Is your company ready for the new Network and Information Security (NIS2) legislation ?

      

Cartoon cybersecurity
Whoever executes his business continuity plan for the first time at a real incident will discover that something has been overlooked.

Since July 2019, the NIS1 legislation imposed by Europe has been in force in Belgium. This aims to protect Europe against the strongly increasing cybercrime. So why the need for a NIS2 legislation ? An evaluation came to the following conclusions about NIS1:

– Diverging and not harmonized regulations in the different member states.
– Companies and member states are not sufficiently prepared against cyber-attacks.
– A number of vital sectors are out of scope.
– Companies and governments are not prepared for crisis situations.
– Insufficient cooperation between member states.
– Weak enforcement.

The NIS2 regulation addresses the above shortcomings. By Oct. 17, 2024 at the latest, Belgium will have to transpose this directive into local law. Read further in this post what the directive entails and how you can prepare your company.

The NIS2 regulation

The new directive, requires EU member states to cooperate more closely on cybersecurity. The scope of NIS2 expands to as many as 2.000 organizations, including sectors such as chemical, food, manufacturing, ICT services. NIS2 imposes a reporting requirement for cyber incidents and threats within 24 hours. It forces companies to prepare very specifically and work with suppliers to avoid loopholes for cybercriminals. So companies outside the direct scope of this legislation, as suppliers to one of the many companies in scope, may still come into contact with the new legislation. With fines for non-compliance and holding executives accountable, the goal of NIS2 is clear: a safer digital world.

What does this mean for your organization? These are the measures you will need to work on as an organization, if not already in place:

– Risk analysis and Information System security.
– Incident handling
– Business continuity measures (disaster recovery, crisis management, backups)
– Supply chain security.
– Security in acquisition, development and maintenance of systems.
– Procedures to evaluate the effectiveness of cybersecurity risk management measures.
– Basic computer hygiene and training.
– Policies regarding proper use of cryptography and encryption.
– HR security, access control and property management.
– Use of multi-factor authentication, secure communications and emergency communications.

Read more details about the scope and measures regarding NIS2, on the Center for Cyber Security website here: The NIS 2 Directive: what does it mean for my organization? | Centre for Cyber security Belgium

Business Continuity plan

Legislation such as NIS2 or GDPR leads to additional efforts in many organizations. There is a lot of focus on technical means to defend against cyber-attacks. But in reality, people mostly turn out to be the weak link. This is why the legislature requires organizations to develop policies and procedures. Their effectiveness strongly depends on corporate culture and no one is flawless. Hence the importance of a Business Continuity plan. Such a plan provides what must be done to be able to work again in case of a ‘disaster’ situation.

The English proverb says, ‘The proof of the pudding is in the eating’, meaning that practice will tell. This is why we recommend regular testing of the Business Continuity plan. In such a test, one assumes a certain situation, for example, malware that has rendered all systems unusable. This does not have to involve testing the entire plan each time; you can also test certain components. It is especially important to actually carry it out and not to stick to a theoretical exercise. We can learn a lot from these tests. Whoever executes his plan for the first time at a real incident runs a strong risk of discovering only then that something has been overlooked.

Those who think they are safe because they work ‘in the cloud’ or use a SAAS system should read the fine print of the contract carefully. Furthermore, a whole number of risks also remain for SAAS solutions. Think of a situation where a hacker manages to take over an employee’s account (because they use the same password for all their systems, for example). The latter may then be able to access important data or, on the contrary, make that data disappear.

Sources:

Presentation J Klykens, Director Center for Cyber Security Belgium,
https://ccb.belgium.be/en