The 2016 NIS directive only concerns a limited number of crucial organizations, so your company shouldn’t bother? Ooooops, with NIS.2 you might be very, very wrong! So check out this presentation.
Ready for NIS.2?
Though the initial NIS directive (on Security of Network and Information Systems) has not yet run its first full cycle (with the first external audits not until 2023), its limitations are already clear: too limited in scope; too many differences in national approaches and variations in resources; and not enough information sharing. So a NIS.2 proposal has been introduced.
Though still very much a work in progress, with no enforcement expected before 2024, organizations would do well to start evaluating its impact on their security posture today. There is no better place to start than the presentation “NIS2: NIS with teeth? Or biting off more than we can chew?” by Pieter Byttebier of the Center for Cybersecurity Belgium (CCB). As International Relations Officer, he is deeply involved in the discussions around the NIS.2 proposal.
The proposal rests on three pillars: member state capabilities; risk management; and cooperation and information exchange. In his presentation, Pieter Byttebier touches upon five key questions, with ‘will NIS.2 apply to my organization’ foremost among them. And let’s be clear, an overview of ‘essential’ and ‘important’ entities as listed in the Annexes of the NIS.2 proposal illustrates the much broader scope of this directive. As an example, take ‘important entities, sector manufacturing, subsector manufacture of machinery and equipment n.e.c.’ as referred to in ‘section C division 28 of NACE Rev.2’: not many companies in this subsector will evade NIS.2… Micro companies with fewer than 50 personnel and less than 10 million euro annual turnover will be exempted, but national authorities could even include them selectively.
Another question concerns the ‘teeth’ of NIS.2. Non-compliant entities face not only a range of sanctions, such as warnings and administrative fines: management must also sign off on cyber security measures, and in ‘essential’ entities management will be held liable, up to and including temporary bans against managers.
Again, this NIS.2 proposal is still very much a work in progress, so Pieter Byttebier is inviting input from organizations on all aspects of it. Start with his presentation, and do contact him. Then find out whether NIS.2 ‘as it stands today’ applies to your organization, so you can start to prepare. That is not wasted effort, as any measures you take make your company more secure and act as business enablers.