NIS2

EUROPEAN AND NATIONAL LEGISLATION ON THE CYBER SECURITY OF ORGANIZATIONS

The new European directive Network and Information Security Directive 2 (NIS2) is set to become effective in Dutch legislation as early as October 2024. Currently, the Dutch law for NIS1 is the Security of Network and Information Systems Act (WBNI). The new directive imposes significant requirements on the cybersecurity level of organizations in various societal sectors that are characterized as essential or important.

These mandatory, risk-based cybersecurity measures can effectively contribute to a better security level, and many elements will already be part of the cybersecurity policy of the organizations. However, failure to comply with these mandatory measures may result in significant fines.

XLS Global has developed a clear NIS2 assessment tool that can provide you with insight into your current situation immediately. You can access this tool via the button below.

HOW IT WORKS

NIS2 IN BRIEF:

As NIS2 is not equally accessible to everyone, we offer a brief overview of this European Directive on Network and Information Security. In this article, we explain the essence and tell you who it is important for. Discover the requirements and best practices for compliance with NIS2.

WHERE DO YOU STAND?

To ensure that your organization is ready for these legal cybersecurity requirements in time, it is important to start with the right preparations now. Although the requirements have not yet been formalized in national legislation, it is clear which direction they are heading and where the parallels with existing frameworks and good practices such as ISO 27001 lie.

Run the NIS2 Analyzer now and get a first impression of where you are today.

WHAT?

NIS2 imposes security requirements that are grouped under duty of care, reporting obligation, and supervision, and that are already relatively concrete before they are formalized in national legislation. These include, among others, the concrete lists of measures from Article 21 and the significant fines from Article 34 (4). Read more in the directive: EUR-Lex – 32022L2555 (europa.eu). In addition, there are a number of other notable elements such as security in the supply chain, responsibility of management bodies, and training obligations.

FOR WHOM?

Organizations that will fall under the new European directive Network and Information Security Directive 2 (NIS2) include energy companies, airlines, water companies, digital service providers, government agencies, and their suppliers. To check if your organization falls under this directive, it is recommended that you consult information from your local government. The Dutch government has released a self-assessment questionnaire. This questionnaire can be found at NIS2 Self-Assessment NL. More information on this can be found at samendigitaalveilig.nl. If you have any questions, please feel free to contact us for expert advice and support.

WHICH ENTITIES?

The NIS2 directive is aimed at more types of companies and organizations than the first NIS directive. This means that there are now more public and private organizations that must comply with the rules.

The organizations now covered by the NIS2 directive include:

Annex I sectors
  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Healthcare
  • Drinking water
  • Digital infrastructure
  • ICT service providers
  • Wastewater
  • Government services
  • Space

Annex II sectors
  • Digital service providers
  • Postal and courier services
  • Waste management
  • Food production
  • Chemicals
  • Research
  • Manufacturing

Essential entities

These are large organizations that are active in a sector from Annex I of the NIS2 directive (see table).

An organization is considered large based on the following criteria:

  • at least 250 employees; or
  • an annual turnover of more than €50 million and a balance sheet total of more than €43 million.

Important entities

These are medium-sized organizations that are active in a sector from Annex I and medium and large organizations that are active in a sector from Annex II.

An organization is considered medium-sized based on the following criteria:

  • at least 50 employees; or
  • an annual turnover and balance sheet total of more than €10 million.

Our services

We can support your organization in achieving and maintaining NIS2 compliance and the required cybersecurity measures through various services.

Assess & Assure

How resilient are you to cyber incidents?

Consult & Implement

Improving your cyber resilience.

Continuous security

Staying resilient and secure 24/7.

Contact us!

© 2024 XLS Global BV