
New European laws and regulations: NIS2

Tuesday, July 16, 2024

The new law NIS2 is coming. Do you know what to expect?


A new law implementing the European NIS2 directive (Directive (EU) 2022/2555, the second Network and Information Security Directive) is expected to take effect in 2025. What does this legislation entail, and to which organizations does it apply? We explain in this article.


NIS2 (the Network and Information Security Directive) is a European directive that sets requirements for the security of network and information systems. Each member state transposes it into national law.

The directive aims to raise the security level of network and information systems across the EU, so that organizations are better protected against cyber attacks and the impact of incidents is limited.

It applies to designated organizations and, through them, to their suppliers. Its predecessor, the NIS1 directive, took effect in Europe in 2018. That directive mainly applied to digital service providers and operators of essential services in a limited set of sectors. NIS2 adds a number of sectors and brings many more organizations into scope.

NIS2 requires all essential and important entities in the following sectors, and their suppliers where contractually required, to meet its obligations:

Sectors covered by NIS2:

Essential sectors:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Health Care
  • Drinking water
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Wastewater
  • Government services
  • Local governments
  • Space

Important sectors:

  • Digital providers
  • Postal and courier services
  • Waste management
  • Food
  • Chemicals
  • Research
  • Manufacturing

Large organizations operating in the essential sectors of the Cybersecurity Act are considered essential entities. An organization counts as large if it has at least 250 employees, or if it has both an annual turnover of more than €50 million and a balance sheet total of more than €43 million.

Medium-sized organizations have at least 50 employees, or an annual turnover or balance sheet total of more than €10 million, without meeting the threshold for a large organization. Medium-sized organizations in the essential sectors are considered important entities, as are large and medium-sized organizations in the important sectors. Note that the size criteria are a guideline, not an absolute rule: certain organizations (for example sole providers of a service in a member state, or providers of public electronic communications networks) can fall within scope regardless of size.

Obligations of the NIS2

Duty of Care:
You are responsible for assessing the risks in the services you provide and for taking appropriate technical and organizational measures to secure them. Examples are logging and reviewing access to systems, and monitoring activity on your network for signs of compromise.

Does an incident occur?
If a significant incident occurs, you are required to report it to the competent authority in three stages:
  • an early warning within 24 hours of becoming aware of the incident;
  • an incident notification within 72 hours, including an initial assessment of severity and impact;
  • a final report within one month of the incident notification.

Comply with laws and regulations

All organizations in the essential and important sectors listed above must comply with the NIS2 requirements. An organization that fails to comply may face substantial fines: for essential entities up to €10 million or 2% of global annual turnover, whichever is higher; for important entities up to €7 million or 1.4% of global annual turnover, whichever is higher. The measures NIS2 expects include:

  • Implementation of security policies: every organization should implement an information security policy that keeps information secure and protects it from unauthorized persons.
  • Periodic risk assessments and controls: organizations should periodically identify risks and threats and actively take measures to mitigate them.
  • Incident response planning: if an incident occurs, a plan should already be in place that details the steps to be taken, including the reporting deadlines above.
  • Business continuity and crisis management: organizations should have plans for how to keep critical services running during a disruption and how to recover from the resulting damage, such as backups and recovery procedures.
  • Supply chain management: organizations in the relevant sectors should ensure that their suppliers meet comparable security requirements, and should lay this down in their agreements with those suppliers.
  • Encryption: data should be encrypted in transit and at rest, so that data intercepted or exfiltrated during a cyber attack cannot be read without the keys.
  • Sharing vulnerabilities: the European Union encourages cooperation across the IT sector and the sharing of information about vulnerabilities and cyber attacks, so that others can prevent similar incidents.

Why EasySecure?

Within EasySecure, security and privacy are very important to us. We therefore choose strong security measures and work with carefully selected hosting partners, using our own European data center. Our cloud software is checked, tested and updated monthly to maintain our high quality standard.

EasySecure is ISO 27001 certified, and our business operations are aligned with the NIS2 directive.

We focus on continuous improvement of our security measures and document this in agreements with our suppliers, cooperation partners and supply chain partners. In this way we work to keep the EasySecure software and associated services in line with the NIS2 directive.

In the coming period, these laws and regulations will be further developed and implemented at the European and national level. In the coming years, they will continue to evolve, and we will continue to incorporate them directly into our business operations.

Questions?

Do you have questions about the NIS2 directive? We are happy to help you get started and to provide you with information. Please contact us for a no-obligation consultation so that we can advise you as well as possible.
