What is NIS2?
The Network and Information Security directive, or NIS2 directive, is intended to improve the cybersecurity and resilience of essential and important services in EU member states. The directive is currently being transposed into national law and will enter into force sometime in 2025; it will apply to governments and at least 30,000 companies.
Duty of care
The duty of care requires that your organization has a number of measures in place. An overview of the measures to be taken can be found below, together with a brief description.
Risk management
It is mandatory to carry out a risk assessment yourself. Based on its outcome, you take appropriate measures to safeguard your services as far as possible and to protect the information they use.
Incident and data breach management
This covers the protocols and procedures that must be followed when managing data breaches and incidents. It is important to develop procedures for detecting, monitoring, resolving and reporting incidents, so that you can respond quickly and adequately when your organization is affected. NIS2 entities are obliged to report incidents to the central reporting point and the supervisor, and these reporting requirements must be anchored in the business processes. Drawing up an incident response plan can help with this.
Business Continuity
Business continuity refers to an organization's ability to continue its essential functions and core activities even in the event of unexpected and severe disruptions or emergencies. These disruptions can range from natural disasters and power outages to cyber attacks, such as Distributed Denial of Service (DDoS) attacks. A disruption can lead to reputational damage, downtime and loss of revenue, additional costs and recovery time, and legal and regulatory consequences.
Supply Chain Management
To make the supply chain NIS2-proof, you need to assess the weaknesses of your suppliers and service providers. Examples of what to look at include:
- The specific weaknesses of each direct supplier and service provider.
- The quality of their products and the cybersecurity practices of their own suppliers and service providers.
- Secure procedures for developing products and services.
Measuring policy effectiveness
To measure their effect, the security measures must be tested and evaluated. For this to take place in a structured and systematic manner, the assessment must be included in the organization's policy. One way to test the effectiveness of measures is through a security test or an audit.
Cybersecurity awareness and training
NIS2 and security awareness are closely linked, because NIS2 is not only focused on technical measures but also on promoting a culture of awareness within organizations. It emphasizes the importance of employee awareness and training. Security awareness includes not only understanding potential threats and recognizing suspicious activity, but also acting correctly in the event of a possible cyber attack. NIS2 therefore obliges organizations to invest not only in the technological security of systems, but also in training and informing staff about risks and best practices in the field of cybersecurity.
Policies and procedures regarding cryptography
This measure requires that rules are defined and implemented for the effective use of cryptography and for the management of cryptographic keys.
The purpose of cryptography and encryption policies and procedures is to ensure the confidentiality, integrity, non-repudiation, authenticity and authentication of data. In a cryptography policy document you describe the policy and techniques you use to ensure the confidentiality and integrity of information. Components to include in the policy document are configuration and key management, effectiveness and overall management of the controls.
Authorization management
To maintain control over the availability, integrity and confidentiality of your network and information systems, it is important to set up a sound access policy. In an access policy you determine who has access to which systems, and with which roles and rights. Because every organization has to deal with new employees, departing employees and job changes, careful administration of access rights is essential.
Multi-factor authentication and other secure login or communication methods
Secure business processes require that users, devices and other assets are authenticated using multiple authentication factors or continuous authentication mechanisms before they can access the organization's networks and information systems. The extent and strength of authentication should be appropriate to the classification of the assets being accessed; which access is highly classified is established in the risk analysis or the business impact analysis (BIA).
The use of additional authentication factors prevents an attacker from gaining access to an account merely by guessing or discovering the password, for example through social engineering or a successful phishing attack.
Security in network acquisition, development and maintenance (plus vulnerability response and disclosure)
The NIS2 directive states that an organization must have a policy on the security of acquiring, developing and maintaining its network. In addition, the organization must have a policy on how it deals with vulnerabilities.
A policy on the security of network and information systems covers a large number of topics, such as network security, configuration and change management, vulnerability management, a secure development life cycle and purchasing policy. After drawing up and establishing such a policy for your organization's network and information systems, you can map the network. Only if you know and understand the network can you make the right decisions to improve the digital resilience of these systems.
Human resources security aspects (rights management)
Organizations that take their cybersecurity seriously pay attention to the security aspects of personnel, access policy and asset management (hardware and software). Who has access to what, and with which rights? By taking these security aspects seriously and implementing appropriate measures, you strengthen this first line of defense and increase the resilience of your network and information systems.
Personnel, access policy and asset management
The duty of care under the NIS2 directive requires measures in 3 areas: security aspects of personnel, access policy and asset management.
Obligation of registration
Entities that fall under the NIS2 directive are required to register. This registration is intended to provide a Europe-wide picture of the number of entities covered by NIS2.
Duty to report
The directive requires entities to report incidents to the supervisory authority within 24 hours. These are incidents that significantly disrupt, or could significantly disrupt, the provision of the essential service. A cyber incident must also be reported to the Computer Security Incident Response Team (CSIRT), which will then provide help and assistance. Factors that make an incident reportable include the number of people affected by the disruption, the duration of the disruption and the possible financial losses.
Supervision
Organizations that fall under the directive will also come under supervision. The supervisor examines compliance with the obligations under the directive, such as the duty of care and the duty to report.