Boost your security with an NIS2 assessment

With the NIS2 Directive (Network and Information Security), the EU obliges its member states to enhance their maturity in cybersecurity. Organisations that are active in critical industries must meet strict IT security requirements. In October 2024, NIS2 will come into force in Belgium and organisations that fail to comply with the directive will be fined.

Even if your company doesn’t work in a critical industry you may still have to deal with NIS2, for instance through customers that are subject to the directive. Moreover, the measures should be implemented by all companies for a good cybersecurity strategy.

Shared responsibility

“It is important to note that NIS2 is not exclusively an IT responsibility,” says Ruben Cools. As an independent consultant who carries out assessments, he feels NIS2 is an issue that concerns every level of a company’s organisation.

“Information security is a responsibility we all share. NIS2 holds management accountable, but individual employees must also be aware of the impact their actions have on company security. This means that mere technical solutions are not enough. Awareness campaigns, adapted business processes and an efficient incident response plan are also important.”

Greater cybersecurity maturity

How do you embark on the journey to making your organisation NIS2 compliant? First, you need to determine the existing level of cybersecurity. “Only when the shortcomings become apparent can we determine what steps you need to take to comply with NIS2,” says Cools.

In most organisations, there is plenty of room for improvement. The minimum requirements of NIS2 must be met and the rest of the recommendations are tailored to the company. “Ultimately, the question is: what risks are you running and which ones are acceptable? This is always a financial consideration as well,” Cools explains. The NIS2 guideline focuses heavily on risk analysis, and that looks different in every organisation. The final report of an NIS2 assessment always includes a risk analysis so the organisation knows what it is facing and can determine what it needs to meet the complex NIS2 requirements. This helps them avoid sanctions while strengthening their cybersecurity. 

If an assessment reveals that an organisation lacks the knowledge to independently increase their cybersecurity and be NIS2 compliant, it can always call on the expertise of Orange Belgium. We provide support with the next steps.