Navigating NIS2: a guide to cybersecurity compliance
As of October 2024, NIS2 is legally mandatory, and to aid in preparation, the National Cyber Security Center has launched a self-evaluation tool. Organizations completing the self-evaluation can determine if they fall under the NIS2 directive and whether they are considered "essential" or "important" according to this directive for the functioning of society and/or the economy. Failure to comply with this law can result in legal consequences and potential fines. Therefore, it is crucial to make timely preparations and ensure that your organization complies with the requirements of NIS2.
What is NIS2?
The Network and Information Security Directive (NIS) has been in effect in the European Union since 2016. This directive aims to strengthen the security and information security of vital sectors through specific measures and regulations. To implement the NIS directive, member states must establish a national framework to ensure the security and resilience of network and information systems in vital sectors. This includes identifying vulnerabilities, establishing security measures, and setting up a coordination mechanism for incident response. The ultimate goal is to protect the digital infrastructure of the European Union from cyber threats and ensure that vital services continue to operate even in the event of a cyber attack.
Uncertainties in NIS1, and NIS2 as a solution
However, the current NIS1 directive appears to be unclear regarding measures and responsibilities, with inconsistencies in compliance and sanctions. This has led to the introduction of NIS2 as a supplement to NIS1.
Some points that may be unclear in NIS1 include:
- Uncertainties in the measures and responsibilities of NIS1.
- Inconsistencies in the compliance and sanctions of NIS1.
- The exact consequences and legal implications of non-compliance with the NIS1 directives.
- The role and responsibility of executives within organizations regarding information security according to NIS1.
- The impact of NIS1 on different sectors and suppliers.
- The specific measures and requirements for organizations to comply with the NIS1 directives.
The goal is to clarify these issues in NIS2.
Key points of the NIS2 directive
With the introduction of NIS2, the sectors are more clearly defined. In addition to vital/essential sectors, NIS2 also includes suppliers. This means that organizations need to make proper agreements with suppliers to ensure security. Furthermore, it is crucial for organizations to establish good collaboration and communication with their suppliers so that they can jointly implement and maintain the required security measures.
Another significant change under NIS2 is that executives within organizations will be held accountable and must demonstrate active involvement in information security. This means that executives must play a proactive role in ensuring the security of their organization. They must ensure adequate supervision of security measures and conduct regular checks and audits to evaluate the effectiveness of these measures.
In addition to increased executive liability, compliance monitoring with security regulations will also be intensified. This means that stricter checks and audits will take place to verify whether organizations comply with the required security standards. From October 2024, even stricter measures will be taken against executives who are negligent in information security, ranging from fines to legal consequences, depending on the severity of the negligence.
Organizations need to take these changes seriously and ensure that they are well-prepared for the new information security requirements.
Who does NIS2 apply to?
NIS2 applies, among others, to vital/essential sectors—sectors crucial for the proper functioning of a country. These sectors play a vital role in ensuring the basic needs of society, providing essential services, and maintaining the stability and security of the country.
Some examples of vital/essential sectors include:
- Transportation
- The energy sector
- Financial sector
- Healthcare
- Drinking water and wastewater management
- The government sector
- (Digital) infrastructure
- Aerospace
Within the digital infrastructure, various key components are included, such as data centers, network hubs, and internet access points. This infrastructure is essential for supporting modern communication and digital services crucial in our contemporary society.
When implementing NIS2, it is important to consider the size of organizations. Both medium-sized and large organizations play a significant role in ensuring the safety and resilience of vital/essential sectors. They must take appropriate measures to prevent and limit cyber threats and attacks.
Preparing for the NIS2 directive with the self-evaluation tool
The National Cyber Security Center has launched a self-evaluation tool to prepare organizations for the NIS2 directive. Using this tool, organizations can determine if they fall under the NIS2 directive and whether they are considered "essential" or "important" for the functioning of society and/or the economy. By completing the self-evaluation, organizations can ascertain whether they comply with the requirements of NIS2 and can take timely measures to comply with the new legislation. It is of great importance that organizations are aware of the potential legal consequences and fines that non-compliance with the NIS2 directive may bring. Therefore, it is advisable to use the self-evaluation tool and ensure that your organization complies with the requirements of NIS2. You can find the self-evaluation tool here.
Risk management and measures
Taking appropriate measures as an organization begins with risk management. This involves following a systematic approach to identify, assess, and control risks.
To ensure the quality and completeness of the measures taken, it is important to use multidisciplinary tools and standards. These tools and standards assist in identifying potential risks and implementing appropriate security measures.
When determining the measures, it is important to consider the objectives of the organization and the available resources. Additionally, it is essential to periodically evaluate the measures and adjust them if necessary.
Continuous pentesting as an effective NIS2 measure
An important part of security measures is the continuous pentesting of systems. Pentesting, also known as penetration testing, is a method used to check if someone with malicious intent can infiltrate the infrastructure. In the past, pentesting was often conducted once, and reporting only occurred if vulnerabilities were found. However, in the current era, continuous and regular pentesting is crucial. This means conducting tests regularly to check if the implemented security measures are still effective and to identify and address potential vulnerabilities promptly. Continuous pentesting should not only be carried out when a product is put into use but also regularly to ensure that the security measures comply with NIS2 legislation. This legislation specifically aims to ensure the security of digital systems and networks. Additionally, continuous pentesting can help identify new threats and attack methods that may arise in an ever-changing cyber landscape. By regularly conducting pentests, organizations can proactively respond to new security risks and improve their security measures.
In summary, continuous pentesting of systems has become an essential practice in modern times due to the increasing complexity of cyber threats. It provides organizations with the opportunity to proactively improve their security level and minimize the risks of breaches and data leaks.
Securing the digital landscape with NIS2: a continuous process
NIS2 is a significant step forward in better protecting the EU against cyber attacks and responding more effectively to such incidents. Organizations within vital sectors need to take the right measures and be aware of the impact of information security on their operations.
Continuous pentesting of systems is a crucial component of ensuring security and complying with NIS2 guidelines. By regularly conducting pentests, potential vulnerabilities can be identified and addressed promptly, strengthening the security of systems and data.