NIS2 guideline for accounting firms: what minimum cybersecurity measures should you take?

The new NIS2 directive requires accounting firms to take more measures to prevent cybersecurity breaches. The European cyber law entered into force on January 16, 2023. The Netherlands and the other member states have until October 17, 2024 to transpose it into national legislation. From that point on, accountants will have to comply with the new cybersecurity requirements.

What is the new NIS2 directive?

The new NIS2 directive tightens the requirements for essential businesses and adds obligations for “important businesses,” including accounting firms. In an earlier article, we explained what the new directive entails and what changes compared to NIS1. The main difference is the expansion to “important businesses” in addition to the essential businesses that were already covered under NIS1. Accounting firms are also considered important businesses and must adhere to stricter cybersecurity guidelines from 2024 onwards.

What changes for accounting firms?

Accounting firms already have to comply with guidelines for good IT documentation, in particular on information security that safeguards the continuity and reliability of automated data processing and addresses the risks to it (ISA 315 of the IAASB, COS 315 in the Dutch standards). Accounting firms are also required to report on cybersecurity based on an expert examination (Article 2:393 paragraph 4 BW).

Additionally, new rules are being added. For example, the management body (the board) of the accounting firm is now itself accountable for cybersecurity; it can no longer be left solely to an IT partner within the firm. The new directive adds three other changes:

  • List of minimum basic security measures
    The directive is more concrete, thanks to a list of minimum basic security measures that businesses must apply, and it mandates a risk-management approach. The areas the directive names include policies on risk analysis and information system security, incident handling, business continuity (backups, disaster recovery, crisis management), supply chain security, secure acquisition and development of systems including vulnerability handling, procedures to assess whether the measures are effective, basic cyber hygiene and training, cryptography, access control and asset management, and multi-factor authentication and secured communications.
  • Dealing with security in the supply chain
    Businesses must address security risks in their supply chain, including risks that arise from supplier relationships.
  • Stricter oversight
    National authorities may conduct stricter oversight and enforcement. The new directive aligns sanction rules and reporting requirements more equally across all member states.

Will you be fined if you don’t comply?

Accounting firms that do not comply with the new directive can first expect a warning and binding instructions from the supervisory authority. The authority may then impose fines. For important businesses the maximum is 7 million euros or 1.4 percent of the total worldwide annual turnover, whichever is higher; for essential businesses it is 10 million euros or 2 percent.

What risks do accounting firms face?

The European Union designates accounting firms as important businesses. Cyber risks have an impact on the firms themselves as well as on the broader society. Of course, accountants have long been aware of the risk posed by cybercrime. For example, Skopos research shows that the majority of accountants believe that information security should receive more attention.

Accounting firm Grant Thornton points to a shift in attackers’ motives from financial gain to deliberate harm, and to the increasing risks that come with it. Moreover, it has already been reported that Dutch companies are being hacked by Russian intelligence services.

The SRA, which represents 375 independent accountants with 900 branches in the Netherlands as a network organization, reports that accounting firms are increasingly encountering, for example, ransomware, malware, and cryptojacking.

Preventing cybercrime: what can you do as an accounting firm?

Based on the new NIS2 directive, accounting firms must take adequate measures from 2024 onwards to prevent cybersecurity breaches or limit their consequences. You can already take action in the run-up to the new directive. The SRA recommends, for example:

  • Mapping risks
    You can only take appropriate measures if you know what risks your accounting firm faces. Ensure that you map out the risks or engage external specialists for that. Within the risks, distinguish between those for direct service provision and business continuity. Classify the risks to create a list of priorities and take the appropriate measures.
  • A cybersecurity policy framework
    Develop a cybersecurity policy framework to think organization-wide about cyber risks and the important measures. Start with a simple A4 sheet outlining the principles, frameworks, and different responsibilities. Later, expand this to a more comprehensive policy, such as those focused on specific cyber risks facing your accounting firm.
  • Preparing for data breaches and hacks
    Prepare for data breaches and hacks, because every organization can experience them. Create a plan that sets out who responds, how they respond, and what recovery measures are necessary. Log every incident and analyze what happened. Close the gaps in security and verify whether the measures are delivering the intended outcomes.
  • Take concrete measures
    Take concrete measures wherever security gaps remain, and align them with the measures specified in the new NIS2 directive so you are ready for the changes in 2024. Strengthen cybersecurity both within your accounting firm and in supplier relationships: the new directive requires businesses to consider cybersecurity across the entire supply chain.
  • Outsource IT to specialists
    Outsource IT and cybersecurity to specialists who deal with these issues daily. Also, hire specialists to migrate applications to the cloud or add, improve or change other IT services. They develop based on Security by Design, thinking about (cyber)security at every step.

In addition, some basic measures can directly improve the cyber resilience of your accounting firm, such as:

  • Multi-factor authentication (MFA) for all digital accounts
  • Regular (automated) backups
  • Use of a password manager with a complex master password
  • Set up a notification for emails from external senders
  • Make contact lists available offline
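The external-sender notification in the list above is worth showing in code, because the point of the tag is not the tag itself but what it lets staff notice. The following Python script is an added example, not code from this article or from Guardey. It assumes a hypothetical internal mail domain (example-accountants.nl) and a hypothetical list of staff display names, and the sample messages are constructed. It goes slightly beyond the bullet: besides prefixing the subject of mail from outside the organization, it flags the CEO-fraud pattern in which an external address carries the display name of a staff member.

```python
"""Tag inbound mail from external senders and flag display-name impersonation.

Added example (not from the article or from Guardey). The internal domain,
the staff list and the sample messages below are all constructed for
illustration.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List, Tuple

ORG_DOMAINS = {"example-accountants.nl"}        # assumed internal domain(s); exact match, add subdomains if used
STAFF_NAMES = {"jan jansen", "anna de vries"}   # assumed staff display names, lower-cased
EXTERNAL_TAG = "[EXTERNAL] "


def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From: header, lower-cased ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_external(from_header: str) -> bool:
    """A missing or malformed From: counts as external (fail closed)."""
    return sender_domain(from_header) not in ORG_DOMAINS


def impersonates_staff(from_header: str) -> bool:
    """External mail whose display name matches a staff member.

    The display name is chosen by the sender and is what most mail clients
    show; the address is what actually routes. A match here is the classic
    CEO-fraud / invoice-fraud pattern.
    """
    name, _ = parseaddr(from_header)
    return is_external(from_header) and name.strip().lower() in STAFF_NAMES


def tag_message(raw: str) -> Tuple[str, List[str]]:
    """Return (subject to deliver, warnings) for one RFC 5322 message."""
    msg = message_from_string(raw)
    from_header = msg.get("From", "")
    subject = msg.get("Subject", "")
    warnings: List[str] = []
    if is_external(from_header):
        # Do not stack tags on replies and forwards that were already tagged.
        if not subject.startswith(EXTERNAL_TAG):
            subject = EXTERNAL_TAG + subject
        warnings.append(f"external sender: {parseaddr(from_header)[1] or '<no address>'}")
        if impersonates_staff(from_header):
            warnings.append("display name matches a staff member but the address is external")
    return subject, warnings


# Constructed sample messages (CRLF line endings as on the wire).
INTERNAL_MSG = (
    "From: Jan Jansen <jan.jansen@example-accountants.nl>\r\n"
    "Subject: Q3 figures\r\n\r\nSee attached.\r\n"
)
IMPERSONATION_MSG = (
    "From: Jan Jansen <jan.jansen.ceo@gmail.com>\r\n"
    "Subject: Urgent payment\r\n\r\nPlease wire the amount today.\r\n"
)
TAGGED_EXTERNAL_MSG = (
    "From: Supplier Support <support@supplier.example>\r\n"
    "Subject: [EXTERNAL] Invoice 1234\r\n\r\nInvoice attached.\r\n"
)

if __name__ == "__main__":
    for raw in (INTERNAL_MSG, IMPERSONATION_MSG, TAGGED_EXTERNAL_MSG):
        subject, warnings = tag_message(raw)
        print(subject, warnings)
```

The same logic is usually expressed as a transport rule or mail-filter condition in the mail platform rather than as a script; the script shows what that rule must compare (the routing address, not the display name) and why a mail with no usable From: should be treated as external rather than trusted.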

Make it easy with Guardey

As an accounting firm, you may feel overwhelmed by all of this. After all, you’d rather focus on your accounting work. So, let Guardey take care of cybersecurity for you. We offer a complete solution for secure connectivity, protection against harmful software, and professional (but fun!) employee training.

With Guardey, you choose a complete cybersecurity solution in one go. We are entirely plug & play, so it’s straightforward, accessible, and affordable.

Discover our solution or ask us any questions. We’ll be happy to explain how Guardey can protect your accounting firm from all digital threats and how to comply with the NIS2 directive from 2024!

Frequently Asked Questions

I already have a firewall, do I still need Guardey?

Relying solely on a firewall for cyber security leaves your organization vulnerable to evolving and sophisticated threats. Cyber attacks target multiple vectors, including vulnerabilities in software, employee endpoints and web applications. Guardey works in conjunction with the firewall.

Firewalls keep out up to 80% of online risks. With Guardey, it is transparent which online risks did make it through the firewall. In addition, human errors are still too often made, so also train employees to work responsibly online.

I already have a VPN, do I still need Guardey?

It’s good that you are already using a VPN. It encrypts traffic between the device and the VPN endpoint and hides your network location from outsiders, but at the end of the day employees can still be vulnerable by bringing in malicious files or visiting the wrong websites.

Guardey is more than a business VPN. Guardey also provides monitoring in the VPN tunnel. This detects online risks and allows a quick response.

We are too busy for weekly gamification. Why should I play the gamification?

These days we are all busy, we recognise that 😉 All the more important is employee awareness. Make sure employees don’t accidentally make mistakes due to pressure. After all, that only creates extra work.

That’s why our challenges are only a maximum of 5 minutes and can be done quickly in between. A new challenge becomes available every week. As an organisation, do you want to play these challenges every week, every two weeks or every month? Of course, that’s no problem either.

Can I also play just the gamification?

Short answer: yes! It is possible to play just the gamification.

Have you already taken sufficient cyber security measures for your employees in the office and outside the office? But can awareness still be worked on? Then you can also play just the gamification. This can already be done very easily in just the browser. Check out our game only package here.

Is Guardey effective against phishing attempts?

Phishing is especially dangerous when you don’t know you’re dealing with phishing. That’s why our cyber awareness game is the first step against phishing. Make people aware of the dangers and make sure they have the right knowledge so they don’t click on anything.

Further Guardey plays a crucial role in detecting suspicious online activities. For instance, if a member of your organization interacts with a website known for hosting phishing content, Guardey will promptly alert you about the potential risk. By providing this proactive alert system, Guardey aids in preventing users within your organization from falling prey to phishing scams.

Anouk ter Harmsel
