A: Improve cybersecurity at European companies
B: Reduce the risk of data breaches
C: Align European cyber security measures
D: All of the above is correct
The NIS2 is the new European cybersecurity law. The law should better protect European companies from cybercrime. That better protection should, for example, reduce the risk of data breaches.
In addition, the goal is to harmonize European security measures. Europarliamentarian Bart Groothuis talks about this at the Chamber of Commerce: “Technical developments are going very fast. NIS 1 has been in force since 2018 and is outdated. Not every member state applies the law equally or strictly everywhere. If you now do business with other European countries or have a branch in multiple countries, different rules apply everywhere. That doesn’t work. We are going to draw a single line on that.”
A: All organizations
B: Organizations with more than €50 million turnover
C: Essential and important organizations in specific sectors
The NIS2 will apply to all essential and important organizations in sectors from the table below. The following criteria apply:
…are large organizations operating in a sector from Group A in the table below.
An organization is large at:
1. 250 or more employees or;
2. Annual net sales of €50 million or a balance sheet total of €43 million or more.
…are medium-sized organizations operating in an industry from Group A or B in the table below.
An organization is medium-sized at:
1. 50 or more employees or;
2. An annual turnover or balance sheet total of €10 million or more.
|Group A (essential and important organizations)||Group B (important organizations)|
|Transportation||Postal and courier services|
|Digital infrastructure||Manufacturing and production|
|Management of ICT services|
A: Only essential organizations are audited
B: Essential organizations are audited before and after, important organizations only after.
C: There is no distinction between essential and important organizations.
Control of essential organizations will be more stringent than that of important organizations. Essential organizations will be checked in advance At
DigitalTrustCenter of the Ministry of Economic Affairs and Climate, you can read the following about it: ‘Essential entities are subject to a more intensive regime of supervision; both ex ante and ex post monitoring. Significant entities are subject to a lighter form of supervision that is only ex post. For example, if there are indications of non-compliance with the law or if an incident has occurred.’
The NIS2 will also apply to SMEs. That is, for essential and important organizations in the sectors mentioned.
MEP Bart Groothuis explains at the Chamber of Commerce: “Everyone who provides an essential service to consumers falls under the new law. So also small service providers. We are still arguing about what exactly we mean by ‘essential’. Internet service providers, small factories, companies dealing with water or energy: those kinds of companies will be considered essential.”
A: A directive, it is about security recommendations
B: Legislation, prescribing minimum basic security.
The NIS2 is the new European cyber legislation. It is a European directive that member states integrate into their national legislation.
In the Netherlands, the NIS was thus integrated into the Network and Information Systems Security Act (Wbni) in 2018.
An agreement on the NIS2 was reached at European level in December 2022, which came into force a month later. Member states must integrate it into their national legislation within 21 months from that time. This means that the legislation will come into force in the Netherlands no later than October 2024.
Note that in the Netherlands we refer to the NIB2 (Network and Information Security) instead of the NIS2.
A: Each organization is responsible for its own systems
B: Every organization is responsible for its own systems and those of suppliers and others in the chain.
C: Every organization is responsible for its own systems, those of suppliers and others in the chain as well as those of other (cooperation) partners.
The NIS2 makes organizations responsible for their own systems, those of suppliers and others in the chain as well as those of other (cooperation) partners. The NIS2 thus obliges protection against system risks. Specifically, organizations must: Evaluate the cyber security of suppliers.
– Critically examine security risks at companies in the supply chain
– Participate in supply chain risk assessments within the industry.
– Establish supply chain risk assessment and management for third parties.
– Take measures for secure electronic communication with suppliers.
– Notify customers and authorities of third-party threats.
More specifically, according to the NIS2, organizations should actively monitor for any cyber risks in the (supply) chain. Organizations should:
– Identify and assess threats to third-party products and services.
– Develop policies, plans and solutions to address threats.
– Take measures to secure the sourcing and supply of third-party products and services.
Finally, organizations should continuously monitor, evaluate and take appropriate measures to seriously consider and address any third-party cyber risks. For example, it is important to conduct regular assessments or even audits of third parties. In addition, regular attention should be paid to vendor agreements.
If security is found to be substandard at third parties, organizations should take action on that themselves, including terminating a partnership if necessary.
A: No, it is an advisory for which authorities issue warnings
B: Yes, up to a maximum of 100,000 euros per incident
C: Yes, up to a maximum of 1,000,000 euros per incident
D: Yes, up to a maximum of 10,000,000 euros or 2% of annual global turnover
As with the NIS, authorities can impose fines for non-compliance. The fine is up to a maximum of 10 million euros or 2% of annual worldwide turnover. That which is higher determines the amount of the fine.
A: Fines or penalties may be lower
B: Organizations receive certification
C: These measures have no impact
Authorities decide what fines or penalties to impose on organizations in violation.
A: An immediate notification in the event of a data breach
B: An immediate notification for any cyber incident affecting business operations
C: A final report describing the incident, the type of threat, severity and consequences, and applied and ongoing measures.
D: All of the above
Organizations must immediately report all cyber incidents that affect business operations, including data breaches.
The National Cyber Security Center writes: “The NIS2 directive requires entities to report incidents to the regulator within 24 hours. These are incidents that (may) significantly disrupt the provision of the essential service. In the case of a cyber incident, it must also be reported to the Computer Security Incident Response Team (CSIRT)”.
The reporting requirement involves two reports:
Organizations must make a report as soon as possible with the strictly necessary information, such as what happened, what the (possible) cause is and what illegal or malicious act took place. Organizations will make the report to the appropriate national authority or the Computer Security Incident Response Team (CSIRT). The authority or CSIRT will respond to the report within 24 hours.
Within one month of the initial notification, organizations must submit a final report. That report must include the following:
A: October 2023
B: March 2024
C: October 2024
An agreement was reached at the European level in December 2022. That agreement came into force a month later. Member states have 21 months since then to transpose the NIS2 into national legislation.
That means the NIS2 will come into force in the Netherlands no later than October 2024.
Note that in the Netherlands we speak of the NIB2 (Network and Information Security) instead of the NIS2.