The new NIS2 directive on cyber security: what does it mean for Belgian companies?

In November 2022, the European Union adopted a new and improved version of the Network and Information Systems (NIS) Directive. NIS2, as this new directive is called, aims to raise the level of cyber security in a number of critical sectors across the EU and could well be a game-changer for many Belgian and international companies. In this article, we explain what NIS2 means, when it will be implemented and what it entails for your company.

What does NIS2 mean?

NIS2 is a new and improved version of the Network and Information Systems (NIS) Directive, which was adopted in 2016 and had to be transposed by the Member States by May 2018. NIS was the first piece of EU-wide legislation on cyber security, aimed at creating a common level of network and information security across the Member States.

Although NIS had obvious merits, its implementation proved difficult and its success was fragmented: Member States interpreted its scope and requirements differently, so the level of protection varied from country to country. As cyber attacks are a growing threat, the Commission proposed replacing NIS with a stricter and more binding directive: NIS2.

By strengthening security requirements, streamlining reporting obligations, and introducing more stringent supervisory measures and harmonised sanctions, NIS2 is focused on creating safer and more resilient digital environments and increasing the level of cyber security across all European member states.

Why do we need NIS2?

As cyber attacks are among the fastest-growing forms of crime worldwide, businesses and government bodies simply have to invest in creating safe digital environments for themselves and their customers. In the past decade, many countries have already suffered cyber attacks, including on critical infrastructure such as electric power systems, banks, hospitals and water plants.

As some of our most critical sectors, such as transport, energy, health and finance, have become increasingly reliant on digital technologies to run their core business, they are also becoming more vulnerable to a growing number of digital threats. As cyber security incidents become increasingly large and complex and often have a severe economic and social impact, NIS2 is aimed at providing a secure framework to protect economies and societies.

When will NIS2 be implemented?

The first proposal for a new NIS Directive was tabled in December 2020 and in November 2022 the EU approved NIS2. The Directive was published in the Official Journal in December 2022, and Member States must transpose it into national law by 17 October 2024.

Within those 21 months, Belgium has to transpose NIS2 into a new federal law on cyber security prevention and digital resilience, with the Centre for Cyber Security Belgium (CCB) as the national cyber security authority. The new federal law is expected to take effect in the second half of 2024.

Does NIS2 affect all Belgian Companies?

NIS2 is aimed at medium-sized companies (at least 50 employees or an annual turnover of more than 10 million euros) and large companies (at least 250 employees or an annual turnover of more than 50 million euros) in a number of critical sectors. These sectors are:

  • Energy
  • Transport
  • Banking and financial market infrastructure
  • Health care (including labs and research on pharmaceuticals and medical devices)
  • Drinking water
  • Waste water (only if it is the main activity)
  • Digital infrastructure (telecom, DNS service providers, TLD name registries, data centres, trust services, cloud services)
  • ICT service management (managed service providers and managed security service providers)
  • Digital services (online search engines, online marketplaces, social networking platforms)
  • Space
  • Postal and courier services
  • Waste management
  • Chemicals (production and distribution)
  • Food (production, processing and distribution)
  • Manufacturing (specifically, but not limited to, medical, computer and transport equipment)
  • Research organisations
  • Public administration

Small companies and micro enterprises fall outside the scope of NIS2, unless they provide services that the Directive covers regardless of size (such as public electronic communications networks, trust services, DNS services or TLD name registries), or unless the Belgian authorities designate them because they are the sole provider of a service that is essential for society or the economy, or because a disruption of their service would have a significant impact on public safety or security.

What do companies have to do to be compliant with NIS2?

In order to comply with the new NIS2 Directive, there are a number of things organizations need to do. Most importantly, they will have to implement an effective cyber security policy, with appropriate operational, organizational and technical measures based on an all-hazards risk analysis. Companies will need to build a cyber security roadmap with incident handling procedures, business continuity measures (backups, disaster recovery, crisis management) and supply chain security, meaning they will also need to invest in risk analyses, security awareness training and incident management. NIS2 also makes the management body responsible for approving these measures and overseeing their implementation, so board members themselves have to follow cyber security training.

NIS2 also streamlines the reporting obligations for cyber security incidents. Organizations must report every significant incident to the competent authority or the national CSIRT in three steps: an early warning within 24 hours of becoming aware of the incident, an incident notification with an initial assessment of its severity and impact within 72 hours, and a final report no later than one month after that incident notification. Where the incident affects customers, the recipients of the service must also be informed.

Organizations will also need to focus on knowledge sharing: they will exchange information on cyber threats, vulnerabilities and countermeasures with each other and with the authorities through information-sharing communities and automated tools. At European level, ENISA will maintain a vulnerability database of publicly known vulnerabilities in ICT products and services, and every Member State designates a CSIRT that acts as coordinator for coordinated vulnerability disclosure.

Does NIS2 involve sanctions for non-compliant organizations?

Every Member State designates one or more competent authorities that exercise supervision. In Belgium, the supervisory bodies will be, among others, the CCB (Centre for Cyber Security Belgium) and the BIPT (Belgian Institute for Postal services and Telecommunications). Organizations that fail to comply with the requirements set forth by NIS2 are subject to a number of possible sanctions, such as:

  • Binding instructions and deadlines for compliance
  • Temporary suspension of certifications or authorisations
  • Orders to cease the non-compliant conduct
  • Administrative fines
  • Personal liability of the management body, including a temporary ban on exercising managerial functions

Administrative fines can reach at least 10 million euros or 2% of total worldwide annual turnover (whichever is higher) for so-called essential entities, and at least 7 million euros or 1.4% of total worldwide annual turnover (whichever is higher) for important entities. Essential entities are, broadly, the large companies in the most critical sectors (such as energy, transport, banking, health and digital infrastructure), which are subject to proactive supervision; the other companies in scope are important entities, which are supervised after the fact, for instance following an incident or a complaint.

How can BowTie Security help you to comply with NIS2?

On your way to becoming NIS2-compliant, but unsure how to get there? The cyber security experts at Uptime Security can inform you and assist you in every step you take. Together with a number of our specialized IT partners within De Cronos Group, we will look at what needs to be done and draft made-to-measure solutions and successful action plans.

Want to learn more about cyber security, NIS2 and creating a safe digital environment? Subscribe to our webinar and discover what the new European directive on cyber security means for your organization.
