8 March 2023 • General
The new NIS2 directive requires accounting firms to take more measures to prevent cybersecurity breaches. The European cyber law has been in effect since January 16, 2023. The Netherlands and other member states have until October 2024 to implement the legislation nationally. This means that from that point on, accountants will have to comply with new cybersecurity guidelines.
What is the new NIS2 directive?
The new NIS2 directive tightens the requirements for essential businesses and adds obligations for “important businesses,” including accounting firms. In an earlier article, we explained what the new directive entails and what changes compared to NIS1. The main difference is that, in addition to the essential businesses the directive already covered, it now also applies to “important businesses.” Accounting firms fall into this category and must adhere to stricter cybersecurity guidelines from 2024 onwards.
What changes for accounting firms?
Accounting firms already have to comply with guidelines for good IT documentation, especially regarding information security, which covers the continuity and reliability of, and the risks in, automated data processing (ISA 315 (COS 315) of the IAASB). Accounting firms are also required to report on cybersecurity based on an expert examination (Article 2:393 paragraph 4 BW).
Additionally, new rules are being added. For example, the board of directors is now responsible for the cybersecurity of the accounting firm; it is no longer just the responsibility of an IT partner within the firm. The new directive adds three other changes:
- List of minimum basic security measures
The directive is more concrete, thanks to a list of minimum basic security measures that businesses must apply. The directive imposes an approach to risk management.
- Dealing with security in the supply chain
Businesses must address security risks in their supply chain, including risks that arise from supplier relationships.
- Stricter oversight
National authorities may conduct stricter oversight and enforcement. The new directive aligns sanction rules and reporting requirements more equally across all member states.
Will you be fined if you don’t comply?
Accounting firms that do not comply with the new directive will receive a warning and then a reminder. The local authority may then impose fines, up to a maximum of 10 million euros or two percent of the annual turnover.
What risks do accounting firms face?
The European Union designates accounting firms as important businesses. Cyber risks have an impact on the firms themselves as well as on the broader society. Of course, accountants have long been aware of the risk posed by cybercrime. For example, Skopos research shows that the majority of accountants believe that information security should receive more attention.
Accounting firm Grant Thornton points to a shift from making money to malicious intent and the increasing risks that come with it. Moreover, it has already been reported that Dutch companies are being hacked by Russian intelligence services.
The SRA, a network organization representing 375 independent accountants with 900 branches in the Netherlands, reports that accounting firms are increasingly encountering, for example, ransomware, malware, and cryptojacking.
Preventing cybercrime: what can you do as an accounting firm?
Based on the new NIS2 directive, accounting firms must take adequate measures from 2024 onwards to prevent cybersecurity breaches or limit their consequences. You can already take action in the run-up to the new directive. The SRA recommends, for example:
- Mapping risks
You can only take appropriate measures if you know what risks your accounting firm faces. Ensure that you map out the risks or engage external specialists for that. Within the risks, distinguish between those for direct service provision and business continuity. Classify the risks to create a list of priorities and take the appropriate measures.
- A cybersecurity policy framework
Develop a cybersecurity policy framework to think organization-wide about cyber risks and the most important measures. Start with a simple A4 sheet outlining the principles, frameworks, and different responsibilities. Later, expand this into a more comprehensive policy, such as policies focused on the specific cyber risks facing your accounting firm.
- Preparing for data breaches and hacks
Prepare for data breaches and hacks, because every organization can experience them. Create a plan outlining who should respond, how they should respond, and what recovery measures are necessary. Keep track of all incidents and analyze what happened. Close the gaps in security and verify whether the measures are delivering the intended outcomes.
- Take concrete measures
Take concrete measures where security gaps remain, or implement the measures specified in the new NIS2 directive to prepare for the changes in 2024. Enhance cybersecurity both within your accounting firm and in supplier relationships: the new directive requires businesses to consider cybersecurity across the entire supply chain.
- Outsource IT to specialists
Outsource IT and cybersecurity to specialists who deal with these issues daily. Also hire specialists to migrate applications to the cloud or to add, improve, or change other IT services. They work according to Security by Design, thinking about (cyber)security at every step.
In addition, some basic measures can directly improve the cyber resilience of your accounting firm, such as:
- Multi-factor authentication (MFA) for all digital accounts
- Regular (automated) backups
- Use of a password manager with a complex master password
- Set up a notification for emails from external senders
- Make contact lists available offline
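One way to implement the external-sender notification from the list above, as an added example that is not from the article or from Guardey: assuming the firm runs Microsoft 365 with the Exchange Online PowerShell module installed and an account holding the Exchange administrator role, the script below switches on Outlook's built-in external tag and creates a mail flow rule that marks the subject of every message that arrives from outside the tenant. The rule name and comment are placeholders.

```powershell
# Added example (not from the original article or Guardey).
# Assumes: Microsoft 365 / Exchange Online, the ExchangeOnlineManagement module
# installed, and a signed-in account with the Exchange administrator role.

# Sign in to Exchange Online (interactive browser login).
Connect-ExchangeOnline

# Option 1: enable Outlook's native "External" sender tag for the whole tenant.
# Outlook and Outlook on the web then show a visual marker on mail from outside.
Set-ExternalInOutlook -Enabled $true

# Option 2: a mail flow (transport) rule that prepends a marker to the subject
# of mail sent from outside the organisation to recipients inside it. This works
# in every mail client, not only Outlook.
$ruleName = "Tag external senders"   # placeholder rule name

# Create the rule only if it does not exist yet, so the script can be re-run safely.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization `
        -SentToScope InOrganization `
        -PrependSubject "[EXTERNAL] " `
        -Comments "NIS2 basic measure: make mail from external senders recognisable"
}

# Verify that the rule exists and is enabled.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, FromScope, SentToScope, PrependSubject

Disconnect-ExchangeOnline -Confirm:$false
```

The subject tag is a visual cue for staff, not a technical control: it helps people notice a message that pretends to come from a colleague or client, but it does not replace MFA, backups, or mail filtering, which is why the list above combines these measures rather than relying on any single one.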
Make it easy with Guardey
As an accounting firm, you may feel overwhelmed by all of this. After all, you’d rather focus on your accounting work. So, let Guardey take care of cybersecurity for you. We offer a complete solution for secure connectivity, protection against harmful software, and professional (but fun!) employee training.
With Guardey, you choose a complete cybersecurity solution in one go. We are entirely plug & play, so it’s straightforward, accessible, and affordable.
Discover our solution or ask us any questions. We’ll be happy to explain how Guardey can protect your accounting firm from all digital threats and how to comply with the NIS2 directive from 2024!