NIS2 & Cbw: The basics and measures to comply

The NIS2 directive will come into force from 17 October 2024. Not complying is not an option and could lead to huge fines and penalties.

vBoxx Team | NIS2 & Cbw

Published on: September 2, 2024
Last Update: September 2, 2024

The NIS2 Directive, adopted by the European Union, aims to improve cybersecurity and resilience of essential services within the EU. It replaces the original NIS directive and expands its scope by placing more sectors under strict security and reporting standards. The directive is a response to increasing global threats, such as pandemics, geopolitical conflicts and climate change, and emphasises the need for a harmonised approach to cybersecurity in Europe.

In the Netherlands, the directive is implemented in the Cyber Security Act (Cbw), which introduces new obligations: registration, a duty of care and a duty to report. Organisations should prepare themselves, as the directive will come into force from 17 October 2024. Failure to comply could lead to hefty fines and other penalties, and essential entities will be proactively monitored. Implementation requires a strategic approach, with organisations having to evaluate and strengthen their cyber security measures.

CAUTION!

The NIS2 directive sets a deadline of 17 October 2024 to comply. The Netherlands is translating the directive into the Cyber Security Act and is not on schedule. Stick to the deadline anyway: organisations in countries that do finish on time may make compliance a condition for doing business with you!

Our aim with this article is to help you and your organisation as much as possible get started with the, sometimes somewhat confusing, NIS2 directive. In addition, vBoxx is happy to help walk you through your organisation to discover what specifically needs to be done to comply with the upcoming Cybersecurity Act. You will then receive a report from us afterwards with concrete steps to be taken. The NIS2 scan is completely free and you can make use of our large network of partners to get help in complying with each measure.

Audit your organisation
Report after meeting
Access to partners

What is the NIS2-directive?

The NIS2 directive, adopted by the European Union, is an updated and expanded version of the original NIS directive, which aims to improve cybersecurity and resilience of essential services in EU member states. This directive expands the scope by including more sectors and sets stricter standards for security and incident reporting. The directive is currently being implemented into Dutch law.

The reason for the NIS2 directive lies in recent global developments such as the COVID-19 pandemic, the war in Ukraine, increasing cyber threats and the impact of climate change, which put pressure on the security of society and the economy. The directive aims to strengthen the digital and economic resilience of EU member states in response to these challenges.

The NIS2 directive focuses on reducing risks that threaten network and information systems, particularly in the area of cybersecurity. This contributes to more European harmonisation and a higher level of cybersecurity for businesses and organisations in the EU. The directive replaces the first NIS directive, which in the Netherlands was included in the Network and Information Systems Security Act (Wbni) in 2016. In the Netherlands, the NIS2 directive is translated into the Cyber Security Act (Cbw), which replaces the Wbni.

A number of obligations (Dutch) have been put in place within the NIS2 and CER directives. Organisations covered by the NIS2 directive are required to register in an entity register. This register, managed by the National Cyber Security Centre (NCSC), provides a European overview of all entities covered by the directive.

The NIS2 directive introduces a duty of care that requires organisations to carry out risk assessments and take appropriate measures to protect their services and systems based on these assessments. Board members of these organisations must approve these measures and oversee their implementation, for which they must also undergo training.

In addition, the NIS2 directive establishes a notification requirement, requiring organisations to report incidents that could disrupt the continuity of essential services to a regulator within 24 hours. Cyber incidents must also be reported to the Computer Security Incident Response Team (CSIRT), which can provide support. There will be a central reporting point for reports through the NCSC.

Finally, organisations covered by the NIS2 directive will be subject to monitoring. This involves checking their compliance with obligations, such as the duty of care and notification. It is currently being determined which sectors will fall under which specific regulators.

Who does the NIS2 directive apply to?

What are highly critical sectors, other critical sectors, large organisations, medium-sized organisations, essential entities and important entities, and what are the exceptions to the rule? We explain that here. To check directly whether your organisation falls under NIS2, and in which category, you can use the central government's NIS2 self-assessment tool (Dutch). If you prefer a visual overview, download the government's infosheet (Dutch) on compulsory registration, which contains a flow chart for determining whether your organisation needs to comply. The following image is from the Government's Cyber Security Act infosheet (Dutch) and gives a clear visual presentation of what is discussed below.

Figure: Overview of sectors, entities, and criteria. SOURCE (Dutch)

To determine whether an organisation falls under the NIS2 directive, the government first uses the distinction (Dutch) between highly critical sectors and other critical sectors. Then, depending on the size of the organisation, it is determined whether the organisation is an essential entity or an important entity.

(Highly) critical sectors

The highly critical sectors (Annex 1) are:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Healthcare
  • Drinking water
  • Digital infrastructure
  • ICT service management
  • Wastewater
  • Government services
  • Local authorities
  • Space

The other critical sectors (Annex 2) are:

  • Digital providers
  • Postal and courier services
  • Waste management
  • Food products
  • Chemicals
  • Research
  • Manufacturing

Does your organisation fall within a highly critical or other critical sector? Then you may need to comply with the NIS2 directive. The size of the organisation then determines this definitively, although there are exceptions.

Does your organisation fall under NIS2?

Based on the size of the organisation, it will be determined whether the organisation is essential or important. Although not everything has been determined yet, the major difference is that essential entities will be subject to active oversight, while important entities will be subject to retrospective oversight where warranted. Either way, if you fall under the NIS2 directive you have to get started.

What is a medium-sized and large company?

A large organisation has: 1) at least 250 people employed, OR 2) an annual turnover of more than 50 million euros AND a balance sheet total of more than 43 million euros.

A medium-sized organisation has: 1) at least 50 people employed, OR 2) an annual turnover of more than 10 million euros AND a balance sheet total of more than 10 million euros.

Below, size and sector are combined to determine whether an organisation is essential or important. There are some exceptions to the above size rules. The following organisations are always covered by the Cybersecurity Act, regardless of size: the government sector, trust service providers, top-level domain name registries, DNS service providers, domain name registration service providers, and providers of public electronic communication networks and services. In addition, a line minister can still designate a smaller company to be covered by the Cybersecurity Act.

Essential or Important?

Large organisations from a sector listed in Annex 1 (highly critical sectors) are essential entities. The exceptions just mentioned, such as government, always fall under essential entities. Organisations designated as a 'Critical Entity' under the CER Directive are also essential entities.

All other organisations in scope are classified as important entities. These are medium-sized organisations in an Annex 1 sector (highly critical), and large and medium-sized organisations in an Annex 2 sector (other critical sectors).

When does the Cyber Security Act come into effect?

The NIS2 directive was adopted by the European Union at the end of 2022. The EU has set a deadline of 17 October 2024 for all member states. Some member states, such as Germany, say they will meet this date. However, the Dutch government already indicated in January that it is not going to meet this deadline. D. Yesilgöz-Zegerius, Minister of Justice and Security, wrote in a letter to the House (Dutch): “I aim to subsequently present the bills to your Chamber in the autumn of this year.”

However, the fact that the Government will not meet the deadline does not mean that your organisation should not be prepared. The Minister also indicated that early preparation is crucial, given the huge shortage of cybersecurity specialists. There is another extremely important point to consider: organisations in other member states that are already compliant can already require NIS2 compliance from their suppliers. Belgium and Germany are likely to meet the deadline, and these are precisely the most important export countries for the Netherlands.

In short, stick to the 17 October deadline! At the time of writing, that gives your organisation only two months to fully comply with all the requirements of the NIS2 directive. No reason to panic yet, but it is essential to start right away. We are happy to help with that, together with our network of partners.

Consequences of failing to comply

Apart from potentially lost business, you can also face substantial fines if you fail to comply. For essential entities, non-compliance is likely to come to light soon, as there are checks in advance. For important entities, it often only comes to light after the fact, which is arguably much worse, as by then a cybersecurity incident will already have occurred and triggered an audit.

Besides the fact that, from a responsibility standpoint, cybersecurity must simply be in order, an organisation can also face high fines. Chapter VII, Article 34 of the NIS2 Directive sets the maximum fines:

  • “not less than EUR 10 000 000 or not less than 2% of the total annual worldwide turnover in the preceding financial year of the company to which the essential entity belongs, whichever is higher.”

and

  • “with a maximum amount of at least EUR 7 000 000 or at least 1.4% of the total annual worldwide turnover in the previous financial year of the company to which the key entity belongs, whichever amount is higher.”

The further, sometimes far-reaching, enforcement tools that the regulator can use if the legislation is not complied with are described below under Supervision.

Tangible steps towards compliance

Above, we already briefly mentioned the four obligations prescribed by the Cybersecurity Act: Duty to Register, Duty to Report, Supervision and the most important: Duty of Care.

Registration requirement

Using the information above, determine whether your organisation is covered by the Cybersecurity Act. The government's self-assessment tool (Dutch) can also help with this. The National Cyber Security Centre (NCSC) is currently working on an online registration system where organisations can register as NIS2 entities. This will also provide a European overview of NIS2 entities.

Duty to report

A central reporting point for incident reports is also being set up by the NCSC. This will allow organisations to report incidents in one place to both the regulator and the Computer Security Incident Response Team (CSIRT), which offers organisations support and advice in the event of an incident.

When to report?

Significant incidents should be reported within 24 hours. An incident is, according to the Cybersecurity Act, significant if it:

  1. caused or may cause serious operational disruption of services or financial losses for the entity concerned; or
  2. affected or may affect other entities by causing significant material or immaterial damage.

Reporting process

Figure: Reporting process. SOURCE (Dutch)

  1. Within 24 hours, an early warning should be issued stating whether the incident is suspected to be malicious and whether it could have a significant impact.
  2. Within 72 hours, an official incident report should be made with an assessment of the incident, its impact and the IoCs (indicators of compromise: the traces and evidence that point to the incident).
  3. An interim status report may be required at the request of the CSIRT or the relevant competent authority.
  4. A final report should be made within 1 month of the incident. If the incident is still ongoing after one month, a progress report is sufficient; the final report then follows later.

Supervision

Essential entities are subject to proactive supervision, i.e. even when there are no incidents. For important entities, this supervision takes place retrospectively, after an incident. The tools regulators can use for essential entities are: an inspection officer, a security scan, a security audit, disclosure of the breach, a binding instruction, an order subject to a penalty, a request to suspend a certification or licence, a request to suspend board members, and an administrative fine.

Important entities may face a security scan, a security audit, disclosure of the breach, a binding instruction, an order subject to a penalty, and an administrative fine.

Duty of care

Last is the most important obligation: the duty of care. This is what you need to work on with your organisation, and it is the bare minimum that must be in order. In addition, there may be additional standards and frameworks for specific sectors, e.g. healthcare or government. vBoxx is happy to help walk through your organisation to discover what specifically needs to be done. You will receive this from us in a report afterwards. You can request our free NIS2 scan and then use our large network of partners to get help in complying with each measure.

Much helpful information and detailed descriptions and steps of these measures can also be found on the website of the Digital Trust Center (Dutch) of the Ministry of Economic Affairs and Climate. The information below on measures also comes largely from this website.

Your next steps

There are many facets involved in complying with the new Cybersecurity Act. Many of the basic systems can be adopted from and provided by vBoxx: think of cloud storage, e-mail, calendars, video calls, password management, servers, backups and more. Together with our network of partners, many of the measures can be achieved.

Our partner Gart Solutions is an IT partner specialised in secure and resilient infrastructure setup, cloud migration, DevOps, IT consulting and other solutions for NIS2 compliance.

For complex systems and issues, they are available to share their 15-year expertise with you. Combined with vBoxx's services and infrastructure, this ensures a watertight solution for the most important parts of your organisation!

Let us think along and schedule the NIS2 scan below. That way, we can look together at suitable solutions and which partners can help. Entirely free and without obligation, of course!

Also watch the webinar we gave on NIS2 and in particular measure 7: supply chain security. Or read the blog post about measure 7.

Schedule a free NIS2 scan and get advice!

vBoxx is happy to help walk through your organisation to discover what specifically needs to be done to comply with the upcoming Cybersecurity Act.


vBoxx Team

vBoxx is on a mission to make the corporate world a safer space with a focus on data and privacy. Sharing our knowledge is important to us and we try our absolute best to get to the bottom of topics about the online world and privacy.
