9 January 2023 • Cyber security
The NIS (Network and Information Systems) Directive was created in Europe to promote a high level of network and information systems security in the EU. A few years later, the NIS1 Directive came into force, and the NIS2 guideline will follow in the not-too-distant future.
The directive currently applies only to large companies and institutions that fulfil essential tasks for society. That will soon change, which means that your accountancy firm will also have to change course.
The NIS1 guideline has been in force since 2016
Since 2016, large companies and institutions that fulfil fundamental tasks in society, such as suppliers of electricity or water, have had to comply with the rules of the NIS1 directive. With the entry into force of the directive, they were obliged to improve their information security to prevent cyber-attacks.
In May 2022, the European Commission approved a new version of the NIS1 directive. It is still unknown when the NIS2 guideline will come into effect, but that doesn’t mean there isn’t work to be done.
The NIS2 directive not only imposes stricter rules on companies; more companies must also comply with them. For example, all healthcare organisations, suppliers of ICT services and financial institutions must also take the rules to heart.
What if you do not comply with the NIS2 guideline?
You want to prevent your company from failing to meet the requirements of the NIS2 guideline, because those who ignore the directive face a hefty fine.
The fines for non-compliance with the NIS2 directive can amount to 10 million euros or up to 2% of total annual turnover for medium-sized and large companies. You cannot take any risks with such large amounts. Besides, you consider the security of your customers’ information important too, right?
By properly complying with the rules, you keep the money in your pocket and your customers can place more trust in your organisation. So take the new regulations seriously right away, and do not wait for the inspection to send a reminder.
NIS2 guidelines and accountancy firms
From 2024, accountancy firms will also be among the companies that must comply with the NIS2 guideline. Given the treasure trove of financial data they hold, that is not surprising.
It is important, both for the audit practice and for advice on compilation assignments, that accountants have sufficient knowledge of the consequences the new European NIS2 guideline entails for their clients. Reporting on cybersecurity when performing audits is already mandatory under Article 2:393 paragraph 4 of the Dutch Civil Code (expert investigation). ISA 315 (COS 315) of the IAASB also requires proper documentation of IT. This report covers the continuity, reliability and risks of automated data processing.
Not only will the current rules be tightened; new rules are also being added. For example, management’s responsibility for the cyber security status will be tightened: an IT partner of your accountancy firm is no longer responsible for supervising cybersecurity within the firm, and the director (you) plays the crucial role.
NIS2 guideline in brief
The NIS2 directive will drastically raise the level of cyber security in Europe. Sharpening your cyber security status is an investment that pays off: customers gain more confidence in your organisation, and hackers hardly stand a chance of breaking in.