NIS2: brace yourself for the new cybersecurity guidelines

Cybersecurity Special October 2022

Cyber attacks caused about $7 billion in damages in 2021. Let that sink in. So it is not surprising that stricter rules are being put in place to deal with this kind of crime, and work on this is also well under way at the European level. These new rules are not just for big companies, nor are they optional. So brace yourself for the new cybersecurity guidelines…

This includes SMEs

With the introduction of new European guidelines (NIS2), the European Union aims to force companies to get their cybersecurity in order. The objective: preventing cyber attacks from disrupting all or parts of society in the future. NIS2 is the successor to NIS (Network and Information Systems), the current cybersecurity directive. Never heard of it? That is not unusual, as the current directive only applies to large companies in critical sectors. This all changes with NIS2: it will apply to far more sectors, including SMEs. So, as a Dutch company, you will have to take a serious look at whether NIS2 will apply to you in the near future. If so, you will have to have all your measures in place. If not, you run the risk of a hefty fine: expect up to 2% of global turnover (up to a maximum of 10 million euros). That will cost you virtually as much as a ransomware attack.

Why bother with cybersecurity?

Avoiding a fine should not be your only reason for getting started with cybersecurity. As an entrepreneur, surely you want to have everything in good order for your organisation, including a professional and reliable ICT infrastructure? Cybersecurity incidents are the order of the day, and we all want to prevent them. It is important to reduce your attack surface, and that can only be done by taking the right measures.

Does your company fall under NIS2?

So NIS2 is serious business. But how can you determine whether it applies to your company? To do so, ask yourself the following questions:

  1. Do your business activities fall under ‘essential activities’?
    According to the European Commission, ‘essential activities’ are broken down into eight key sectors: transport, healthcare, banking, financial markets, digital infrastructure, drinking water supply, sewage disposal and energy supply. The size of the business is secondary. Even small courier services, local software companies, data centres and logistics parties will be affected by NIS2.
  2. Do you do business with suppliers or supply chain partners engaged in essential activities?
    NIS2 is aimed at the entire supply chain. This includes companies that do not carry out essential activities themselves but that do business with organisations that do. So you will need to identify whether your supply chain partners fall under this category. Do you supply software to parties such as KPN or PostNL? Do you do business with a carrier that also ships medical equipment? Do you supply hardware to a small energy supplier? In all these cases, you will need to comply with NIS2.
  3. Are those essential activities carried out anywhere within the European Union?
    For NIS2, what matters is not where you are based but where you carry out the activities. This is called ‘extraterritoriality’. So if you offer services that are considered essential activities anywhere in the European Union, you have to comply with the new directive, even if you only do business with a non-European party that performs essential activities in the European Union.

What you need to arrange for NIS2

Can you answer ‘yes’ to one or more of these questions? Then you will need to roll up your sleeves, unless you already have your security in order. What does that mean for your company? Take a look at the Guide to Cyber Security Measures from the Netherlands Cyber Security Centre (NCSC) or read this article on ‘how to prevent a cyber attack?’. That will certainly help you on your way. But at the very least, be sure to start with the following basic measures:

  1. Install software updates as soon as they are offered;
  2. Ensure that each application and system generates sufficient log information (log information is a record of the activities that take place in a network or application, and it is what you rely on to detect and investigate an incident);
  3. Apply multi-factor authentication (MFA, also known as 2FA) where necessary;
  4. Determine who has access to data and services based on functions and roles, for example by establishing role-based access control (RBAC);
  5. Segment the network: if the company network is divided into several separate zones, an attacker who gets into one zone cannot simply take down the whole network;
  6. Check which devices and services can be accessed from the internet, and protect these with a firewall, anti-malware and a virus scanner;
  7. Encrypt any storage media, such as USB sticks, external hard drives and company phones, that contain sensitive company information;
  8. Back up systems on a regular basis, and be sure to test that the backups can actually be restored.

You need to be able to demonstrate that the basic measures are in place in your organisation. Depending on the situation in your organisation, additional measures may also need to be taken.

Don’t wait. Act now!

NIS2 may well mean you have some work in store. Moreover, please do not assume that the fines will not be all that bad. The fines issued since the GDPR entered into force are not that bad either, right? They most certainly are. But the GDPR is enforced ex post: inspections take place only after there is serious suspicion that a company is non-compliant. NIS2 will soon be enforced ex ante, which means random checks will take place. So who knows, it might just be your turn next. Make sure that your systems are in order. Familiarise yourself with the subject and take action now – don’t wait for the new directive to come into force. And please do not hesitate to ask one of our cybersecurity specialists for advice. They have been around the block a few times.

Lucas Vousten | +31 (0)40 240 9516

Ties Meesters | +31 (0)40 240 9459