The safety of our society and economy is increasingly under pressure. That is why the European Union has drawn up the Network and Information Security (NIS2) directive. This directive is meant to strengthen the digital and economic resilience of the EU countries.
The NIS2 directive focuses on risks that threaten network and information systems, such as cybersecurity risks. The directive is meant to achieve more European harmonisation and a higher level of cybersecurity among companies and organisations. The NIS2 directive is the successor to the first NIS directive. That first directive, also known in the Netherlands as the NIB, was incorporated into the Security of Networks and Information Systems Act (Wbni).
Besides the NIS2 directive, the European Union has also adopted the CER (Critical Entities Resilience) directive. This directive focuses on the protection of public and private organisations against physical threats, such as the consequences of (terrorist) crimes, sabotage, and natural disasters. Both directives aim to increase the resilience of European member states and to counter threats that could disrupt society.
What does the NIS2 directive mean for your organisation?
Public and private organisations within certain sectors will have a duty of care and a duty to report. Below, you can find a summary of the obligations imposed by the NIS2 directive and the sectors to which they will apply. EU countries have until 17 October 2024 to incorporate the NIS2 directive into national legislation.
Which sectors and organisations are covered by the NIS2 directive?
The NIS2 directive adds sectors to those already covered by the first NIS directive, so more public and private organisations will be covered. Organisations covered by the NIS2 directive are essential and important entities in different sectors. These sectors are listed in Annexes I and II of the NIS2 directive.
Annex I of the NIS2 directive lists the sectors of high criticality. Besides energy, transport, and banking, which were already covered by the first NIS directive, these include:
- financial markets infrastructure
- health care
- drinking water
- digital infrastructure
- ICT service management (business-to-business)
- waste water
- public administration
- space activities
Annex II of the NIS2 directive lists the other critical sectors, including:
- digital providers
- postal and courier services
- waste management
- manufacturing, production, and distribution of chemicals
- production, processing, and distribution of food
Organisations active in one of these sectors that qualify as ‘essential’ or ‘important’ entities are automatically covered by the NIS2 directive. This is an important difference from the first NIS directive. Unlike under the CER directive, organisations are not designated by ministries under the NIS2 directive: whether you are covered follows from your sector and your size.
What is an essential entity?
Essential entities are large organisations active in 1 of the sectors listed in Annex I of the directive (see above). Following the EU definition of enterprise size, an organisation is large if it has at least 250 employees, or if it has both a net annual turnover of more than €50 million and a balance sheet total of more than €43 million.
What is an important entity?
Important entities are medium-sized organisations active in 1 of the sectors listed in Annex I, and medium-sized and large organisations active in 1 of the sectors listed in Annex II of the NIS2 directive (see above). An organisation is medium-sized if it is not large and has at least 50 employees, or has both an annual turnover and a balance sheet total of more than €10 million.
Outages of the services of essential entities have more disruptive effects on the economy and society than outages of the services of important entities. Supervision of essential entities is therefore stricter than supervision of important entities. The government monitors essential entities’ compliance both before and after an event (ex ante and ex post). Important entities are supervised only ex post (after an event), for example if there are indications of non-compliance with the law, or if an incident has occurred.
In principle, most micro and small businesses are not covered by the NIS2 directive. However, some micro and small businesses do fall under the directive. The minister can also decide to designate a micro or small company, for example if a risk assessment shows that its services are crucial to the Dutch economy or society. If so, the company will be notified by the relevant ministry.
Micro and small businesses that are covered by the NIS2 directive regardless of their size are:
- trust service providers
- top-level domain name registries
- domain name registration service providers
- providers of public electronic communication networks
- providers of publicly available electronic communications services
Government organisations active in the sectors listed above are also automatically covered by the NIS2 directive.
Do you want to find out whether your company counts as a micro, small, medium-sized, or large enterprise? You can use the EU’s SME self-assessment questionnaire to check.
Which obligations does the NIS2 directive impose?
The obligations under the CER directive and the NIS2 directive are very similar. The main duties that the NIS2 directive imposes are:
- Duty of care – Companies must carry out a risk assessment themselves. Based on this risk assessment they must take measures to safeguard their provision of services as far as possible and to protect their information.
- Duty to report – Companies have to report incidents to the supervisory authority within 24 hours. This concerns incidents that significantly disrupt, or could significantly disrupt, the provision of their essential services. Under the directive this 24-hour report is an early warning; a fuller incident notification follows within 72 hours and a final report within one month. Is it a cyber incident? Then it must also be reported to the Cyber Security Incident Response Team (CSIRT), which can offer help and support. Whether an incident is subject to the duty to report depends on several factors, for example the number of people affected by the disruption, the duration of the disruption, and the potential financial losses.
- Supervision – Organisations covered by the NIS2 directive will be placed under supervision. The supervisory body will check compliance with the obligations of the directive, such as the duty of care and the duty to report. It is currently being worked out which sectors will fall under which supervisory body.
What can you expect the government to do?
The NIS2 directive requires EU countries to help essential and important entities strengthen their resilience against digital risks. The directive requires a CSIRT to help these entities with advice and support. Government support can include information sharing, guidelines, and tools to improve resilience, for example tools to conduct a risk assessment.
How can organisations prepare?
Before the national legislation is ready, organisations can already prepare for their duty of care by taking measures to improve the security and resilience of their processes and services. The National Cyber Security Centre (NCSC) offers a guide to Cyber Security Measures (pdf), and the Digital Trust Center has listed a number of measures to help organisations protect themselves against the risks of, and damage caused by, cyber attacks. Organisations can also:
- Identify and analyse risks.
- Write business continuity plans and protocols for crisis management and organise incident response.
- Identify alternative supply chains.
- Create awareness among staff of risks and measures to take.
- Reserve budget and capacity needed to comply with the directive.
These preparations apply to businesses active in 1 of the sectors mentioned above that, according to the criteria, are essential or important entities.
Around the summer of 2023 a six-week internet consultation period will start (in Dutch). The new law is expected to enter into force at the end of 2024. From then on, organisations covered by the NIS2 directive have to fulfil the duty of care and the duty to report.
It is not yet possible to answer all questions properly. Even so, the government would like to hear which questions your organisation has. Ask your question to the ministry responsible for the sector in which your company is active (in Dutch). This way, the government knows which questions companies have and which need to be answered.
Please note: The effective date of this measure is not yet final. Entry into force is subject to its passing through the upper and lower houses of parliament or proclamation of the Order in Council (Algemene Maatregel van Bestuur, AMvB) or ministerial decree and publication in the Staatsblad or Staatscourant (Government Gazette, in Dutch).