What does the NIS2 directive mean for your business?

Published on 05/09/2024 in Expert talks

The NIS2 Directive will come into force on October 18, 2024. Companies must take the appropriate measures to ensure their cybersecurity. Valéry Vander Geeten of the CCB and our expert Bart Callens set out the preparations you should prioritize.


What exactly is NIS2?

The NIS2 Directive (Directive (EU) 2022/2555 of December 14, 2022) requires organizations to protect themselves from cyber threats and to adopt strict security measures for critical infrastructure and personal data. It aims to strengthen the security of network and information systems and to ensure the resilience of society and the economy with regard to cybersecurity.

Expanding on NIS1

As its name suggests, NIS2 succeeds the NIS1 directive from 2016. The differences are significant. “NIS2 requires a much larger number of organizations to implement a comprehensive cybersecurity risk management framework,” says Valéry Vander Geeten, Head of Legal at the Centre for Cybersecurity Belgium (CCB). “It adds 12 new sectors to the six sectors of NIS1. We distinguish between essential and important organizations.”

In addition to the nature of the activities, the size of the entity also matters. NIS2 applies to certain organizations operating within the 18 sectors as soon as an entity has at least 50 employees or an annual turnover (or balance sheet total) of more than 10 million euros.

Valéry Vander Geeten
Head of Legal
Centre for Cybersecurity Belgium


So the fact that a company does not meet the general criteria of the scope of the law does not mean that it is automatically exempt from the NIS2 requirements.

Bart Callens, product manager cybersecurity Proximus NXT


Indirectly involved in the NIS2 directive

NIS2 also provides a more comprehensive and incisive framework. “One significant new measure is that organizations covered by NIS2 regulations are supposed to oversee the quality of the cybersecurity of their direct suppliers and service providers. As a result, companies not within the scope of NIS2 will still be indirectly involved,” Valéry asserts.

Management indirectly involved in NIS2 guidelines

Bart Callens notes that companies often present Proximus NXT with questions regarding involvement within the supply chain. “The fact that a company is not active in one of the sectors in the annexes to the law does not mean that it can ignore these obligations. In practice, a large number of companies need to be compliant.”

The NIS2 Act requires organizations to have policies in place on risk analysis and information systems security. This includes internal training. That obligation applies in particular to members of governing bodies. “One of the most notable changes is the explicit liability that NIS2 imposes on management,” Bart continues. “That makes it important for directors to manage cybersecurity threats proactively and to stay alert to potential ones.” Bart notes that this means NIS2 is not just an IT or security project: it draws the entire C-level in with it.

Bart Callens
Product Manager Cybersecurity
Proximus NXT


Companies should not view NIS2 as a burden. It is there to help them increase their resilience.

Valéry Vander Geeten, Centre for Cybersecurity Belgium


Essential and important organizations also have an obligation to report incidents that have a significant impact on the provision of their services. “An early warning must be issued within 24 hours of becoming aware of the incident and a notification sent within 72 hours,” Valéry points out.

NIS2 guarantees increased resilience

But just how far-reaching is NIS2 for an organization? “A great deal depends on the security maturity already in place. If a company is ISO 27001-certified, the step toward NIS2 will be much smaller compared to a company with a less structured security approach,” Bart asserts.

Valéry believes that “companies should not consider that path as a burden because, in fact it helps them increase their resilience with respect to cyber incidents.” According to Bart, the attitude towards NIS2 has changed among businesses. “There was some ambiguity initially: does my company fall under the scope or not, and what do we have to do? Now that the CCB has developed a clear framework and provided tools, such as the Cyberfundamentals Framework (CyFun ®), many companies see NIS2 as an important link toward an optimized security policy.”

External support

There is no single answer to the question of whether or not a company should go down the NIS2 route on its own. “A lot depends on internal capacity and knowledge, available time and procedures already in place,” Valéry says. Bart agrees. “The CCB offers several tools on its website to guide companies (see 7 steps to comply with NIS2 legislation). At the same time, there are already a lot of off-the-shelf solutions for every CISO and CIO, but they can also opt for company-specific solutions. Consequently, external support can add value in many cases.”

Proximus NXT conducts full NIS2 assessments with the customer. “We work out the current security maturity score and point out actions to raise that level. This results in a practical and realistic roadmap towards NIS2, within the predetermined period. If desired, we guide and support the customer through its entire NIS2 compliance process and ensure that it remains compliant. This guidance is provided by Proximus NXT experts with years of experience as CISO through the CISO-as-a-service service.”

NIS2 attestation and sanctions

Essential organizations must have their NIS2 implementation regularly reviewed and assessed by a conformity assessment body. They are expected to achieve the assurance level basic or major by April 18, 2026, and the final level must be certified by April 18, 2027. Important organizations can also submit to regular conformity assessment. Once audited, the appropriate label or certificate counts as a presumption of conformity. In the event of insufficient compliance with the NIS2 Act, sanctions can be imposed, including various administrative measures and administrative fines.

The employee as a strong link in the chain

For cybercriminals, employees remain a favorite target. This is why they are often described as the 'weakest link'. The modern security approach seeks to make the employee the strongest link instead.
