NIS2: Europe expands the scope of its regulations
Published on 25/04/2023 in News
The NIS (Network and Information Security) Directive aimed to achieve a high level of security, but now NIS2 is here, bringing with it a broader scope to boost IT infrastructure resilience. It’s an evolution every organization needs to take seriously.
Three years later …
The NIS law, which stems from the European NIS Directive, was the first cybersecurity legislation to be passed in Belgium. Three years after it came into force, the Centre for Cybersecurity Belgium is relatively happy with companies’ compliance. “However, it’s still too early to fully assess the implementation of the rules. The first internal audits have just been carried out and the first external audits will take place in 2023,” says Valéry Vander Geeten, legal manager at the Centre for Cybersecurity Belgium.
If you fall under the legal requirements, you must comply with the directive.
Valéry Vander Geeten uit, legal manager at the CCB
NIS2: more sectors covered
Up until now, the rules applied to the following sectors: transport, energy, finance, health care, drinking water, digital infrastructure and digital service providers. NIS2 provides for the expansion of the types of operators in some of the existing sectors and for the addition of new sectors, such as telecom operators, public administration entities, companies producing electronic products, food, and chemicals. “It should also be noted that prior identification by the competent sectoral authority would no longer be required. If you fall under the legal requirements, you must comply with the directive,” Vander Geeten says.
What does NIS2 mean? Which sectors are covered by the new regulations? The practical details have been summarized in a handy overview.
Authorizing ethical hackers
To make managers more accountable, the sanctions provided for in the new directive could also apply to the actual managers and not just the organization. And Vander Geeten points out an important new recommendation “that companies implement a coordinated vulnerability disclosure policy. This means setting rules in advance that allow people outside the company [i.e. ethical hackers] to look for potential vulnerabilities in its information systems. Organizations would then publish these rules on their website or on a bug-bounty platform.”
Cybersecurity isn't just an IT issue, it's part of corporate culture above all.
Valéry Vander Geeten uit, legal manager at the CCB
Cybersecurity at every level
Stricter legislation is beneficial to any organization, regardless of its size. The energy sector is obviously crucial to all other sectors and the security of its industrial systems is a major issue. The same goes for the public sector, as recent incidents have shown. "In the NIS2 proposal, micro or small businesses would be excluded, with numerous exceptions especially for entities that could impact public security, public safety or public health. Nevertheless, I think that everyone is concerned. Cybersecurity isn't just an IT issue, it's part of corporate culture above all."
A necessary evolution
No one will deny the need for the proposed changes at European level. The risks associated with cybercrime are increasing exponentially and legislation that is too limited in scope would be unreasonable in an increasingly digital and interconnected world. "There are major differences in the resources, maturity and resilience of operators between the various sectors. This is a strong argument for greater cross-sectoral harmonization in the implementation of NIS security rules," concludes Valéry.
Comply with European regulations.
Do you have questions about your organization’s security? Talk to one of our experts.
One
One magazine is the Proximus B2B magazine for CIOs and IT professionals in large and medium-sized organisations.