NIS2

What is NIS2?

The NIS2 directive is the successor to the NIS directive (where NIS stands for Network and Information Systems / Security). NIS2 is sometimes called the "GDPR of cybersecurity."

This directive aims to improve the digital resilience of EU member states and, in particular, to achieve a higher level of information security and cybersecurity among both public authorities and private companies. After all, the increasing degree of digitization and (cross-border) interconnection of digital systems increases cyber vulnerability.

To better meet these challenges, additional measures need to be taken. NIS2 aims to achieve this by harmonizing the regulations of EU member states in that area.

The precursor to the NIS2 directive was implemented in Belgium in 2019 through the law establishing a framework for the security of network and information systems of public interest for public safety, also called the NIS law. Although the new directive is called NIS2, its title no longer refers to "security of network and information systems," but instead refers more generically to "cybersecurity."

NIS 2 aims not only to boost the cybersecurity of governments and private companies, but also to improve cooperation among EU member states in that area. This includes setting up and/or strengthening cooperation programs and better sharing of information on vulnerabilities.

On April 18, 2024, the law transposing the NIS2 directive was approved by the Belgian parliament, and on May 17, 2024 it was published in the Belgian Official Gazette. The NIS2 law entered into force on Oct. 18, 2024.

What sectors are covered by NIS2?

The number of enterprises covered by NIS 2 has increased compared to NIS. These include, among others, enterprises operating in the sectors listed in Annexes I and II of the NIS2 Act:

Highly critical sectors (Annex I)

  • Energy (electricity, district heating and cooling, petroleum, natural gas, hydrogen)
  • Transportation (air, rail, water, road)
  • Banking
  • Financial market infrastructure
  • Healthcare (hospitals but also reference laboratories, manufacturers of medical devices or pharmaceutical preparations and others)
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • Management of ICT services (business-to-business)
  • Government (central and regional)
  • Space

Other critical sectors (Annex II)

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Food production, processing and distribution
  • Manufacture (of medical devices and in vitro diagnostic medical devices; computer, electronic and optical products; electrical equipment; machinery and equipment n.e.c.; motor vehicles, trailers and semi-trailers; other transport equipment)
  • Suppliers of digital services
  • Research

Is every company in these sectors covered by NIS2?

Not every company that falls into one of the above sectors must automatically comply with NIS2. This is the case only when the company is considered an essential entity or a significant entity according to the following criteria:

Essential entity

  • Active in a sector mentioned in Annex I of NIS 2 and
  • a "large" enterprise: 250 employees or more, or an annual turnover of more than EUR 50 million and a balance sheet total exceeding EUR 43 million

Significant entity

  • Active in a sector mentioned in Annex I of NIS 2 and
  • a "medium-sized" enterprise: 50 to 249 employees with an annual turnover between EUR 10 and 50 million or a balance sheet total between EUR 10 and 43 million

or

  • Active in a sector mentioned in Annex II of NIS 2 and
  • a large or medium-sized enterprise according to the above criteria

Some exceptions exist for which these size criteria do not apply, such as providers of public electronic communication networks, DNS service providers, providers that are considered critical or that pose systemic risks, as well as central government agencies.

The main difference between essential entities and significant entities is that essential entities are subject to a more intensive supervisory regime. Supervision of compliance with NIS2 obligations can be either ex ante or ex post. For significant entities, a lighter regime applies in which supervision takes place only ex post, where there are indications of non-compliance with NIS 2, or where incidents are alleged to have occurred.

Small enterprises or micro-enterprises are not likely to fall within the scope of NIS 2. This may be different, however, if their product or service is critical and the enterprise is designated by royal decree, after which NIS2 does apply.

What cybersecurity measures should be taken?

To manage cybersecurity risks, NIS2 prescribes a number of measures. These measures are risk-based, taking into account the state of the art and the associated implementation costs.

NIS 2 does include measures that must be implemented as a minimum, including, among others:

  • An information systems risk analysis and security policy;
  • incident handling;
  • ensuring business continuity;
  • supply chain security;
  • cyber hygiene and cybersecurity training;
  • an access policy;
  • multifactor authentication.

In addition to the measures to be taken, NIS 2 also focuses on sharing and receiving information with and through the national CSIRT. For example, NIS 2 contains extensive reporting obligations, requiring companies to report incidents to the appropriate authorities within 24 hours. The report within 24 hours is regarded as an early warning and is followed by further reporting obligations: within 72 hours an actual incident notification, and within one month a report describing the incident, its cause, the actions taken and the consequences of the incident.

What are the penalties for non-compliance with NIS2?

Failure to comply with NIS2 can result in fines of up to EUR 10 million or 2% of annual turnover for essential entities, and up to EUR 7 million or 1.4% of annual turnover for significant entities.

NIS 2 also affects the governing bodies of companies covered by NIS2. After all, the law makes them personally liable if the obligations to take measures to manage cybersecurity risks are not complied with. In this respect, the explanatory memorandum refers not only to the board of directors but also to senior management as majority shareholders!

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be