NIS2

Identify your next steps in the journey to a SASE-based architecture

What is NIS2?

NIS2 is a European directive focused on the security of Network and Information Systems (NIS). It contains a set of regulations to ensure the security and resilience of these systems throughout the European Union (EU), and it seeks to improve cybersecurity in the EU in several ways. These guidelines are an extension of the existing NIS guidelines (in place since 2016), and they have also been extended to other sectors.

With EU countries adopting the NIS2 directive by the end of 2022, member states still have two years to transpose it into national legislation.

NIS2 compliance

The NIS2 directives apply to critical (“important”) as well as very critical (“essential”) entities and services. Companies with between 50 and 250 employees are considered “important” entities, while entities with more than 250 employees fall under “essential.” Smaller entities fall outside this scope, but may still be designated as critical or very critical by our government. Especially in the supply chain, larger entities may have higher security requirements for their “smaller” suppliers. That is why it is important to inform yourself well through the National Cyber Security Centrum (https://www.ncsc.nl/).

An important element within these directives is top management accountability. Top management is therefore required to undergo additional training to master the content of these NIS2 directives. In the event of an incident, management can be held liable. Awareness among the company's own personnel must also be refreshed on a regular basis.

CyberFundamentals Framework

The CCB also refers to the CyberFundamentals Framework, which is based on the well-known ISO27001 framework. This framework consists of 5 core functions:

  1. Identify: Know key cyber threats to your most valuable assets. Essentially, you can’t protect what you don’t know exists. This function helps to develop an organizational understanding of how to manage cyber security risks related to systems, people, assets, data and capabilities.
  2. Protect: The Protect function focuses on developing and implementing the safeguards needed to mitigate or contain a cyber risk.
  3. Detect: The purpose of the Detect function is to ensure that cyber security events are detected in a timely manner.
  4. Respond: The Respond function revolves around the controls that help respond to cyber security incidents. It supports the ability to contain the impact of a potential cyber security incident.
  5. Recover: The Recover function focuses on the safeguards that help maintain resilience and restore services affected by a cyber security incident.

This CyberFundamentals Framework is already being used as a framework for both the important and essential entities. In short, any company that qualifies for the NIS2 directives will need to apply these 5 core functions of the framework.

For example, we at Kappa Data are already seeing many questions coming in about the various solutions for both Detect and Response requirements.

The NIS2 legislation will be a challenge for many companies. Beyond applying additional security technologies, company management will have to perform risk assessments on every part of its business. Thus, numerous procedures and regulations will have to be established, which will require a lot of time and administration from the company.

NIS2 implementation timeline

The timeline for the implementation of the NIS2 directive in the Netherlands is as follows:

Past

On November 28, 2022, the NIS2 Directive was adopted by the European Council, and it was published in the Official Journal of the European Union on December 27, 2022. In January 2023, the implementation period of 21 months began, during which the directive had to be incorporated into national legislation.

Present

In May 2024, a 6-week Internet consultation period begins during which citizens, businesses and government agencies can provide feedback on the draft legal texts of the new legislation. After the Internet consultation, the responses will be processed and the Ministry of Justice and Security will publish a report. The draft legal texts will then be further developed into an Order in Council (AmvB), followed by another 6-week consultation period.

Future

In 2025, the Ministry of Health, Welfare and Sport (VWS) will draft sector-specific regulations for healthcare in the form of a ministerial regulation. Ministries will designate organizations for each sector to be covered by the CER Directive. Healthcare organizations designated as critical entities will be notified and must comply with the law within 10 months. The laws are expected to take effect in 2025, and from then on organizations must comply with all obligations under the law, such as duty of care, duty of registration and duty of notification.

It is important for organizations to take measures now to mitigate risks and prepare for the new legislation.

More information about NIS2 solutions

Missed one of our webinars, but would still like more info on how Kappa Data can help your business? No worries, send your question to the email address below: [email protected]

Conclusion

Enacting legislation around cybersecurity will make businesses more resilient to massive cyber-attacks by hackers. However, this legislation will cause quite a few headaches for many business owners. There are quite a few challenges in raising awareness within companies and in establishing procedures and an ISMS. Therefore, we at Kappa Data offer our knowledge and solutions to IT Partners to solve issues around total network visibility, vulnerability management, detect-response-recover solutions, Network Access Control and many other technologies considered necessary within the NIS2 legislation.

As a Value Added Distributor, we recommend that our partners reach out to their customer base themselves and start the conversation about how they can unburden their customers with technology. Would you like to learn more about one or more solutions? Then contact your Account Manager to set up a meeting. We are happy to help our partners implement technology solutions for the NIS2 requirements with their customers.

Why choose Kappa Data?

Technical expertise

Kappa Data supports resellers and customers with extensive technical expertise, training and guidance. Our technical and presales teams are always at your service!

Personal approach

At Kappa Data, you will enjoy a very personal and professional approach; from quick quotes to demos and a customer-friendly service with regular contacts. We are there for you.

Service excellence

Kappa Data is a value-added distributor that helps you find solutions. We ensure that all parties involved are satisfied, and mediate where necessary should a conflict arise.

What our customers say

A trusted partner for more than 25 years.

Snijders Compuservice, Jef Snijders
