
NIS2 guideline for accounting firms: what minimum cybersecurity measures should you take?

The new NIS2 directive requires accounting firms to take more measures to prevent cybersecurity breaches. The European cyber law has been in effect since January 16, 2023. The Netherlands and other member states have until October 2024 to implement the legislation nationally. This means that from that point on, accountants will have to comply with new cybersecurity guidelines.

What is the new NIS2 directive?

The new NIS2 directive tightens the requirements for essential businesses and adds obligations for “important businesses,” including accounting firms. In an earlier article, we explained what the new directive entails and what changes compared to NIS1. The main difference is the expansion to “important businesses” in addition to essential businesses, which the directive already applied to. Accounting firms are also considered important businesses and must adhere to stricter cybersecurity guidelines from 2024 onwards.

What changes for accounting firms?

Accounting firms already have to comply with guidelines for good IT documentation, especially regarding the information security that safeguards the continuity and reliability of automated data processing and addresses its risks (ISA 315 (COS 315) of the IAASB). Accounting firms are also required to report on cybersecurity based on an expert examination (Article 2:393 paragraph 4 BW).

Additionally, new rules are being added. For example, the board of directors is now responsible for the firm's cybersecurity; it is no longer solely the responsibility of an IT partner within the firm. The new directive adds three other changes:

  • List of minimum basic security measures
    The directive is more concrete, thanks to a list of minimum basic security measures that businesses must apply. The directive imposes an approach to risk management.
  • Dealing with security in the supply chain
    Businesses must address security risks in their supply chain, including risks that arise from supplier relationships.
  • Stricter oversight
    National authorities may conduct stricter oversight and enforcement. The new directive aligns sanction rules and reporting requirements more equally across all member states.

Will you be fined if you don’t comply?

Accounting firms that do not comply with the new directive will receive a warning and then a reminder. The local authority may then impose fines, up to a maximum of 10 million euros or two percent of the annual turnover.

What risks do accounting firms face?

The European Union designates accounting firms as important businesses. Cyber risks have an impact on the firms themselves as well as on the broader society. Of course, accountants have long been aware of the risk posed by cybercrime. For example, Skopos research shows that the majority of accountants believe that information security should receive more attention.

Accounting firm Grant Thornton points to a shift from making money to malicious intent and the increasing risks that come with it. Moreover, it has already been reported that Dutch companies are being hacked by Russian intelligence services.

The SRA, which represents 375 independent accountants with 900 branches in the Netherlands as a network organization, reports that accounting firms are increasingly encountering, for example, ransomware, malware, and cryptojacking.

Preventing cybercrime: what can you do as an accounting firm?

Based on the new NIS2 directive, accounting firms must take adequate measures from 2024 onwards to prevent cybersecurity breaches or limit their consequences. You can already take action in the run-up to the new directive. The SRA recommends, for example:

  • Mapping risks
    You can only take appropriate measures if you know what risks your accounting firm faces. Ensure that you map out the risks or engage external specialists for that. Within the risks, distinguish between those for direct service provision and business continuity. Classify the risks to create a list of priorities and take the appropriate measures.
  • A cybersecurity policy framework
    Develop a cybersecurity policy framework to think organization-wide about cyber risks and the important measures. Start with a simple A4 sheet outlining the principles, frameworks, and different responsibilities. Later, expand this to a more comprehensive policy, such as those focused on specific cyber risks facing your accounting firm.
  • Preparing for data breaches and hacks
    Prepare for data breaches and hacks, because every organization can experience them. Create a plan outlining who should respond, how they should respond, and what recovery measures are necessary. Keep track of all incidents and analyze what happened. Close the gaps in security and verify whether the measures are delivering the intended outcomes.
  • Take concrete measures
    Take concrete measures wherever security gaps remain, and implement the measures specified in the new NIS2 directive to prepare for the changes in 2024. Enhance cybersecurity both within your accounting firm and in supplier relationships: the new directive requires businesses to consider cybersecurity across the entire supply chain.
  • Outsource IT to specialists
    Outsource IT and cybersecurity to specialists who deal with these issues daily. Also, hire specialists to migrate applications to the cloud or add, improve or change other IT services. They develop based on Security by Design, thinking about (cyber)security at every step.

In addition, some basic measures can directly improve the cyber resilience of your accounting firm, such as:

  • Multi-factor authentication (MFA) for all digital accounts
  • Regular (automated) backups
  • Use of a password manager with a complex master password
  • Set up a notification for emails from external senders
  • Make contact lists available offline
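The fourth measure in the list above, a visible notification on email from external senders, is one of the few that can be set up in a few lines. The following is an added example, not code from the article or from Guardey; it assumes a Microsoft 365 tenant with Exchange Online and the ExchangeOnlineManagement PowerShell module, and the rule name, tag text and banner wording are placeholders you would adapt to your firm.

```powershell
# Added example (not from the original article): mark mail from outside the
# organization so staff can recognise it. Assumes Microsoft 365 / Exchange Online
# and the ExchangeOnlineManagement module; run as an Exchange administrator.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in with an admin account

# Option 1: the built-in "External" tag that Outlook and Outlook on the web show
# on messages that originate outside the organization.
Set-ExternalInOutlook -Enabled $true

# Option 2: a mail flow (transport) rule that prepends a subject tag and a banner,
# so the warning is visible in any mail client, including mobile apps.
$ruleName = "Tag external senders (example)"   # placeholder name

if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization `
        -SentToScope InOrganization `
        -PrependSubject "[EXTERNAL] " `
        -ApplyHtmlDisclaimerLocation Prepend `
        -ApplyHtmlDisclaimerText "<p style='color:#a00'>Caution: this message came from outside the organization. Verify payment requests, invoices and attachments before acting on them.</p>" `
        -ApplyHtmlDisclaimerFallbackAction Wrap `
        -Comments "NIS2 basic measure: make external email recognisable to staff"
}

# Verify what is in place: the rule should be Enabled and the built-in tag On.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, FromScope, SentToScope, PrependSubject
Get-ExternalInOutlook
```

The rule is idempotent: running the script twice does not create a duplicate. If a known partner or client domain should not be tagged, add `-ExceptIfSenderDomainIs` with that domain to the rule rather than disabling the tag; an untagged phishing mail is exactly the case the measure exists to prevent.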

Make it easy with Guardey

As an accounting firm, you may feel overwhelmed by all of this. After all, you’d rather focus on your accounting work. So, let Guardey take care of cybersecurity for you. We offer a complete solution for secure connectivity, protection against harmful software, and professional (but fun!) employee training.

With Guardey, you choose a complete cybersecurity solution in one go. We are entirely plug & play, so it’s straightforward, accessible, and affordable.

Discover our solution or ask us any questions. We’ll be happy to explain how Guardey can protect your accounting firm from all digital threats and how to comply with the NIS2 directive from 2024!

Frequently Asked Questions

What is Guardey in short?

You just want to know what Guardey is, in a few lines, without scrolling through the whole website. We've got you covered. Here you are:

Guardey focuses on three parts of your cyber security:

  • Secure connectivity
    A safe and encrypted VPN connection via Guardey's secure infrastructure or a Site-to-Site VPN.
  • Monitoring and alerts
    We analyze the data packets passing through the VPN tunnel, give clear insights into your data infrastructure, and provide alerts in case of threats like ransomware, viruses, and irregularities in your network.
  • Employee awareness
    Your cyber security is as strong as your weakest link. With Guardey, you can educate your whole team and increase awareness in a fun and efficient way through gamification.

It’s an advanced software as a service with applications for Windows and Mac OSX and an online platform for reporting and managing your teams and company policies.

How does the free trial work?

Your free 14-day trial with Guardey is based on our Basic plan. In our basic plan, all the alarms will only be available for yourself or your own company, and you manage the alarms in-house. We don’t need any payment information to start your trial, and you can invite as many users as you want.

The majority of SMEs don't have an in-house IT department or a team of cyber security specialists. Therefore, we also offer Guardey co-managed and Guardey custom. In both plans, you are able to connect Guardey to a preferred Guardey IT partner or, of course, your own IT partner.

They can semi or fully manage the alarms and the health of your infrastructure so that you can focus on your business.

After your 14 days of the free trial, you can decide if you want to continue with a paid plan. Upgrading during your trial period means you stop your trial and upgrade to a paid plan. You need a verified payment method to upgrade.

How can I pay after the trial period?

We don’t ask for any payment information to start your trial.

If you want to upgrade during or after your free trial to a paid plan, you can use one of the below payment methods:

  1. Credit cards (Visa, MasterCard, American Express, Maestro, PostePay, Cartes Bancaires)
  2. PayPal
  3. Direct Debit (iDeal SEPA)

Can I up- or downgrade to a different plan?

Yes, you can! You can always upgrade immediately, and the costs are calculated pro rata on your next invoice. A downgrade takes effect from your next payment period.


Anouk ter Harmsel
