What does the introduction of NIS2 mean for your company?

The NIS2 Directive enters into force in autumn 2024, with the aim of further improving cybersecurity and incident management in the EU Member States. What companies does NIS2 apply to? Who monitors its application, what sanctions have been determined and what is the effect in terms of insurance? We explain these points.


What exactly is the NIS2 Directive?

The second Network and Information Security Directive (the ‘NIS2 Directive’) is the successor to the NIS Directive adopted by the European Union in 2016. The NIS Directives aim to strengthen the EU Member States’ level of collective cybersecurity by increasing the enforcement requirements in this area for critical infrastructure sectors.

The NIS2 Law will enter into force in Belgium on 18 October 2024, reinforcing cybersecurity measures, incident management and the supervision of entities providing services that are essential for maintaining critical social or economic activities. The law will also improve the coordination of government policy in the field of cybersecurity. With it, the federal legislators will implement the provisions of the NIS2 Directive, thus continuing and extending the provisions of the previous NIS Directive on cybersecurity, which will be repealed.

What companies fall within the Directive’s scope?

An entity falls within the Directive’s scope if it is active in any of the sectors, subsectors or types of services listed in 'sectors of high criticality’ or ‘other critical sectors’ and is of a certain size.

[Infographic: NIS2 sectors of high criticality and other critical sectors. Source: Centre for Cybersecurity Belgium (CCB)]

In principle, the Directive concerns large and medium-sized enterprises (enterprises with more than 50 employees and more than 10 million euros in annual turnover). Small and micro enterprises fall outside its scope unless explicitly stated otherwise.

[Infographic: NIS2 size thresholds for essential and important entities. Source: Centre for Cybersecurity Belgium (CCB)]

What if your enterprise falls within the Law’s scope?

Entities falling within the scope of the NIS2 Law are required to take ‘appropriate and proportionate’ measures to secure their network and information systems, to prevent and manage cyber threats and incidents and to limit the consequences of incidents for their customers and for other services. They are required, among other things, to undertake risk management measures and risk assessments and provide training in cybersecurity, security obligations for personnel and so on.

In addition, such entities have a reporting obligation in the event of serious and significant incidents. In the event of a serious incident, the entity must immediately issue a warning: this must be done within 24 hours of becoming aware of the incident at the latest. Official notification must also be given within 72 hours of becoming aware of the incident, and entities must submit a final report to the supervisory authorities within one month of the definitive response to the incident.

In addition to the mandatory notification of serious and significant incidents by essential and important entities, there is the possibility of voluntary reporting of non-significant incidents or of significant incidents, cyber threats or near-miss incidents by entities not subject to the NIS2 Law.

What body is in charge of monitoring?

The inspection service of the national cybersecurity authority, the Centre for Cybersecurity Belgium (CCB), is responsible for carrying out checks and ensuring that essential and important entities are taking appropriate measures to manage cybersecurity risks and complying with the rules on incident notification.

For essential entities, a mandatory conformity assessment by the CCB is proposed. Important entities may also undergo a conformity assessment, but on a voluntary basis, as such entities are only required to undergo checks after an incident.

All entities that fall within the scope of the law are required to register with the CCB and provide accurate information about their activities.

What sanctions are there for non-compliance with NIS2?

There are two kinds of sanction: administrative sanctions and fines. The fines vary depending on whether the business is essential or important:

  • For businesses classified as essential, there are potential fines of up to 10 million euros or 2% of their total annual worldwide turnover in the preceding financial year.
  • For businesses considered to be important, the maximum fines are 7 million euros or 1.4% of their total annual worldwide turnover in the preceding financial year.

It is up to the governing bodies or managers of essential and important entities to approve cybersecurity risk management measures and monitor their implementation, as they can be held liable for any breaches.

To ensure that they understand the measures they approve, members of the governing bodies of essential and important entities must attend cybersecurity training and provide such training to their employees on a regular basis. Managers must acquire sufficient knowledge and skills to identify risks to their organisation and to be able to assess cybersecurity measures and how they affect their organisation.

Possible measures include warnings, recommendations, supervision, binding instructions, targeted and ad hoc inspections, disclosure obligations and administrative fines.

How does NIS2 affect insurance?

Arranging cyber insurance is an important part of the precautionary measures that the entities concerned need to take for NIS2.

Before arranging cyber insurance, a company must have a number of essential elements of cybersecurity (such as multi-factor authentication and offline backups) in place. This means that it must carry out a thorough risk assessment and take appropriate measures in order to be able to arrange the insurance – which is good for the company’s cyber resilience.

In addition, the insurance will enable companies to seek assistance from experts in the event of an incident, so that it can be dealt with as efficiently and quickly as possible. Cyber insurance thus both provides financial protection and ensures business continuity.

Given that specific conditions are imposed on the directors of the entities concerned, the importance of arranging directors’ liability insurance should not be underestimated.

We do not expect any immediate problems with cover under either type of policy due to the introduction of NIS2. Insurers will most likely wait and see whether the changes have any effects.
