NIS2: more security for the EU and for businesses

18.09.2023

With NIS2, the EU aims to upgrade its protection against cyber threats and is specifically looking to the business world. Jan De Bondt of Orange Cyberdefense Belgium tells us more about the importance of the directive and its impact on organisations.

The EU’s Network and Information Security (NIS2) directive aims to oblige member states to enhance their cybersecurity maturity by imposing a series of IT security requirements on organisations in critical sectors. NIS2 – an expansion of the existing NIS directive – will have to be transposed into Belgian law by the end of 2024.

Even if your company isn’t active in a critical sector, you will still be faced with NIS2, for instance through customers who are subject to the new directive. Moreover, most of the measures cover generally accepted security principles that every organisation should be implementing anyway.

We discussed NIS2 with Jan De Bondt, Director Audit & Business Consultancy at Orange Cyberdefense Belgium. His message? Don’t wait too long to implement the new directive – but don’t do it just because you have to. Only a well-considered security policy can adequately protect your organisation.

The previous NIS directive was only issued in 2016. Why is the EU already launching its successor?

NIS was a step in the right direction but it also had a number of important shortcomings. Hospitals and companies active in IT service management such as Orange dodged the bullet: they were not considered providers of essential services. Also, the security requirements were not transparent and strict enough. Fortunately, the evolutionary nature of the IT world was factored in from the start and frequent market surveys were organised. The results indicated that businesses are still not doing enough to ensure a proper level of cybersecurity, leading the European Commission to design and implement the NIS2 directive. It has a broader scope of implementation and imposes stricter requirements on organisations.

How much will change for companies?

That depends for the most part on their maturity. In the financial sector, for instance, significant efforts have long been made in the area of cybersecurity, with regard to both business processes and technological solutions. Financial institutions already have to comply with a multitude of other regulations, so for them, NIS2 will not bring any sweeping changes. However, the new directive will have a major impact in those sectors with little or no IT security legislation. 

In which areas is a catch-up effort most needed?

The main thing is how organisations handle security incidents. The ultimate goal of NIS2 is to make the EU more resistant to cyberattacks. That’s why, from now on, reporting security incidents to the competent national authorities will be mandatory. In Belgium, this is the Centre for Cybersecurity Belgium (CCB). The member states share their knowledge of reported security incidents with each other so they can respond faster to emerging trends. In addition, organisations must develop a well-thought-out incident management policy.

So this is more of a business issue than a technical issue?

That’s correct, and that also goes for a number of demands within NIS2. The new directive places particular emphasis on a risk-based approach, which is a first for many businesses. Risk analysis is at the heart of an information security management system. Organisations must ask themselves how to ensure business continuity when their IT systems break down. Do they replicate the infrastructure across two data centers or should they invest in a backup system? That decision is closely linked with the existing operational processes. A risk-based approach genuinely starts from the business itself.

The NIS2 directive has to be transposed into Belgian law by 17 October 2024. Should our businesses make a start right away?

Yes and no. The deadline of 17 October 2024 refers to the legal framework and not its implementation. Nevertheless, I would advise companies and organisations not to procrastinate. Experience has shown that changing IT and other business processes can easily take two years to complete. 

While Belgian law can still make specific additions, the general principles of NIS2 are common knowledge, so there is no reason for businesses not to start adjusting their existing processes now. After all, the requirements are nothing more than the implementation of generally accepted security principles. To implement them, companies can use the CCB’s Cyberfundamentals Framework, which is based on four IT security frameworks: NIST CSF, ISO 27001/ISO 27002, CIS Controls and IEC 62443. Orange can help businesses make the right choice.

What else can businesses do apart from focusing on incident management and adopting a risk-based approach?

As with many things, IT security is about striking the right balance between people, processes and technology. Most companies have taken care of the technology aspect to a certain extent. This is because in the past, cybercriminals first attempted to gain access via the network. Businesses were able to stop these attacks by investing in technical solutions such as firewalls. Meanwhile, cybercriminals have adapted their methods and nowadays use phishing techniques to try and trick employees. That is why NIS2 has such a strong focus on security awareness: businesses must invest in employee training – and that includes the boardroom.

Companies must opt for multi-layered security: a firewall to counter intrusion, monitoring to know when to intervene, mandatory two-factor authentication to prevent misuse of user accounts, and training to make security a shared responsibility.

What happens if businesses fail to meet the requirements of NIS2?

NIS has already included directors’ liability. This means that, in principle, directors who fail to invest in the security of their business and are subsequently the victim of a cyberattack can be sentenced to jail time. NIS2 adds that in the event of gross negligence, a director may be temporarily banned from exercising their executive duties or that a company may even be forced to cease operations altogether. This would obviously tarnish that person’s reputation and that is why the expectation is that directors will be more readily prepared to take their responsibility.

When all is said and done, directors’ liability is a tool that gives the European Commission leverage to try and increase security budgets and create a culture of security by design, analogous to what GDPR did for privacy by design. Now directors can no longer set the IT security budget as they see fit. With the NIS2 directive, the company’s needs are first identified and then it is the director’s job to earmark the necessary budget. 

Is NIS2 also relevant for companies outside the sectors to which the directive applies?

Yes, it is. IT security is an increasingly important aspect of the customer-supplier relationship. Businesses that supply services are often asked by their customers how they handle security. In certain cases, an audit must show that the company is fulfilling its obligations. This means that in the future, businesses that want to work with an organisation that falls under the NIS2 directive will have to be able to show that their own security policy lives up to the same standards. But ultimately, my advice is this: work towards NIS2 compliance not because you have to or because customers expect it, but because it is the way to optimise IT security. 

Would you like to take the security of your organisation to the next level? Then contact your account manager.
