are the prescribed obligations?

The NIS2 sets more extensive requirements for cybersecurity than its predecessor, which ultimately comes down to ensuring cybersecurity. The most important points of the new requirements are:

  • Duty of care: Organizations must carry out their own risk assessment and take appropriate measures to protect their services and information.
  • Reporting obligation: Organizations must report incidents that could significantly disrupt the provision of essential services to the supervisory authority within 24 hours. Cyber incidents must also be reported to the Computer Security Incident Response Team (CSIRT). Factors such as the number of people affected, duration of the disruption and possible financial losses determine whether an incident is reportable.
  • Supervision: Organizations that fall under the NIS2 directive are subject to supervision by an independent supervisor. Supervision focuses on compliance with obligations, such as the duty of care and reporting. The exact supervisory mechanism and regulator for the Government sector are yet to be determined, but efforts are being made to use existing accountability structures.

Well prepared for NIS2 – What can you do?

A list of obligations. But what should you pay attention to to increase cyber resilience? What can you do to prepare for NIS2?
Here too, an overview that is as concise as possible.

To be well prepared for NIS2 you must take both organizational and technical measures, such as:

  1.  A risk analysis and security of information systems;
  2.  Security aspects in the field of personnel, access policy and asset management;
  3. Business continuity measures, such as backup management and contingency plans;
  4. Incident handling;
  5. Basic cyber hygiene and cybersecurity training;
  6. Security in the processing, development and maintenance of network information systems, including the response to and disclosure of vulnerabilities;
  7. Supply chain security;
  8. Policies and procedures on the use of cryptography and encryption;
  9. The use of multi-factor authentication, secure voice, video and text communications and secure emergency communications systems;
  10. Policies and procedures to assess the effectiveness of cybersecurity risk controls.

Well prepared for NIS2 – Technical measures

What you can and must do across the entire IT chain is now too extensive to include in this blog. That is why we stick to our expertise – ICT Infrastructure – and give you a brief overview of technical measures below.

To secure your ICT infrastructure, you should consider the following network technical measures or solutions:

*Next generation firewall

 The Next Generation Firewall, a must in every IT network. A powerful network security appliance that adds extra security to the traditional firewall by:

  1. Hacking prevention,
  2. Application and user visibility,
  3. SSL Inspection,
  4. Detection of unknown threats.

Blocks network traffic, services, network ports, and protocols except those expressly permitted and defined as appropriate and necessary for the organization. Of course, purchasing the latest NGFW is not enough. After all, every firewall functions only as well as the set policies... And the most recent software version. So keep track of patching as if the cyber life of your organization depends on it. Because it does.

*Identity and access control solution (IAM)

Tooling for access management to the organization's data and resources through the application of identity and role- and/or attribute-based access control.

*ZTNA (Zero Trust Network Access)

Check before access to the ICT network is granted

  • User identity
  • Device health
  •  Appliance of the devices
  • Checking and validation is performed per session.

*Asset Management

Automatically a comprehensive, accurate inventory of all hardware and software in your IT/OT environment to proactively tackle vulnerabilities.

*Centralization monitoring and alerting

Monitor and correlate signals from across the network, identifying and investigating suspicious activity on the network infrastructure to optimize cyber defense.

ISO 27001 certified – isn't that enough?

ISO 27001 is the globally recognized standard in the field of information security. The standard describes how to process information security, with the aim of ensuring the confidentiality, availability and integrity of information within your own organization. The standard contains a system of control measures to take cybersecurity and privacy protection to a higher level.

The control measures of ISO 27001 correspond to the measures of NIS2, as far as we now know the elaboration of the NIS2 guideline. However, the duty of care, reporting obligation and supervision are not stated as such in the standard. The measures taken in the context of ISO 27001 must be tested and, if necessary, adjusted.

National Government NIS2 Self-evaluation NL:
The online quiz to test whether the NIS2 guideline applies to your organization.

Digital Government – NIS2 Directive:

Digital government – European legislation and regulations:

Information brochure Cyber Security Act: law-informatiebrochure

Finally: states:

“The NIS2 law does not exist because it is officially called the European NIS2 Directive. In the course of 2024, the NIS2 will be integrated into the Dutch Wbni. So that is Dutch law. Because everyone is talking about the NIS2, we use that terminology to avoid confusion. The new Wbni content has not yet been widely announced but is expected to be in line with the NIS2 guideline.”

Follow us on our LinkedIn page and find valuable information about cybersecurity and network technology on your timeline every week.