Is NIS2 on the radar of your organisation?

At anDREa, we are heavily invested in the security of our platform and your data in the interest of all stakeholders. Since September 2022, we are ISO27001 certified and have passed the first control audit with flying colors. Moreover, we have transparently published our information security policies and Statement of Applicability, greatly improving our customer’s Security Impact Assessments (SIAs). It is therefore no surprise that we have kept a close eye on the NIS2 legislation. This law needs to be ready in October 2024 and will replace (or add on to) the Wet beveiliging netwerk- en Informatiesystemen (Wbni) in The Netherlands.

Based on the meetings we attended (and maybe a bit of gut feeling), we see that NIS2 is not gaining a lot of attention in The Netherlands. Let alone that organizations are preparing for it. The penalties for non-compliance however, are not something to think lightly of. The penalties include administrative fines as high as €7.000.000 for important sectors and €10.000.000 for essential sectors as well as criminal sanctions for management. 

Organizations that do want to prepare are unfortunately often staggered by the uncertainty of how the law is going to look like or by the uncertainty whether their organization has to comply with NIS2. At anDREa we recognize this last category: we are a small company that does not tick all the boxes for the criteria. 

In short, NIS2 is applicable to essential (>250 employees; >50 million euros annual turnover) and important sectors (50-250 employees; 10-50 million euros annual turnover). Small and micro entities are not involved, EXCEPT if they are identified as essential or important by national authorities. It is certainly possible that anDREa might fall in this category. And if not, it is not unthinkable that our customers might impose these NIS2 requirements on us, as supply chain security is an important aspect of NIS2. However, we cannot ignore the number of users, the number of studies with privacy sensitive data, and the grants involved.

In the hope of gaining more insight, we attended the cybersecurity congress organized by Ziekenhuis Oost-Limburg (ZOL) and the Centre for Cybersecurity Belgium (CCB) in Genk, Belgium. The CCB is involved in writing and preparing for NIS2 in Belgium and it would be interesting to listen to insights directly from the source.

What did we learn?

With the ever-growing news of data breaches and attacks by malicious actors, that are just a tip of the iceberg, there is enough reason and traction to push NIS2 into legislation. What did we learn from our colleagues in Belgium?

For starters, do not get scared off by the October 2024 deadline. This is when the law has to be ready and not when you have to be fully NIS2-compliant. The law will differ slightly in each of the EU Member States, however do not wait with your preparations until the last moment as the process of getting ready might take time depending on your security posture. The NIS2 helps to drive the internal change to be able to fight the fast growing number of malicious attacks; be prepared otherwise it is for sure not an IF but a WHEN and sooner than you might have hoped. 

1. Start by determining whether your business is impacted by NIS2. Even if you are not directly categorized as essential or important, you might still be impacted by NIS2 as part of the supplier chain. 

2. Get your management team on board. In NIS2, there is a great responsibility (and liability) for the management team so it is essential to have them on board and understand all of the requirements and penalties for non-compliance. Moreover, management is essential for acquiring the needed resources.

1. Management:

1. Must approve all cybersecurity measures.

2. Must oversee the implementation of cybersecurity measures.

3. Need to follow cybersecurity training

4. Is liable for implementation.

5. Offers cybersecurity training to all employees on a regular basis.

3. Next, it would be a good idea to assess your security posture: where do you stand? For the absolute minimum, there are ten minimum requirements that are mandatory:

1. Risk assessments and security policies for information systems.

2. Policies and procedures for evaluating the effectiveness of security measures.

3. Policies and procedures for the use of cryptography and, when relevant, encryption.

4. A plan for handling security incidents.

5. Security around the procurement of systems and the development and operation of systems. This means having policies for handling and reporting vulnerabilities.

6. Cybersecurity training and a practice for basic computer hygiene.

7. Security procedures for employees with access to sensitive or important data, including policies for data access. Affected organizations must also have an overview of all relevant assets and ensure that they are properly utilized and handled.

8. A plan for managing business operations during and after a security incident.

9. Use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems. 

10. Security around supply chains and the relationship between the company and direct supplier. companies must choose security measures that fit the vulnerabilities of each direct supplier.

4. If these requirements seem familiar to you, then you are right. This is mostly covered in ISO27001. With the right scope and Statement of Applicability, you are already off to a good start in your preparations. If you are wondering how we set up our Information Security Management System (ISMS), you can find that here: ISO27001 overview.

5. Look into cybersecurity training both for all employees (including management) and certify if there will be a NIS2 certification.

Is ISO27001 enough to be prepared for NIS2?

The short answer is no.