The NIS2 directive

How organizations can prepare

NIS2 is an EU directive focused on achieving a high common level of cybersecurity across EU Member States. Organizations in scope of the Directive will face new cybersecurity requirements. Because the transposition into national legislation has yet to be drafted, there is still some uncertainty about what the new requirements will look like in detail. Nevertheless, organizations should start taking the first steps now and, while doing so, take other EU digital regulations into account.

What is NIS2?

NIS2 is an EU directive that aims to achieve a high common level of cybersecurity across the European Union. The Directive entered into force in January 2023 and requires Member States to transpose it into national legislation by October 2024. The Directive sets out cybersecurity risk-management measures and reporting obligations. As the successor to the NIS Directive, NIS2 contains stronger requirements for a broader set of actors, including a broader set of mandatory cybersecurity risk-management measures and new incident notification requirements. The board will have a crucial and active role in approving cybersecurity risk-management measures. In the case of essential entities, board members can also face personal liability. Non-compliance can be punished with fines of up to EUR 10 million or 2% of global annual revenue.

To whom will NIS2 apply?

The following sectors fall in scope of the NIS2 Directive:

  • Category 1: energy; transport; banking; financial market infrastructures; health; drinking water; wastewater; digital infrastructure; ICT service management; public administration; space
  • Category 2: postal and courier services; waste management; manufacture, production and distribution of chemicals; food production, processing and distribution; manufacturing; digital providers; research

The Directive applies to organizations that operate in these sectors and have at least 50 employees and/or an annual turnover (and/or an annual balance sheet total) of at least EUR 10 million. Additionally, there are some specific cases in which the size of the organization is irrelevant.

Organizations that fall in scope of the NIS2 Directive will be at the minimum regarded as “important entities”. However, organizations mentioned in category 1 which have a minimum of 250 employees and/or an annual turnover of EUR 50 million and/or an annual balance sheet total of EUR 43 million, will be regarded as “essential entities”. Essential entities will face stricter supervision and enforcement than important entities.

It is important to identify at an early stage whether your organization falls in scope of the NIS2 Directive and, if so, whether it will be regarded as an “essential entity”.

What are the key topics?

For organizations in scope, the NIS2 Directive imposes risk-management and reporting obligations. As the Directive has yet to be transposed into national legislation, the NCSC acknowledges that there is still some uncertainty about the specific obligations organizations will face under NIS2. However, based on Deloitte’s analysis of the NIS2 Directive, your organization should at least pay attention to the following key topics: risk ownership, security requirements, supply chain security, and incident reporting.

Key topic 1: risk ownership

Under NIS2, the board is assigned a crucial and active role in ensuring compliance with the risk-management obligations. According to NIS2, the board must approve the cybersecurity risk-management measures taken by the organization and oversee their implementation. The Directive states that the board of an essential entity can be held personally liable for breach of its duty to ensure compliance with the Directive. Board members are also required to follow training in order to gain sufficient knowledge and skills to perform their responsibilities.

Key topic 2: security requirements

Article 21 of the NIS2 Directive lists the cybersecurity risk-management measures that essential and important entities must implement to protect their network and information systems. These measures include, but are not limited to, incident handling, business continuity and crisis management, basic cyber hygiene practices, and policies and procedures regarding the use of encryption.

Key topic 3: supply chain security

If your organization is in scope of NIS2, one of the risk-management measures mentioned above that deserves specific attention is supply chain security. As part of this measure, your organization should address the security-related aspects of its relationships with its suppliers and service providers. This includes identifying the vulnerabilities associated with each supplier and service provider. Another aspect to look into is the quality of their products and their cybersecurity practices, such as secure development procedures.

Key topic 4: incident reporting

In the case of a significant incident, essential and important entities will have to provide the government’s Computer Security Incident Response Team (CSIRT) or competent authority with an early warning within 24 hours and an incident notification within 72 hours. Furthermore, the organization’s customers must be informed of incidents that are likely to adversely affect the provision of the service they receive. Significant incidents are defined as incidents that cause severe operational disruption of services or financial loss for the organization, or that cause considerable material or non-material damage to other individuals or entities.

Supervision & enforcement

The NIS2 Directive stipulates both supervisory and enforcement measures. Essential entities can expect on-site inspections, off-site supervision and security scans, among other measures. Important entities can expect the same, but only if there is evidence, an indication or information that the important entity allegedly does not comply with the Directive.

Enforcement measures include warnings, binding instructions and administrative fines of up to EUR 10 million or 2% of the organization’s total global annual turnover. Management bodies can also face personal liability, and any natural person responsible for discharging managerial responsibilities at chief executive officer level in an essential entity can be temporarily prohibited from exercising managerial functions in that entity.

What are the next steps?

If your organization is in scope of the NIS2 Directive, it is important to start preparations early, as some of the key requirements mentioned above take time to implement. Deloitte therefore advises organizations to start preparing before the Dutch legislation is drafted, by improving the security and resilience of their processes and services.

While preparing for NIS2, your organization should consider other EU directives, regulations and acts. For instance, the Directive on the Resilience of Critical Entities (CER), the Cyber Resilience Act (CRA), the AI Act and the Digital Operational Resilience Act (DORA) may overlap with NIS2 in their obligations. The reporting obligations under the GDPR, for example, can be used as a basis for developing reporting capabilities for NIS2. By addressing multiple regulations at the same time, or by building on capabilities already established for other EU regulations, duplication of effort can be avoided.

Deloitte can help your organization address NIS2 in an integrated manner. Our approach is to use the capabilities that already exist within your organization as a basis for working towards NIS2 compliance, while taking other EU regulations into account. Even though there is still some uncertainty about how NIS2 will be implemented in Dutch legislation, we can help identify the necessary action points so that your organization can take the first steps. Our approach includes, but is not limited to:

  • A health check to provide a high-level overview of your organization’s key attention points for NIS2.
  • A readiness assessment to help identify the next steps and a roadmap for your organization.
  • The implementation of security capabilities, including incident response, third-party risk management, and training.
