The NIS2 directive will soon come into force in the Netherlands. It is the successor to the NIS Directive and focuses on risks that threaten network and information systems, such as cyber security risks. Organisations covered by the NIS2 directive will then have to comply with its duty of care and notification obligations. In this blog, lawyer Anne-Mieke Dumoulin-Siemens discusses what the directive entails, what it means for your organisation and what preparations your organisation can already make.
Cyber security deserves attention
Companies are facing increasing digitalisation and a growing number of cyber incidents. At EU level, cyber security challenges are being addressed with a range of new regulations. For instance, the NIS2 Directive has been in force for some time. The Network and Information Security Directive 2 (NIS2) aims to improve the cyber security and digital resilience of organisations in EU member states. The NIS2 Directive contains minimum requirements and must be implemented in Dutch legislation by 17 October 2024 at the latest. From that date, sectors designated in the directive must comply with the obligations in the NIS2 directive as they will then be laid down in Dutch legislation.
NIS2 directive has wide scope of application
The NIS2 directive applies to a wide range of sectors, such as healthcare, transport and energy providers. Supermarkets, water management companies and digital providers should also prepare for the obligations in the NIS2 directive. The NIS2 directive distinguishes between sectors of high criticality and other critical sectors. There are 11 sectors of high criticality: energy, transport, banking, financial market infrastructure, healthcare, drinking water, waste water, digital infrastructure, ICT service management, public administration and space. In addition, the NIS2 directive lists seven other critical sectors: postal and courier services, waste management, chemical industry, food industry, manufacturing industry, digital providers and research. Organisations that fall under any of these sectors must implement risk management measures and comply with cyber security reporting requirements.
How do you know if your organisation is covered by the NIS2 directive?
The organisation must belong to one of the sectors of high criticality or other critical sectors. In addition, the size of the organisation is important, as is whether the organisation plays a key role in society. If it turns out that the NIS2 directive applies, you need to consider whether your organisation is an ‘essential’ or an ‘important’ organisation. The Dutch government has prepared an online self-assessment, NIS 2 Self-assessment NL (regelhulpenvoorbedrijven.nl). You may wish to use this self-assessment to determine whether the NIS2 directive applies to your organisation.
What measures are we talking about?
In short, organisations should take appropriate technical, operational and organisational measures to improve their cyber security and digital resilience. Organisations should identify cyber risks and adjust the security level of their network and information systems accordingly. For instance, large companies exposed to high risks should take more measures than a small business where the likelihood of an incident with high social and economic impact is small. Cyber security measures should include incident handling, back-up management, supply chain security, cyber hygiene, staff training, access policies and policies to measure the effectiveness of these measures.
What other obligations does the NIS2 Directive impose?
Governance
The NIS2 directive places the responsibility for cyber security measures with the directors. The governing bodies of essential and important organisations must approve the security measures taken and oversee their implementation. Directors can be held personally liable for breaches of security obligations. Directors must undergo training to acquire sufficient knowledge to identify cyber risks and assess their consequences.
Reporting and notification obligations
Essential and important organisations must report without delay any incident that has a significant impact on the provision of their services. This includes incidents that cause or may cause serious operational disruption of services or financial losses for the organisation concerned. It also includes incidents that cause or may cause significant material or financial damage to other (legal) persons. An initial notification must be made to the competent authorities within 24 hours, followed by an update no later than 48 hours after the initial notification. Note that reporting is also required if an incident merely may have significant consequences.
What preparations can organisations make in advance?
The Dutch government is in the process of transposing the NIS2 directive into Dutch law. A bill has not yet been published. At the moment, only the minimum requirements that will have to be met are clear, as these follow from the NIS2 directive itself.
Pending embedding in national legislation, the following steps could be taken:
- Use the self-assessment NIS 2 Self-assessment NL (regelhulpenvoorbedrijven.nl) to determine whether your organisation falls under the scope of the NIS2 directive.
- Map the extent to which the board already meets its governance obligations.
- Assess the quality of existing technical, operational and organisational security measures, including monitoring mechanisms.
- Determine whether the organisation can comply with the reporting and notification obligations, including the 24-hour and 48-hour deadlines.
Questions or advice on the NIS2 Directive and implementation?
If you need further clarification on the governance obligations or if you have questions on the reporting obligations and notification requirements, please contact Anne-Mieke Dumoulin-Siemens.