
Obligations and implementation of the NIS2 directive

Written by Danielle de Vaal

What is NIS2?

NIS2 (Network and Information Security 2, Directive (EU) 2022/2555) is the updated EU cybersecurity directive, replacing the original NIS directive of 2016. It is designed to raise the level of cybersecurity among providers of essential and important services, mitigate risks to their network and information systems, and ensure the continuity of those services as far as possible.

The NIS2 directive applies automatically to organisations in the sectors in the table below that meet the thresholds for number of employees or turnover/balance sheet total. Within those sectors a distinction is made between ‘essential entities’ and ‘important entities’.

Obligations

The main obligations of the NIS2 directive can be divided into four parts:

  • Duty of care – The NIS2 directive contains a duty of care that requires entities to carry out their own risk assessment and, on that basis, take appropriate measures to safeguard their services as far as possible and protect the information they process.
  • Registration requirement – Entities subject to the Cybersecurity Act are required to register in the NCSC’s Entity Register. Organisations to which NIS2 applies are not notified individually; each organisation must determine for itself whether the directive applies to it.
  • Duty to report – Incidents that could significantly disrupt the provision of essential services must be reported in stages: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. In the Netherlands a cyber incident is reported to the Computer Security Incident Response Team (CSIRT) of the NCTV.
  • Supervision – Organisations covered by the directive also come under supervision, which checks compliance with the directive’s obligations, such as the duty of care and the duty to report.

The NIS2 directive was published in December 2022. EU member states had until 17 October 2024 to transpose NIS2 into national legislation. Dutch implementation is expected around 1 July 2025, because more time is needed to embed NIS2 in national law (the Cybersecurity Act, the successor to the Network and Information Systems Security Act, Wbni). Several neighbouring countries have already completed implementation.

The NIS2 directive requires member states to provide for fines linked to global turnover. For essential entities the maximum fine must be at least €10 million or 2 per cent of total worldwide annual turnover (whichever is higher); for important entities it must be at least €7 million or 1.4 per cent of turnover. In addition, members of the management body can be held personally liable for failing to comply with their obligations under the directive.

Chain responsibility

Essential and important entities, including digital service providers, must take measures to secure their supply chain. This includes evaluating their suppliers’ security measures and taking appropriate action to ensure that the products and services delivered meet the entity’s security requirements.

Essential and important entities covered by the NIS2 directive become responsible for the security of their supply chain. They must assess the risks posed by their suppliers and service providers and take appropriate measures to secure the chain as a whole. Logically, this applies only to supply-chain parties that deliver digital services or products and/or have access to the entity’s network or information systems. ENISA (the European cybersecurity agency) distinguishes the following types of ICT supplier:

  • Manufacturers (hardware suppliers)
  • System integrators
  • ICT service management (MS(S)Ps)
  • Providers of digital services (SaaS, PaaS, IaaS)
  • External parties with access to networks or systems (including contractors)

Thus, the NIS2 directive and the Dutch implementing act do not apply directly to chain partners (unless they themselves qualify as an essential or important entity). They can, however, expect their customers to ask about the information security measures they have taken. So although chain partners are not directly covered by NIS2, it is wise to work proactively on information security, for instance by setting up an ISO 27001-certified ISMS. This not only helps meet compliance requirements set by customers, but also increases resilience against cyber threats.

As an organisation, how can you prepare in advance for NIS2?

For both entities directly covered by NIS2 and their supply-chain partners, setting up a certified Information Security Management System (ISMS) is a crucial step. ISO 27001 certification helps an organisation demonstrate that its information security is structurally in place and that risks are effectively controlled. This has become even more important with the introduction of NIS2, as essential and important entities are required to implement security measures and to manage risks within their supply chain.

Setting up a certified ISMS is also strongly recommended for chain partners. The certificate makes it easier to demonstrate that information security is appropriately organised and risks are mitigated, which NIS2 makes even more important for essential and important entities. Being able to present an ISO 27001 certificate removes a large share of customer-specific questionnaires and supplier audits. This does require that the products or services purchased by the essential or important entity (and the processes needed to deliver them) fall within the scope of the management system.

By starting now to set up, implement and continuously improve an ISO 27001-certified ISMS, you ensure that your organisation is ready for NIS2 and more resilient to cyber threats.

Wondering how we can help your organisation comply with NIS2? Feel free to contact us.

Danielle de Vaal

As operations manager, Daniëlle is the link between clients, processes and the team. With a pragmatic approach and a coaching mindset, she supports clients with complex issues and steers the team accordingly.