The new NIS2 law will be introduced in the summer of 2024 and has serious consequences for many organizations. By enforcing this law, the European Union wants to improve the digital resilience of Europe. At least eleven industries have to comply with these new measures, which entail strict requirements for (cyber)security and incident reporting. Don’t let these new rules surprise you: prepare for the NIS2 implications in time. In this blog, we explain the contents of the new law and what it will mean for organizations.
NIS2 succeeds the NIS directive from 2016, where NIS stands for Network and Information Systems. That directive was transposed into Dutch law in 2018 under the name ‘Wet beveiliging netwerk- en informatiesystemen’.
The EU describes NIS2 as ‘measures for a high common level of cybersecurity across the European Union’. In other words, by enforcing this law the union wants to improve Europe’s digital resilience. To achieve that, from 2024 onward organizations have to comply with stricter security and reporting requirements. The detailed NIS2 provisions can be found on this page.
These include, for instance:
- an obligation to follow up on security incidents,
- security of network and information systems,
- compliance with the basic rules of cyber hygiene,
- multi-factor authentication and secured communication.
The current NIS law only applies to six critical industries: finance, energy, water, healthcare, transport, and digital infrastructure. NIS2 is broader because it covers more industries, at least eleven: the directive doesn’t just apply to government organizations and essential organizations, but also to important organizations such as postal and courier services, manufacturers of medical devices and organizations in the food industry.
The industries listed above are determined by the EU. The Dutch government has leeway to add further industries to the national law, for example because they are important to Dutch society.
The law only applies to organizations with at least fifty employees or a yearly turnover of more than ten million euros. Still, NIS2 could also come your way when it doesn’t apply to your organization directly: if you are, for instance, a supplier to an organization that has to comply with the directive, your partner could demand that you also keep to the NIS2 rules.
The Dutch NIS2 law will take effect from 2024 onward. From that moment on, all organizations involved are legally required to report significant security incidents: an early warning within 24 hours, followed by a more detailed incident notification with an initial assessment within 72 hours. This is already normal procedure under the GDPR, but not yet for cybersecurity incidents in general. Right now, organizations outside the scope of the current NIS law are still allowed to keep security incidents quiet.
Organizations risk hefty fines if they don’t comply with the guidelines: up to ten million euros or 2% of the yearly worldwide turnover (whichever is higher) for essential organizations, and up to seven million euros or 1.4% of the yearly worldwide turnover (whichever is higher) for important organizations. The law will be enforced through random checks, audits, security scans and information requests. Moreover, the management board (the CEO included) is not only responsible for compliance but can also be held personally liable for non-compliance.
To avoid being caught by surprise by these new guidelines, it’s vital to make a timely assessment of your organization’s NIS2 readiness and to get properly advised. Avit can assist with the technical implications of NIS2, such as the basic rules of cyber hygiene and securing your network and information systems.