22 November 2023

NIS2: New European cybersecurity regulations on the horizon

Cybersecurity remains a hot topic, not only due to the continuously increasing number of hacks and ransomware attacks but also from the perspective of regulators and the evolving legal framework in this field. Europe is on the verge of introducing new cybersecurity guidelines: the Network and Information Security Directive 2 (NIS2).

The NIS2 directive primarily targets organizations providing essential or important services. While small and medium-sized enterprises (SMEs) seem to be largely excluded, the NIS2 directive does apply to certain specific services, even for smaller organizations. It also extends to the entire supply chain, meaning that organizations not considered essential themselves but doing business with essential parties may also be subject to the directive.

NIS2 measures

The security requirements of NIS2, expected to be incorporated into Dutch national legislation from October 2024, are categorized into duty of care, reporting obligation and supervision. Although the translation of the directive into national legislation is not yet complete, the similarities with existing standards and frameworks are evident. For instance, the ISO 27001 standard has recently undergone significant changes, incorporating security measures that align well with NIS2 requirements, such as information security when using cloud services.

Risk-based approach

To ensure that organizations are adequately prepared for the legal cybersecurity requirements of NIS2, it is essential to make the right preparations now. A risk-based approach, as specified in the NIS2 directive, provides concrete guidelines for this. Implementing control measures according to 'best practices' such as CIS v8 or ISO 27001 is a practical preparation. The IT infrastructure is crucial in this regard. Modern cloud platforms not only offer functional services but also help meet strict legal requirements.

Digital resilience

With thoughtful preparation, organizations can confidently navigate the complex landscape of legal frameworks, both technologically and policy-wise. By taking the right steps now, organizations can proactively meet the expected requirements of NIS2 and enhance their digital resilience. For support in this process, specialized organizations offering consultancy, audit and training services can be enlisted.