
NIS2 guideline for accounting firms: what minimum cybersecurity measures should you take?

The new NIS2 directive requires accounting firms to take more measures to prevent cybersecurity breaches and to limit their impact. The directive entered into force on January 16, 2023. The Netherlands and the other member states have until October 17, 2024 to transpose it into national law, so from that date accountants will have to comply with the new cybersecurity obligations.

What is the new NIS2 directive?

The new NIS2 directive tightens the requirements for essential entities and adds a second category, “important entities,” which includes accounting firms. In an earlier article, we explained what the new directive entails and what changes compared to NIS1. The main difference is the expansion of scope: far more sectors and organizations are covered, split into essential entities (a category that broadly existed under NIS1) and important entities (new). Accounting firms count as important entities and must meet the stricter cybersecurity requirements from 2024 onwards.

What changes for accounting firms?

Accounting firms already have to comply with standards on IT documentation, in particular on information security as it affects the continuity and reliability of automated data processing and the risks around it (ISA 315, the Dutch COS 315, issued by the IAASB). In addition, under Article 2:393 paragraph 4 of the Dutch Civil Code (BW), the auditor must report findings on the reliability and continuity of the client’s automated data processing as part of the statutory audit.

Additionally, new rules are being added. For example, the management body (board of directors) is now explicitly accountable for the firm’s cybersecurity: it must approve the risk-management measures, oversee their implementation, follow training itself, and can be held liable for failing to do so. Cybersecurity can no longer be left solely to an IT partner within the firm. The new directive adds three other changes:

  • List of minimum basic security measures
    The directive is more concrete than NIS1: Article 21 lists ten minimum measures every entity must apply, including risk analysis and information security policies, incident handling, business continuity and backup management, supply chain security, secure acquisition and development of systems, assessing whether measures actually work, cyber hygiene and training, cryptography, access control and asset management, and multi-factor authentication and secure communications. These must follow an all-hazards, risk-based approach.
  • Dealing with security in the supply chain
    Businesses must address security risks in their supply chain, including risks that arise from their relationships with individual suppliers and service providers.
  • Stricter oversight
    National authorities get stronger supervision and enforcement powers. The new directive also harmonizes sanctions and incident-reporting requirements across all member states, including a 24-hour early warning and a 72-hour notification for significant incidents.

Will you be fined if you don’t comply?

Accounting firms that do not comply can first expect a warning and binding instructions from the national supervisory authority. If those are ignored, the authority may impose administrative fines. For important entities, the category accounting firms fall into, the directive sets the ceiling at 7 million euros or 1.4 percent of worldwide annual turnover, whichever is higher; for essential entities it is 10 million euros or 2 percent. Members of the management body can also be held personally liable for failing to oversee compliance.

What risks do accounting firms face?

The European Union designates accounting firms as important entities. Cyber risks affect the firms themselves as well as their clients and the broader society, since accountants hold sensitive financial data for many organizations at once. Of course, accountants have long been aware of the risk posed by cybercrime. For example, Skopos research shows that the majority of accountants believe information security should receive more attention.

Accounting firm Grant Thornton points to a shift in attacker motivation from financial gain toward deliberate harm, and to the increasing risks that come with it. Moreover, it has already been reported that Dutch companies have been hacked by Russian intelligence services.

The SRA, which represents 375 independent accountants with 900 branches in the Netherlands as a network organization, reports that accounting firms are increasingly encountering, for example, ransomware, malware, and cryptojacking.

Preventing cybercrime: what can you do as an accounting firm?

Based on the new NIS2 directive, accounting firms must take adequate measures from 2024 onwards to prevent cybersecurity breaches or limit their consequences. You do not have to wait for the national legislation; you can already take action in the run-up to the new directive. The SRA recommends, for example:

  • Mapping risks
    You can only take appropriate measures if you know what risks your accounting firm faces. Map out the risks yourself or engage external specialists to do so. Distinguish between risks to direct service provision (for example, losing access to client files during the filing season) and risks to business continuity. Classify the risks by likelihood and impact to create a list of priorities, and take measures in that order.
  • A cybersecurity policy framework
    Develop a cybersecurity policy framework so that the whole organization thinks about cyber risks and the key measures. Start with a simple one-page document outlining the principles, the frameworks you follow, and who is responsible for what. Later, expand this into more detailed policies, for example on the specific cyber risks facing your accounting firm.
  • Preparing for data breaches and hacks
    Prepare for data breaches and hacks, because every organization can experience them. Create an incident response plan that states who responds, how, and which recovery measures are needed, and include the NIS2 reporting deadlines. Record every incident and analyze what happened. Close the gaps in security and verify whether the measures are delivering the intended outcomes.
  • Take concrete measures
    Take concrete measures where security gaps remain, or adopt the minimum measures specified in the new NIS2 directive now to be ready for 2024. Improve cybersecurity both within your accounting firm and in your supplier relationships: the new directive requires businesses to consider cybersecurity across the entire supply chain, so ask your software and hosting providers what they do and put it in the contract.
  • Outsource IT to specialists
    Outsource IT and cybersecurity to specialists who deal with these issues daily. Also engage specialists to migrate applications to the cloud or to add, improve, or change other IT services. They work according to Security by Design, considering (cyber)security at every step. Outsourcing does not transfer your responsibility under NIS2, so keep oversight of what your providers do.

In addition, some basic measures can directly improve the cyber resilience of your accounting firm, such as:

  • Multi-factor authentication (MFA) for all digital accounts, starting with email, remote access, and accounting and tax software
  • Regular, automated backups, with at least one copy kept offline or otherwise out of reach of ransomware, and periodic restore tests
  • Use of a password manager with a strong, unique master password
  • A visible warning on emails from external senders, so staff spot spoofed colleague or client addresses
  • Contact lists (clients, suppliers, IT partners, authorities) available offline, so you can still communicate during an outage

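The external-sender warning above is one of the few items on this list that is a pure configuration change. The following PowerShell is an added example, not code from the original article or from Guardey; it assumes the firm uses Microsoft 365 with Exchange Online, that the administrator has the ExchangeOnlineManagement module installed and the necessary role, and that the rule name and banner text are the firm’s own choice. It enables Outlook’s native “External” tag and, for mail clients that do not render that tag, adds a mail flow rule that prepends a subject tag and a banner.

```powershell
# Added example (not from the original article): flag inbound mail from outside
# the organization in Exchange Online so staff get an explicit external-sender cue.
# Assumptions: Microsoft 365 tenant, ExchangeOnlineManagement module installed,
# an admin account with rights to change organization config and transport rules.
# Rule name and banner wording are arbitrary and can be changed.

Connect-ExchangeOnline

# 1) Native "External" tag shown by Outlook and Outlook on the web.
#    Applies tenant-wide; no subject rewriting, so replies and threading stay clean.
Set-ExternalInOutlook -Enabled $true

# 2) Fallback for clients that do not render the native tag: a mail flow rule that
#    matches mail whose sender is outside the organization (-FromScope
#    NotInOrganization) and is addressed to internal recipients, then prepends a
#    subject tag and an HTML banner. Internal mail is not matched, so it stays untagged.
New-TransportRule -Name "Tag external senders" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject "[EXTERNAL] " `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText "<p style='color:#9F3A38'>This email came from outside the firm. Do not open attachments or act on payment instructions without verifying the sender.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Verify both settings took effect.
Get-ExternalInOutlook | Format-List Enabled, AllowList
Get-TransportRule -Identity "Tag external senders" | Format-List Name, State, PrependSubject

Disconnect-ExchangeOnline -Confirm:$false
```

Prefer the native tag where possible and treat the subject-rewriting rule as optional: prepending to the subject changes what recipients see when they reply or search, and some integrations key on subject lines. If a trusted partner domain should not be tagged, it can be excluded from the native tag with `Set-ExternalInOutlook -AllowList @{Add="partner.example"}`, but keep that list short, because a spoofed or compromised partner mailbox is exactly the case the warning is meant to catch.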
Make it easy with Guardey

As an accounting firm, you may feel overwhelmed by all of this. After all, you’d rather focus on your accounting work. So, let Guardey take care of cybersecurity for you. We offer a complete solution for secure connectivity, protection against harmful software, and professional (but fun!) employee training.

With Guardey, you choose a complete cybersecurity solution in one go. We are entirely plug & play, so it’s straightforward, accessible, and affordable.

Discover our solution or ask us any questions. We’ll be happy to explain how Guardey can protect your accounting firm from all digital threats and how to comply with the NIS2 directive from 2024!

Frequently Asked Questions

What is gamification?

Gamification is adding game elements into non-game environments, such as security awareness training, to increase participation and foster active learning.

What are the benefits of gamification in security awareness training?

Traditional security awareness training can often be dry and boring. With gamification, the complex subject matter is transformed into an engaging and memorable experience.

By integrating game elements such as challenges, quizzes and rewards, it incentivizes users to actively learn. This makes the training more enjoyable and fosters a sense of competition and achievement. This combination drives better retention and application of cyber security knowledge.

Why is it important to train security awareness on a weekly basis?

Research shows that up to 90% of what is learned in yearly or even quarterly training is forgotten within a few weeks. Guardey was built to keep its users aware of cyber threats 365 days a year. The game consists of short, weekly challenges that gradually build up the user’s knowledge and eventually drive lasting behavior change.

Which topics are covered in Guardey’s security awareness game?

Guardey covers a wide array of topics to train users about all currently relevant cyber threats, put together in collaboration with ethical hackers and educationalists. The topics covered include phishing, remote work, password security, CEO fraud, ransomware, smishing, and much more.

How much time do the weekly challenges take?

Every challenge takes up to three minutes to complete.

Can I use Guardey to comply with the ISO27001, NIS2, and GDPR security awareness policies?

Yes. ISO 27001 (control A.6.3 on awareness, education and training), NIS2 (Article 21 on cyber hygiene practices and training) and the GDPR (awareness-raising and training of staff involved in processing) all require that employees receive appropriate security awareness training. Guardey’s content is kept up to date with current cyber threats, and completion records can be used as evidence for audits.

Is security awareness training important for all employees, or just specific roles?

Cybersecurity awareness training is crucial for all employees, not just specific roles. Every staff member can potentially be a target or an unwitting entry point for cyber attacks. Training helps create a security-focused culture and minimizes risks for the entire organization.

While certain roles may require specialized training, a foundational level of training should be accessible to everyone.

In which languages is Guardey available?

Guardey is available in English, Dutch, Italian, French, Spanish, German, Polish, Swedish and Danish.
