With NIS-2, a powerful directive is at the starting blocks as the successor to the first European cyber law. It is an important renewal, because since the introduction of NIS(1) in 2016, cyber threats have increased significantly and the digital landscape has changed dramatically with the adoption of cloud storage, mobile devices, and SaaS services.
The chance that your organization will also have to comply with NIS-2 is relatively high. While NIS-2 continues to apply to ‘essential companies’ (as was previously the case under NIS1), its scope is broadened to include ‘important companies’. Organizations are ‘important’ if they provide products or services to vital service providers, or if they offer digital services to businesses or consumers. This means that many medium-sized and large organizations in the Netherlands, spread across various sectors, will have to comply with the directive.
NIS-2 is characterized by a range of minimum security requirements imposed on an organization in order to meet the ‘duty of care’ standard; one example is applying security detection (monitoring) to your network. In addition, there is an obligation to report (serious) security incidents to the relevant supervisory authority within 24 hours and to use a framework for further follow-up and handling.
Eventually, NIS-2 will mainly become known in the Netherlands under a different name. In this country, the Cybersecurity Act (Cbw) is the translation of NIS-2 into Dutch legislation. Where Europe previously gave the Dutch authorities until October 17 this year to translate and implement the legislation, it is now clear that this deadline will not be met. It is expected that a date in 2025 will be announced in the coming months when the Cybersecurity Act will become active.
Organizations that are seen as vital will be informed about this by the responsible ministry. But this does not apply to the group of ‘important’ companies. When are you important? In close consultation with involved ministries and supervisory authorities, the National Inspectorate for Digital Infrastructure (RDI) has made available a questionnaire with which organizations can check for themselves whether they fall under NIS-2/Cbw. (Completing this quick scan takes 5 to 10 minutes.)
Then the next step. If your organization is regarded by the EU as ‘essential’ or ‘important’, it is important to achieve NIS-2 compliance before the legislation comes into force sometime in 2025. If your organization does not yet use a certification or framework for cybersecurity, NIS-2 certification forms a good starting point for setting up a compliance process.
Interstellar can help organizations by conducting a gap analysis to identify (potential) shortcomings in cybersecurity measures in relation to the conditions prescribed by NIS-2. Once these are identified, Interstellar is able to provide appropriate technical measures via a roadmap to comply with NIS-2. This could include a SOC service via its specialized party Pinewood, or Sovereign Cloud (where you don’t lose control of your data) via Fundaments.
An IT environment is complex and contains many information systems; mapping these out and taking appropriate measures takes time. Although we don’t yet know exactly when the NIS-2 directive will come into force in the Netherlands under the name of the Cybersecurity Act, a lot of information is already available from the NIS-2 Directive itself and from ‘Best Practices’. We are happy to help you with this.