NIS2: playtime is over, time to act NOW

No transition time

If organizations expected to have another 18 or 30 months to effectively implement NIS2, they are in for a harsh reality. The Belgian Cybersecurity Center (CCB), which is responsible for transposing the EU directive into Belgian law, confirms that companies that have not taken appropriate measures by October 18 risk significant fines and reputational damage.

Uncertainty about deadline

Despite the upcoming deadline, many companies are still unclear about the effective implementation date of NIS2. Koen Tamsyn, Solution Manager Cybersecurity at Inetum, says: "We closely monitor the legislative framework and take into account possible changes, but at this moment, October 18, 2024, remains the deadline. From then that date onwards, the law will effectively come into force and all obligations will be applicable. The CCB is positive about the approval process by the government and assumes that Belgium will be ready on time with its translation into national law. I therefore strongly encourage everyone to start as soon as possible with the process to comply with all obligations

Broad scope of companies involved

The scope of NIS2 is much broader than that of NIS1. This means that many more companies are affected. For starters, 11 sectors have been added, bringing the total to 18. In addition, size and criticality are also being taken into consideration. The CCB estimates that 2,400 organizations in Belgium will be affected by this new directive. At Inetum, we believe this number to be closer to 3,000.

As NIS2 has a strong focus on companies’ relationships with their suppliers, affected companies are also required to assess the security of their supply chain. This means NIS2 affects suppliers as well, even though it does not apply to them directly. This makes it vital to determine whether NIS2 applies to your own company if you have not done so already.

What does NIS2 compliance mean?

If the NIS2 directive applies to your company, here's what you must implement in your organization.

First, you must take various measures to adequately manage and mitigate your cybersecurity risks. More specifically, this concerns ten areas:

1. Risk analysis and management
2. Security policy and asset management
3. Incident handling (prevention, detection, and response to incidents)
4. Business continuity and crisis management
5. Supply chain security (taking supplier vulnerabilities into account)
6. Vulnerability management and handling
7. Regular assessments
8. Use of encryption where necessary
9. Basic cybersecurity hygiene and training
10. Use of multifactor authentication (MFA) or continuous authentication

Second, you must also meet a number of obligations on reporting incidents. For example, you must now report significant incidents to your Computer Security Incident Response Team (CSIRT) or the relevant competent authority within 24 hours. You must also provide a progress report after a maximum of three days (72 hours) and a final report within one month of your initial report.

More information can be found in our NIS2 flyer.

On the road to NIS2 compliance with our partners

No single supplier or solution can provide all the cybersecurity an organization needs to be NIS2-compliant. That's why we've teamed up with several partners. These events are available for you in English:

• April 25: How can Hoxhunt positively influence the security behavior of your employees?
• Feel free to also visit us at Cybersec Europe on May 29-30, where you can personally exchange thoughts with our experts. 

Do you have any suggestions for other topics? Please let us know by email to info@inetum-realdolmen.world.