
NIS2: European Cybersecurity Directive.

NIS2

Digital transformation has led to more cyber incidents. Having a cybersecurity plan in place is crucial for any business.

From October 2024, the European NIS2 Directive will become national law in Belgium. This directive requires a wider range of enterprises to better secure themselves against cyber attacks. What does this mean for your organization? Let's take a look at the key points:

1. Purpose of NIS2

  • The NIS2 regulations aim to strengthen the IT security of essential services, such as energy, transportation, health, manufacturing, finance, water and digital services within the EU.
  • It goes beyond technological measures and imposes strict, generally accepted security principles and risk management measures.

2. Impact on Enterprises

  • NIS2 applies to critical industries, but the impact will be broader. Companies not directly covered by NIS2 will also be affected.
  • Applies to medium and large companies (more than 50 employees or more than 10 million euros annual turnover).
  • Organizations cooperating with companies covered by the NIS2 directive must implement similar security measures.

3. Measures

Essential and key covered entities must take appropriate and proportionate measures to manage the risks to the security of their network and information systems, and to prevent incidents or mitigate the effects of incidents on the recipients of their services and on other services.

At a minimum, these measures include:

  • risk analysis and information systems security policies
  • incident handling
  • business continuity, such as backup management and contingency plans, and crisis management
  • supply chain security, including security-related aspects of the relationships between each entity and its direct suppliers or service providers
  • security in acquiring, developing and maintaining network and information systems, including vulnerability response and disclosure
  • policies and procedures to assess the effectiveness of cybersecurity risk management measures
  • basic cyber hygiene practices and cyber security training
  • policies and procedures on the use of cryptography and, where appropriate, encryption
  • security aspects regarding personnel, access policies and asset management
  • when appropriate, the use of multifactor authentication or continuous authentication solutions, secure voice, video and text communications, and secure emergency communications systems within the entity

4. Fines and Liability

Unlike its predecessor NIS1, NIS2 also carries fines and liability.

Violations relating to risk management measures or incident reports can be penalized:

  • for essential entities: with administrative fines of up to €10,000,000 or at least 2% of the total annual worldwide turnover in the previous fiscal year of the company to which the essential entity belongs, whichever amount is higher.
  • for significant entities: with administrative fines of up to €7,000,000 or at least 1.4% of the total annual worldwide turnover in the previous fiscal year of the company to which the significant entity belongs, whichever amount is higher.

To sensitize top management, natural persons representing essential entities may be held liable for failure to comply with the obligations in this Directive.

Don't wait to start a cybersecurity improvement project. Make cybersecurity your priority, too.
Learn more about NIS2 here.

What IKANDA solutions can help with this?

Register visitors quickly and easily via tablet, browser or calendar integration. Register in advance or on site. Notification via mail & SMS. Digital signing of safety instructions.

Easily reserve meeting rooms, visitors, catering, IT assistance, etc. via Outlook. Each service provider (catering, IT, reception, ...) receives an up-to-date overview of the orders.

Demo

Want to know more?

We are happy to organize a personalized demo for you.