NIS2: Europe expands the scope of its regulations

Published on 28/09/2021 in News

NIS2: Europe expands the scope of its regulations

The NIS (Network and Information Security) Directive aimed to achieve a high level of security, but now NIS2 is here, bringing with it a broader scope to boost IT infrastructure resilience. It’s an evolution every organization needs to take seriously.

Three years later …

The NIS law, which stems from the European NIS Directive, was the first cybersecurity legislation to be passed in Belgium. Three years after it came into force, the Centre for Cybersecurity Belgium is relatively happy with companies’ compliance. “However, it’s still too early to fully assess the implementation of the rules. The first internal audits have just been carried out and the first external audits will take place in 2023,” says Valéry Vander Geeten, legal manager at the Centre for Cybersecurity Belgium.

If you fall under the legal requirements, you must comply with the directive.

Valéry Vander Geeten uit, legal manager at the CCB

author

NIS2: more sectors covered

Up until now, the rules applied to the following sectors: transport, energy, finance, health care, drinking water, digital infrastructure and digital service providers. NIS2 provides for the expansion of the types of operators in some of the existing sectors and for the addition of new sectors, such as telecom operators, public administration entities, companies producing electronic products, food, and chemicals. “It should also be noted that prior identification by the competent sectoral authority would no longer be required. If you fall under the legal requirements, you must comply with the directive,” Vander Geeten says.

What does NIS2 mean? Which sectors are covered by the new regulations? The practical details have been summarized in a handy overview.

NIS2 regulation Opens a new window

Authorizing ethical hackers

To make managers more accountable, the sanctions provided for in the new directive could also apply to the actual managers and not just the organization. And Vander Geeten points out an important new recommendation “that companies implement a coordinated vulnerability disclosure policy. This means setting rules in advance that allow people outside the company [i.e. ethical hackers] to look for potential vulnerabilities in its information systems. Organizations would then publish these rules on their website or on a bug-bounty platform.”

What is ethical hacking and how does it work? Two ethical hackers from the Proximus Accelerator Davinsi Labs answer 7 questions.

7 questions on ethical hacking

Cybersecurity isn't just an IT issue, it's part of corporate culture above all.

Valéry Vander Geeten uit, legal manager at the CCB

Cybersecurity at every level

Stricter legislation is beneficial to any organization, regardless of its size. The energy sector is obviously crucial to all other sectors and the security of its industrial systems is a major issue. The same goes for the public sector, as recent incidents have shown. "In the NIS2 proposal, micro or small businesses would be excluded, with numerous exceptions especially for entities that could impact public security, public safety or public health. Nevertheless, I think that everyone is concerned. Cybersecurity isn't just an IT issue, it's part of corporate culture above all."

A necessary evolution

No one will deny the need for the proposed changes at European level. The risks associated with cybercrime are increasing exponentially and legislation that is too limited in scope would be unreasonable in an increasingly digital and interconnected world. "There are major differences in the resources, maturity and resilience of operators between the various sectors. This is a strong argument for greater cross-sectoral harmonization in the implementation of NIS security rules," concludes Valéry.

Comply with European regulations.

Discover security services

Do you have questions about your organization’s security? Talk to one of our experts.

Contact our expert Opens a new window

The Centre for Cybersecurity Belgium is a federal administration, under the authority of the Prime Minister, charged with coordinating cybersecurity policy in Belgium.
Valéry Vander Geeten is Head of Legal Affairs at the Belgian Cybersecurity Center (CCB) as well as Data Protection Officer. He is also in charge of coordinating the adoption of the NIS directive in Belgium.

One

One magazine is the Proximus B2B magazine for CIOs and IT professionals in large and medium-sized organisations.

Other articles of One