Stricter cybersecurity rules within the EU
The European Union adopted a new cybersecurity law, the NIS 2 directive, in November 2022. The directive is intended to guarantee a high standard of cybersecurity within the EU. It widens the scope of the 2016 NIS Directive and raises the fines for violations. The new law is a response to the growing number of digital threats and cyber-attacks. Once the directive officially enters into force, the Netherlands will have two years to turn its requirements into national law. This means that from 2024 onwards, some Rotterdam entrepreneurs will have to comply with new and stricter cybersecurity rules.
To which entrepreneurs will the directive apply?
The directive applies to all medium-sized and large organizations in sectors that the EU considers essential or important. Essential sectors include energy, transport, banking, financial market infrastructures, healthcare, drinking water and wastewater, digital infrastructure, public administration and aerospace. Important sectors are postal and courier services, waste management, the manufacturing, production and distribution of chemicals, food production, processing and distribution, the processing industry and digital providers.
All organizations with more than 50 employees and a turnover of more than 10 million euros fall within these new rules. Other companies are in principle excluded, unless they meet special criteria that indicate a key role in a certain sector or type of service, for example because they are a public authority or the sole provider of a service in a member state or region. Such companies are then also treated as an essential or important organization. The EU member states will determine in the near future which companies these are.
What will change?
The NIS 2 directive imposes more mandatory measures on companies to manage cybersecurity risks. For example, it will be mandatory to carry out risk analyses, to adopt a policy on the security of information systems, and to take measures to secure relationships with suppliers. In addition, there is a stricter reporting obligation for cybersecurity incidents that have a major effect on the service (report within 24 hours instead of 72 hours). The directive thus imposes stricter obligations on companies.
The national supervisor will also be given more powers. This body approves companies’ cybersecurity risk management measures and monitors their compliance with security requirements and incident reporting. The directive thus ensures more supervision and enforcement. If essential companies fail to comply with their obligations, fines of up to EUR 10 million or 2% of total global annual turnover will apply. For important companies, the maximum is EUR 7 million or 1.4% of total global annual turnover.
What you can already do at this point
- Find out whether your company is seen as a medium-sized or large organization and will therefore fall directly under the new rules (or whether it will meet these criteria by mid-2024).
- If so, you can already find out now which new obligations regarding information security you will have to implement later:
  - Risk analysis and security policy for the information system: assess the level of risk of cyber-attacks in the organization.
  - Prevention, detection and response to incidents: based on the risk analysis, identify the vulnerabilities in the company and draw up plans to prevent cyber-attacks.
  - Business continuity and crisis management: establish backup solutions in cloud storage to ensure the business can continue in the event of a cyber-attack.
  - Supply chain security: organizations must consider the vulnerabilities of each vendor and service provider.
  - Use of cryptography: the use of cryptography to protect the corporate network.
  - Vulnerability disclosure: using open-source testing to uncover security vulnerabilities and sharing them with the regulator and other organizations.
  - Policies and procedures to assess the effectiveness of the organization’s cybersecurity risk management: implementing policies to monitor cybersecurity on a regular basis.
- It is also useful to prepare for the obligation to report cybersecurity incidents and threats within 24 hours. The duty to report currently falls under the Network and Information Systems Security Act. View this fact sheet [in Dutch] from the National Cyber Security Centre to see exactly how the duty to report works.
For more information, please visit:
- Risk Ledger – What Is The New NIS 2 Directive and What Does It Mean For You?
- Podcast Euractiv: NIS2 – All you need to know