How do you prepare your organisation for NIS2?

Boost your security with an NIS2 assessment

19.07.2024

The new European NIS2 information security directive is relevant to every business, regardless of size. An assessment tells you where you stand and what measures you need to take to boost your cybersecurity maturity.

With the Network and Information Security (NIS2) directive, the EU aims to enhance the cybersecurity and resilience of essential services against cybercrime in member states. NIS2 will come into force in Belgium in October. Under this new legislation, companies and organisations in critical industries must meet strict IT security requirements and implement thorough processes to manage risks. Companies that fail to comply can be fined.

NIS2 is not just relevant to large companies. The measures it imposes are standard requirements that should be implemented by all companies, regardless of size, to ensure the effectiveness of their cybersecurity strategy. Even if your company doesn’t operate in a critical industry, you may still have to deal with NIS2, for instance through customers that are subject to the new directive. After all, a customer who is required to comply with NIS2 will impose measures on its suppliers – including you – to secure its supply chain.

 

Shared responsibility

“It is important to note that NIS2 is not exclusively an IT responsibility,” says Ruben Cools. As an independent consultant, he carries out assessments for companies that want to know where they stand in terms of information security. He points out that NIS2 is an issue that concerns every level of a company’s organisation. “Information security is the responsibility of every employee. NIS2 holds management accountable for taking the right measures and ensuring the necessary follow-up, but individual employees must also be aware of the impact of their actions on company security. This means that mere technical solutions are not enough. Awareness campaigns about phishing and other risks, adapted business processes and an efficient incident response plan are at least as important.”

 

Greater cybersecurity maturity

So how do you set about making your organisation NIS2 compliant? You start by mapping out your cybersecurity as a whole. “It isn’t until the shortcomings become apparent that we can determine which steps you need to take to comply with NIS2,” says Cools.

Today, most companies still have to make major strides to boost their cybersecurity maturity, with an initial focus on meeting the minimum requirements of NIS2. The other recommendations are tailored to each company. “Ultimately, the question is: what risks are you running and which ones are acceptable? This is always a financial consideration as well,” Cools says.

The NIS2 directive places great importance on risk analysis, the results of which differ for every organisation. The final report of an NIS2 assessment always includes such an analysis, so the organisation understands the risks it is facing and can identify the areas it needs to prioritise to meet the directive’s complex requirements. This helps it avoid fines and sanctions while strengthening its cybersecurity.

If an assessment reveals that an organisation lacks the in-house knowledge to independently raise its level of cybersecurity and be NIS2 compliant, it can always call on the expertise of Orange Belgium. We provide support as companies take the next steps and roll out the appropriate technical solutions to make their organisation more resilient against cybercrime.

 

 

Are you curious to find out how your organisation rates in terms of cybersecurity maturity? Contact your account manager to schedule an NIS2 assessment.
