Cyber attacks caused about $7 billion in damages in 2021. So it’s not surprising that stricter rules are being put in place to deal with this kind of crime. They are also working hard on it at the European level. But these new rules are not just for big companies, nor are they optional. How do you make sure you comply with the new cybersecurity guidelines?
When do you need to be NIS2 compliant?
Through the introduction of new European guidelines (NIS2), the European Union aims to force companies to get their cybersecurity act in order. The objective: preventing cyber attacks from disrupting all or parts of society in the future. As a company, you need to be in control of your cyber risks. NIS2 is now an official EU directive that still needs to be translated into national legislation by the individual member states. It is expected that Dutch companies, including SMEs, will have to comply with this new legislation by late 2024.
Also applicable for SMEs
The NIS cybersecurity directive currently in place only affects large enterprises in vital industries. This all changes with NIS2. In fact, it will apply to a lot more sectors, including SMEs. As an SME, it is high time for you to take a serious look at whether NIS2 will also apply to you. And if it does? Then you need to have your protective digital measures in place. The cybersecurity specialists of Joanknecht can help you do that. Failure to comply with NIS2 not only makes you vulnerable to cyber attacks, you can also be heavily fined. And these sanctions can really hurt. Count on a maximum of 2% of global turnover (and no more than 10 million euros), so basically as much as a ransomware attack would cost.
Why should you get your cybersecurity into shape?
Cybersecurity is essential for every business. And the benefits of setting up your cybersecurity correctly are manifold. Just think of these examples:
- Protection of your corporate data and systems
- Reduced risk of a data breach
- Preservation of your company’s reputation
- And, of course, retaining your customers 😉!
Make no mistake. Cybersecurity incidents are the order of the day. We all want to prevent these kinds of incidents. It is important to reduce your attack surface, and that can only be done by taking the right measures.
Does your company fall under NIS2? Then it’s time to take action!
NIS2 requires you to comply with more stringent cybersecurity measures. This is serious business, because a cyberattack can have major consequences for your business.
Want to know if your company falls under NIS2? Then you can check the following:
- Are your business operations classified as ‘essential activities’?
According to the European Commission, the definition of ‘essential activities’ is broken down into eight key sectors: transport, healthcare, banking, financial markets, digital infrastructure, drinking water supply, sewage disposal and energy supply. The size of the business is secondary. Even small courier services, local software companies, data centres and logistics parties will be affected by NIS2. The Dutch legislator plans to have a definition of industries that fall under NIS2 compliance later this year.
- Do you do business with suppliers or supply chain partners engaged in essential activities?
NIS2 is aimed at the entire supply chain. This includes companies that do not carry out essential activities themselves but that do business with organisations that fall under that heading. So you will need to identify whether your supply chain partners fall under this category. Do you supply software to parties such as KPN or PostNL? Do you do business with a carrier that also ships medical equipment? Do you supply hardware to a small energy supplier? In all these cases, you will need to comply with NIS2.
- Are those essential activities carried out anywhere within the European Union?
For NIS2, it is not where you are based, but where you carry out the activities. This is called ‘extraterritoriality’. So if you offer services that are considered essential activities anywhere in the European Union, then you have to comply with the new directive. Even if you do business with a non-European party that performs essential activities in the European Union!
What you need to arrange for NIS2
Is your answer to one or more of these questions ‘yes’? Then you’ll need to roll up your sleeves. That is, if you don’t already have your security in order. Be sure to start off with the following basic measures:
- Perform a full-scale IT risk assessment and link measures to risks;
- Install software updates as soon as they are offered;
- Ensure that each application and system generates sufficient log information (log info contains a record of all the activities that take place in a network or application);
- Apply multi-factor authentication (2FA) where necessary;
- Determine who has access to data and services based on functions and roles. For example, establish role-based access control (RBAC);
- Segment the network. If the company network is divided into several separate zones, a single incident cannot simply take the whole network down;
- Check which devices and services can be accessed from the internet. Protect these with a firewall, anti-malware and a virus scanner;
- Encrypt any storage media such as USB sticks, external hard drives and company phones that contain sensitive company information;
- Back up systems on a regular basis and also be sure to test the backups.
You need to be able to demonstrate that the basic measures are in place in your organisation. Depending on the situation in your organisation, additional measures may also need to be taken.
How can Joanknecht help you with your NIS2 compliance?
NIS2 may mean you have some work in store. Do a thorough risk analysis and organise the associated risk management procedures. It’s about your capacity to respond to incidents, and about making sure the incident response plan is actually tested by the people and teams involved. The experienced cybersecurity specialists of Joanknecht can support you in becoming NIS2 compliant. Let us help you with:
- Determining whether your business falls under NIS2.
- Conducting a risk inventory (and setting up risk management).
- Drafting a cybersecurity plan that meets NIS2 requirements.
- Implementing the required cybersecurity measures.
- Monitoring the effectiveness of cybersecurity measures.
- Identifying alternative supply chains.
- Training your staff in cybersecurity awareness.
Our specialists work closely with you to develop a cybersecurity plan that is tailored to your specific requirements. We also assist you with the implementation of your cybersecurity measures and monitor the effectiveness of those measures.
Enforcing NIS2 compliance: you could be next
Don’t comfort yourself by thinking that the fines won’t be too bad. The fines issued since the GDPR entered into force aren’t that bad either, right? They most certainly are. But enforcement of the GDPR is done based on an ex-post facto policy: control after serious suspicion of non-compliance by a company. NIS2 will soon be enforced based on an ex-ante policy. That means random checks will take place. So who knows, it might just be your turn next.
Get in touch with our cybersecurity experts.
Make sure that your systems are in order. Familiarise yourself with the subject and take action now – don’t wait for the new directive to come into force. And please do not hesitate to ask one of our cybersecurity specialists for advice. They’ve been around the block a few times.
Lucas Vousten | +31 (0)40 240 9516 | lvousten@joanknecht.nl
Ties Meesters | +31 (0)40 240 9459 | tmeesters@joanknecht.nl